Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Snort BackOrifice Fun
From: "Krpata, Tyler" <tkrpata () bjs com>
Date: Fri, 21 Oct 2005 17:22:03 -0400

Attached some in-progress code for the snort bug, getting through the 
while() loop that modifies both 'i' and 'len' is annoying. Any ideas
on 
making this more reliable? It works great on my -ggdb version , but
runs 
off a page during a memcmp() on my normal binary.

 The problem is that you reach a point (coincidentally a page before
eip) where you start to clobber the pointer that is being used to copy
your user data into memory. Once that happens you're no longer writing
to the location you want to be writing to. 

*****************************************

Bf??????? [41414141] len
Bf??????? [41414141] id
Bf??????? [41414141] l
Bf??????? [41414141] i
Bf??????? [41414141] type
Bf??????? [Bf????41] buf_ptr
Bf??????? [????????]
Bf??????? [????????]
Bf??????? [????????] eip

*****************************************

Somewhere else...
Bf????41 [41414141] 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Snort BackOrifice Fun H D Moore (Oct 19)
    • <Possible follow-ups>
    • Re: Snort BackOrifice Fun Krpata, Tyler (Oct 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]