Vulnerability Development mailing list archives
Re: SSH exploit
From: nahual () S0D SAL ITESM MX (El Nahual)
Date: Wed, 24 Nov 1999 17:09:51 -0600
Eerrrmmmm, being fast here: there is already an exploit going on there. s0d's server got hit by it; we are still examining the logs, and they look very, very promising on discovering what is going on (looks like remote root is possible). If anyone is interested, email me, because I don't think everyone wants to receive the entire log (which is quite large!).

El Nahual
"Your soul is mine, 'cause mine is the nahual"

On Wed, 24 Nov 1999, Gerardo Richarte wrote:
Sebastian wrote:
The problem is you cannot reach the input_len variable, since it is a register. Therefore the RSA check fails and the program exits before it issues a ret.

Why do you think you need to overwrite input_len? We successfully overwrote input_data[], then we overwrote every input argument, but we are only interested in key, which is what RSA uses to compare input_len to. So we put in key a pointer to the stack, where we placed a key structure similar to the original, but with the field bits chosen so almost every test in RSA is passed. The main problem we have, after the decryption is performed, is that when RSAPrivateBlock does its final NN_Decode() there is a buffer overflow (more on this in a future advisory) in RSA ref that we couldn't avoid. Anyway, input_len is defined after input_data[], so it would not be overwriteable even if it were not in a register.

richie
--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com
---
For a personal reply use gera () core-sdi com