mailing list archives
Re: "Fire and forget" exploits?
From: endrazine <endrazine () gmail com>
Date: Fri, 20 Oct 2006 17:52:28 +0200
Brendan Dolan-Gavitt wrote:
> Hi, I'm looking for examples of (remote) security vulnerabilities
> whose exploitation involves no guesswork--e.g., no bruteforcing the
> return address, or altering your exploit based on the server's

I guess you're thinking about _remote_ exploitation? You don't have
to guess anything for a local bo, for instance.. Anyway:

> It seems like this kind of exploit is dying out, particularly as
> different flavors of Linux proliferate, each with their own

Target the kernel? Use linux-gate.so?
Portability of your exploit will greatly depend on how you choose to
exploit the vulnerability, since it's quite common to have to choose between
several exploitation scenarios..

> different libc and userland; in the Windows world, however, we
> still find "universal" exploits that work on NT4/2k/XP over a
> variety of service packs.

The language also affects some pointers. Anyway, if you need, let's say, a
jmp esp, you can try to choose one location in memory that contains this
opcode for several SP/languages. But I don't think you can prove any
exploit will be universal... (can you? ;)

> Anyways, if anyone has come across things like this, I'd greatly
> appreciate hearing about it. I'm working on some new methods to
> deliver exploits at once while minimizing recon.
> Thanks, Brendan Dolan-Gavitt
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/