Vulnerability Development mailing list archives

Re: vulndev-1 exploit.


From: Joel Eriksson <je-vulndev () bitnux com>
Date: Wed, 14 May 2003 14:07:44 +0200

On Wed, May 14, 2003 at 11:15:02AM +0200, Joel Eriksson wrote:
[je@vudo ~]$ ADDR=`objdump -R vulndev-1 | awk '$3 == "__libc_start_main" { print $1 }'`

Hint. __libc_start_main + 8 = jumpslot in GOT -> free() on my system,
and probably on most other Linux-systems with gcc.. I searched for
"__libc_start_main" to get the addr I was after directly, instead of
searching for "free" and subtracting 8, to confuse the casual readers
and encourage people to find out what is going on by themselves.

Then I saw matrix had already posted a sploit for it (a little
different, he puts the shellcode in buf1 instead) and people may
think I checked out his post to find out how to exploit it.

Btw, matrix, your challenge on phiral.com was fun too, perhaps
you should post it here and see what the CISSP's and other
"IT-security specialists" make of it. ;-)

It was really entertaining to see people's analysis of vulndev-1,
especially by the ones who said it could not be exploited since the
buffers are on the heap. Eheh. :-)

-- 
Joel Eriksson <je () mensa se>
-------------------------------------------------
Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------
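As an added example (not code from the post or from the vulndev-1 challenge), a small Python helper that parses `objdump -R` output the way the awk one-liner above does, and answers the question the post raises: which import's GOT slot sits at a given byte offset from another's, and which slots a contiguous overwrite past one slot would reach. The sample dump is constructed, not the real vulndev-1 binary; this is the kind of check a defender runs when deciding whether a binary with a writable GOT should be relinked with full RELRO (`-Wl,-z,relro -Wl,-z,now`), which makes the slots read-only after startup.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `objdump -R` output (OFFSET TYPE VALUE columns).
# Addresses and ordering are made up for illustration, not taken from vulndev-1.
SAMPLE_OBJDUMP_R = """\
sample:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
0804a00c R_386_GLOB_DAT    __gmon_start__
0804a010 R_386_JUMP_SLOT   __libc_start_main
0804a014 R_386_JUMP_SLOT   strcpy
0804a018 R_386_JUMP_SLOT   free
0804a01c R_386_JUMP_SLOT   printf
"""

# Matches relocation records only; header and banner lines are not hex-prefixed.
RELOC_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s*$")


def parse_objdump_r(text: str) -> Dict[int, str]:
    """Map GOT slot address -> imported symbol for every JUMP_SLOT relocation."""
    slots: Dict[int, str] = {}
    for line in text.splitlines():
        m = RELOC_LINE.match(line.strip())
        if not m or "JUMP_SLOT" not in m.group(2):
            continue  # skip headers and non-PLT relocations such as GLOB_DAT
        slots[int(m.group(1), 16)] = m.group(3)
    return slots


def slot_address(slots: Dict[int, str], symbol: str) -> Optional[int]:
    """Equivalent of: awk '$3 == symbol { print $1 }' on objdump -R output."""
    for addr, sym in slots.items():
        if sym == symbol:
            return addr
    return None


def symbol_at_offset(slots: Dict[int, str], symbol: str, offset: int) -> Optional[str]:
    """Which import's slot lies `offset` bytes from `symbol`'s slot (the post's '+8')."""
    base = slot_address(slots, symbol)
    return None if base is None else slots.get(base + offset)


def reachable_slots(slots: Dict[int, str], symbol: str, max_bytes: int) -> List[str]:
    """Imports whose slots a contiguous overwrite of up to max_bytes past `symbol` covers."""
    base = slot_address(slots, symbol)
    if base is None:
        return []
    return [slots[a] for a in sorted(slots) if 0 < a - base <= max_bytes]
```

With a writable GOT every name returned by `reachable_slots` is a function an attacker could redirect, so a non-empty list on a binary lacking full RELRO is the finding to report.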

