Full Disclosure mailing list archives

Re: "Fire and forget" exploits?
From: endrazine <endrazine () gmail com>
Date: Fri, 20 Oct 2006 17:52:28 +0200

Brendan Dolan-Gavitt wrote:
> Hi, I'm looking for examples of (remote) security vulnerabilities
> whose exploitation involves no guesswork--eg, no bruteforcing the
> return address, or altering your exploit based on the server's
> response, etc.

I guess you're thinking about _remote_ exploitation? You don't have
to guess anything for a local bo for instance.. Anyway:

> It seems like this kind of exploit is dying out, particularly as
> different flavors of Linux proliferate, each with their own

Target the kernel? Use linux-gate.so?
Portability of your exploit will greatly depend on how you choose to
exploit the vulnerability, since it's quite common to have to choose between
several exploitation scenarios..

> different libc and userland; in the Windows world, however, we
> still find "universal" exploits that work on NT4/2k/XP over a
> variety of service packs.

The language also affects some pointers. Anyway, if you need, let's say, a
jmp esp, you can try to choose one location in memory that contains this
opcode for several SP/languages. But I don't think you can prove any
exploit will be universal... (can you? ;)

> Anyways, if anyone has come across things like this, I'd greatly
> appreciate hearing about it. I'm working on some new methods to
> deliver exploits at once while minimizing recon.
>
> Thanks, Brendan Dolan-Gavitt

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
