Vulnerability Development mailing list archives

Re: Blind Remote Buffer Overflow


From: marc () EEYE COM (Marc)
Date: Mon, 1 May 2000 17:36:40 -0700


Since you mentioned eEye...

The beta that is on our website does not "scan for unknown exploits." So
wait till after May 15th and then give Retina a try; it WILL have CHAM
(Common Hacking Attack Method) modules.

Retina 1.0 will be able to find the overflows, and Retina 1.2 or 1.5 should
be able to find the exact overflow length. We also have plans for shell code
inserti... er, well, I can't get into the rest of it. ;-]

Signed,
Marc
eEye Digital Security
http://www.eEye.com

P.S.
If anyone is going to Networld+Interop, be sure to check out eEye/eCompany's
booth.
How will you find us, you ask? We will be the "non-heard-of sheep sporting
polo shirts and khakis". We will have black t-shirts on that poke fun at the
NSA, dyed hair and tequila. :-] Hmm, interesting... NSA was not in the
default dictionary for MS's spell checker.

| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
| Bluefish
| Sent: Monday, May 01, 2000 6:42 PM
| To: VULN-DEV () SECURITYFOCUS COM
| Subject: Re: Blind Remote Buffer Overflow
|
|
| Uhm...
|
| To begin with, in most situations it seems not recommended to assume the
| attacker is blind. But if he really is?
|
| Some people have mentioned some ways to try to find a vulnerability
| remotely. Now, let's say you, using some way, have determined you can rewrite
| EIP, PC (or whatever it's called on your architecture). What to do now to
| detect operating system and architecture?
|
| I believe a 'generic buffer overflower' could be a part of the answer. Let a
| tool be given what you know (or guess) about the overflow. Let it generate
| a number of variants (as an example: Linux/i386, Linux/sparc,
| Windows/i386), each of which does something like "echo 3 | mail
| badguy () test com". Depending upon what mail you actually get back, you know
| that the architecture is at least quite compatible with the environments
| that return an answer.
|
| It does seem like quite some work, but it does (IMHO) show that even if
| a system has secret source code and secret binaries as well, it's not
| possible to provide security through obscurity. If such scans could be
| automated, it would raise a need even for programs which only exist on a
| single system to be coded quite well.
|
| The group/company at www.eeye.com has a tool which can be used to scan for
| unknown exploits if you give it some information about "where you
| want to go today" (grin). I don't know how good it is, but perhaps
| support for 'blind overflows' to detect systems could be incorporated into
| their scanner.
|
| ..:::::::::::::::::::::::::::::::::::::::::::::::::..
|      http://www.11a.nu || http://bluefish.11a.nu
|     eleventh alliance development & security team
|
