Vulnerability Development mailing list archives
Re: Blind Remote Buffer Overflow
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Sat, 29 Apr 2000 18:57:49 +0200
On Sat, Apr 29, 2000 at 12:54:56AM -0400, Matthew R. Potter wrote:
> While we are on the topic I have some questions:
> How does one tell the difference in architecture remotely, when the OS runs on multiple architectures? Other than just taking a stab at it until it works. Assuming you aren't on the same physical network segment and can run ARP and see the MAC address of the target. How does one tell the difference between x86 or SPARC, etc.? Byte ordering? If that's at all possible to get the machine to disclose across a network. I wonder if it would be possible to tell the difference between 4 NetBSD or OpenBSD machines with all different architectures. Then again, is it even worth it?
It is most of the time easily possible to identify the OS, architecture, distribution, distribution version, ... remotely. The more open services the remote host has, the better. You can use a lot of methods to fingerprint, for example, Linux systems, from service banner compilation times (ftpd, sendmail, pidentd) to TCP/IP stack differences (nmap TCP fingerprinting). Once you know the architecture and the operating system version you can try to make an exact copy at your home and work out the exploit until it's working fine on your box. Then the chances are high it will work on the remote host also. And for the question of the worthiness of this effort, that depends on who wants to intrude into your network.
> Matt.
ciao, scut / teso
-- 
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07 --
data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
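The banner-correlation approach scut describes, as an added example that is not part of the original post or of teso's code: each open service is parsed for whatever it discloses (distribution and CPU from a telnet greeting, a binary build time from wu-ftpd, vendor patch tags in a Sendmail version, the platform suffix in an Apache Server header), the per-service hints are normalised and unioned, and an observed IP TTL is rounded to the usual initial values as a crude stack hint. The regexes, the TTL table and the two hosts' banners are this example's own assumptions and constructed data, not captures from real systems. Note the second host: a Solaris 7 box that only shows "SunOS 5.7" and a "+Sun" Sendmail still leaves SPARC-versus-x86 open, which is exactly the gap Matt asked about.

```python
"""Banner and TTL fingerprinting of a remote host (added example, not from the post).

Banner formats follow typical late-1990s daemons (wu-ftpd, Sendmail, Apache, the
Red Hat and Solaris telnet greetings); the regexes, the TTL table and the sample
banners are this example's own assumptions / constructed data.
"""
import re
from dataclasses import dataclass


@dataclass
class Hint:
    """What one service banner reveals; an empty string means 'not disclosed'."""
    service: str
    os: str = ""
    distro: str = ""
    arch: str = ""
    software: str = ""
    build_date: str = ""


# Group names map onto Hint fields; groups the dataclass lacks (platform) are ignored.
PATTERNS = [
    # Red Hat telnet greeting: "... release 6.1 (Cartman) Kernel 2.2.12-20 on an i686"
    re.compile(r"(?P<distro>Red Hat) (?P<os>Linux) release [\d.]+.*?Kernel \S+ on an? (?P<arch>\w+)"),
    # Solaris telnet greeting: "SunOS 5.7"
    re.compile(r"\b(?P<os>SunOS) [\d.]+"),
    # wu-ftpd greeting carries the build time of the binary
    re.compile(r"^220 \S+ FTP server \(Version (?P<software>.+?) "
               r"(?P<build_date>\w{3} \w{3} +\d+ [\d:]+ \w+ \d{4})\) ready"),
    # Sendmail greeting: vendor patches show up in the version ("+Sun", "Debian")
    re.compile(r"^220 \S+ ESMTP (?P<software>Sendmail [^;]+);"),
    # Apache Server header: "Apache/1.3.12 (Unix) (Red Hat/Linux)"
    re.compile(r"^Server: (?P<software>\S+)(?: \((?P<platform>[^)]*)\))?(?: \((?P<distro>[^)]*)\))?"),
]


def parse_banner(service: str, banner: str) -> Hint:
    """Extract raw hints from one banner; the first matching pattern wins."""
    text = " ".join(banner.split())   # flatten CRLF / multi-line greetings
    hint = Hint(service=service)
    for pattern in PATTERNS:
        match = pattern.search(text)
        if match:
            for name, value in match.groupdict().items():
                if value and hasattr(hint, name):
                    setattr(hint, name, value)
            break
    return hint


def normalize(hint: Hint) -> Hint:
    """Fold vendor strings and CPU names into comparable labels."""
    blob = f"{hint.software} {hint.distro}"
    if "Red Hat" in blob:
        hint.distro, hint.os = "Red Hat", "Linux"
    elif "Debian" in blob:
        hint.distro, hint.os = "Debian", "Linux"
    if "+Sun" in hint.software or hint.os == "SunOS":   # SunOS 5.x is Solaris
        hint.os = "Solaris"
    if re.fullmatch(r"i[3-6]86|i86pc", hint.arch):
        hint.arch = "x86"
    elif hint.arch.startswith("sun4"):
        hint.arch = "SPARC"
    return hint


def merge(hints: list) -> dict:
    """Union the per-service hints; a list longer than one means the banners disagree."""
    fields = ("os", "distro", "arch", "software", "build_date")
    return {f: sorted({getattr(h, f) for h in hints if getattr(h, f)}) for f in fields}


def fingerprint_host(banners: dict) -> dict:
    return merge([normalize(parse_banner(svc, text)) for svc, text in banners.items()])


def ttl_hint(observed_ttl: int) -> tuple:
    """Round an observed IP TTL up to the nearest common initial TTL.

    Returns (initial_ttl, hop_count, stack_guess).  The table is the usual rule
    of thumb (64 Linux/BSD, 128 Windows, 255 Solaris/Cisco), assumed here.
    """
    for initial, guess in ((64, "Linux/BSD"), (128, "Windows"), (255, "Solaris/IOS")):
        if 0 < observed_ttl <= initial:
            return initial, initial - observed_ttl, guess
    raise ValueError(f"TTL {observed_ttl} outside 1..255")


# Constructed banners for two imaginary hosts (not captures from real systems).
LINUX_BOX = {
    "telnet": "Red Hat Linux release 6.1 (Cartman)\r\nKernel 2.2.12-20 on an i686\r\nlogin: ",
    "ftp": "220 ftp.example.test FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.",
    "smtp": "220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; Sat, 29 Apr 2000 18:57:49 +0200",
    "http": "Server: Apache/1.3.12 (Unix) (Red Hat/Linux)",
}
SOLARIS_BOX = {
    "telnet": "SunOS 5.7\r\n\r\nlogin: ",
    "smtp": "220 sol.example.test ESMTP Sendmail 8.9.3+Sun/8.9.3; Sat, 29 Apr 2000 19:00:00 +0200",
}

if __name__ == "__main__":
    for name, banners in (("linux", LINUX_BOX), ("solaris", SOLARIS_BOX)):
        print(name, fingerprint_host(banners))   # Solaris 7 ran on SPARC and x86: arch stays empty
    print(ttl_hint(52))
```

In practice the build date from wu-ftpd or pidentd is what gets compared against the distribution's own package builds to pin the exact release for the local copy scut mentions; the TTL rounding only separates stack families and says nothing about the CPU, so a host that discloses neither a kernel string nor a platform token stays ambiguous.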