Re: All you WMF haxxors are belong to...... Mr Moore

[H D Moore <fdlist () digitaloffense net>]

There are a handful of cases where a malicious server / mitm could cause 
the Framework to run out of memory. We aren' t that concerned with it -- 
if you can find a way to do something useful (run code, etc), let us 
know. We might look at limiting this in version 3.0, but no matter what 
'max size' we place on a protocol response, its never going to be small 
enough to account for the low-end system or big enough to handle truly 
gigantic (legit) replies. The SMB, DCERPC, and BackupExec protocols also 
suffer from 'arbitrary malloc and die' issues. 

-HD


On Monday 23 January 2006 08:40, H D Moore wrote:
> Nice DoS bug, next time try emailing us first :-)
>
> -HD
>
> On Monday 23 January 2006 04:23, cranium pain wrote:
> > WMF Exploit vulnerable?
> >
> > [*] Starting Reverse Handler.
> > [*] Waiting for connections to http://0.0.0.0:80/
> > [*] Got connection from 0.0.0.0:443 <-> 1.1.1.1:42121
> > [*] Sending Stage (2834 bytes)
> > [*] Sleeping before sending dll.
> > [*] Uploading dll to memory (69643), Please wait...
> > [*] Upload completed
> > meterpreter> Out of memory during "large" request for 2147487744
> > bytes, total sbrk() is 17950720 bytes at
> > /home/framework/lib/Pex/Meterpreter/Packet.pm line 509
> >
> >
> > 509:  $res -1 if ($res >= 0 and not defined(recv($fd, $tempBuffer,
> > $tempBufferLength, 0)));
> >
> > --
> >
> > "haxxoring haxxors for fun and fun"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/