Vulnerability Development mailing list archives
Re: vulndev-1 exploit.
From: Joel Eriksson <je-vulndev () bitnux com>
Date: Wed, 14 May 2003 14:07:44 +0200
On Wed, May 14, 2003 at 11:15:02AM +0200, Joel Eriksson wrote:
[je@vudo ~]$ ADDR=`objdump -R vulndev-1 | awk '$3 == "__libc_start_main" { print $1 }'
Hint. __libc_start_main + 8 = jumpslot in GOT -> free() on my system, and probably on most other Linux-systems with gcc.. I searched for "__libc_start_main" to get the addr I was after directly, instead of searching for "free" and subtracting 8, to confuse the casual readers and encourage people to find out what is going on by themselves.

Then I saw matrix had already posted a sploit for it (a little different, he puts the shellcode in buf1 instead) and people may think I checked out his post to find out how to exploit it.

Btw, matrix, your challenge on phiral.com was fun too, perhaps you should post it here and see what the CISSP's and other "IT-security specialists" make of it. ;-)

It was really entertaining to see people's analysis of vulndev-1, especially by the ones who said it could not be exploited since the buffers are on the heap. Eheh. :-)

--
Joel Eriksson <je () mensa se>
-------------------------------------------------
Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------