Snort mailing list archives
Re: Test question
From: Paul Cardon <paul () moquijo com>
Date: Sun, 16 Dec 2001 22:39:37 -0500
Jose Celestino wrote:
> Thus spake Paul Cardon, on Sun, Dec 16, 2001 at 10:13:35PM -0500:
>> Jose Celestino wrote:
>>> And how the hell did you intend to get a "uid=0(root)" out of a supposedly encrypted connection?
>> Wow, Jose. You just flunked the test. Good thing this was a practice run. ;^)
> Wrong, this is exploit specific. The exploit that has been running around does an id after a successful exploit. Of course, the overflow occurs at key exchange and so no encryption yet to prevent this kind of data from being sniffed.
It doesn't matter where the overflow occurs actually. The encryption will only remain if the injected code is able to maintain it in some way. Typically it will just use the open socket and all communication will be in the clear. There may not be enough room to do more or it is too complex to be worth the trouble.
-paul
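The point made in this message, as an added example that is not part of the original post or of Snort: a detector that watches the server-to-client bytes of one connection and flags cleartext `id` output, including when the string is split across TCP segments. `ServerStream`, `scan` and the sample payloads are hypothetical names and constructed data.

```python
import re

ID_ROOT = re.compile(rb"uid=0\(root\)")     # what `id` prints for a root shell
SSH_BANNER = re.compile(rb"SSH-\d+\.\d+-")  # SSH protocol version string
KEEP = len(b"uid=0(root)") - 1              # carry-over bytes between segments


class ServerStream:
    """Server-to-client payloads of one TCP connection, fed in order."""

    def __init__(self):
        self.offset = 0        # stream bytes seen before the current segment
        self.tail = b""        # last KEEP bytes, so a split match is caught
        self.is_ssh = False    # set when the stream opens with an SSH banner

    def feed(self, segment):
        """Return (stream_offset, message) alerts raised by this segment."""
        if self.offset == 0 and SSH_BANNER.match(segment):
            self.is_ssh = True
        window = self.tail + segment
        base = self.offset - len(self.tail)
        alerts = []
        for m in ID_ROOT.finditer(window):
            msg = "id check returned root"
            if self.is_ssh:
                msg += " in cleartext on a connection that began as SSH"
            alerts.append((base + m.start(), msg))
        self.offset += len(segment)
        self.tail = window[-KEEP:]  # shorter than the pattern: no double hits
        return alerts


def scan(segments):
    """Run every segment of one connection through a fresh ServerStream."""
    stream = ServerStream()
    return [a for seg in segments for a in stream.feed(seg)]


# Constructed sample: banner, opaque key-exchange bytes, then `id` output
# split across two TCP segments.
SAMPLE = [
    b"SSH-1.99-ExampleServer\n",
    bytes(range(200, 232)),
    b"uid=0(ro",
    b"ot) gid=0(root) groups=0(root)\n",
]

if __name__ == "__main__":
    for offset, message in scan(SAMPLE):
        print(offset, message)
```
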