Vulnerability Development mailing list archives

Re: Eudora Pro Buffer Overflow testing in progress - help needed.

From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Fri, 28 Apr 2000 21:19:29 -0700


Zoa_Chien wrote:
<snip>

the 3334 are the first bytes that overwrite the EIP.

Leaving us very little space to execute some arbitrary code.
(unless it's possible to send files from non microsoft OS'es that contain
even more chars in the extension, that could give us some more room.


Of course, you can hand-craft an e-mail with an attachment with an
extension
of arbitrary length.  You don't have to use a real mail client, or have
the file exist on a real file system ahead of time.

I don't know the format for an attachment when talking to an SMTP
server off the top of my head, but a bit of work with a sniffer or
the RFCs would reveal it.

Or were you being sarcastic? :)

                                        BB

Current thread:

Re: No-Exec Stack Smashing 101, (continued)
- - - Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 26)
    - limited functionality accounts (was: Re: History Files) Alex Andrews (Apr 25)
    - Re: limited functionality accounts (was: Re: History Files) Rob Kouwenberg (Apr 28)
    - Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 26)
    - long file names in explorer.exe kj (Apr 26)
    - Re: long file names in explorer.exe Rory Savage (Apr 28)
    - Re: long file names in explorer.exe kj (Apr 28)
    - Lotus notes + windows98 overflow Alistair Orchard (Apr 27)
    - Blind Remote Buffer Overflow Granquist, Lamont (Apr 27)
    - Eudora Pro Buffer Overflow testing in progress - help needed. Zoa_Chien (Apr 28)
    - Re: Eudora Pro Buffer Overflow testing in progress - help needed. Blue Boar (Apr 28)
    - Re: Blind Remote Buffer Overflow Marc (Apr 28)
    - Re: Blind Remote Buffer Overflow Ralph The Wonder Llama (Apr 28)
    - Re: Blind Remote Buffer Overflow Matthew R. Potter (Apr 28)
    - Re: Blind Remote Buffer Overflow Sebastian (Apr 29)
    - Re: Blind Remote Buffer Overflow Mark L. Jackson (Apr 29)
    - Re: Blind Remote Buffer Overflow Arturo Busleiman (Apr 30)
    - Re: Blind Remote Buffer Overflow Arturo Busleiman (Apr 30)
    - Replacing Kernel Functions via a LKM Granquist, Lamont (Apr 27)
    - Re: Replacing Kernel Functions via a LKM Dragos Ruiu (Apr 27)
    - Re: Replacing Kernel Functions via a LKM Dragos Ruiu (Apr 28)

(Thread continues...)