Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: "Fire and forget" exploits?
From: endrazine <endrazine () gmail com>
Date: Fri, 20 Oct 2006 17:52:28 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Brendan Dolan-Gavitt wrote:
Hi, I'm looking for examples of (remote) security vulnerabilities
whose exploitation involves no guesswork--eg, no bruteforcing the
return address, or altering your exploit based on the server's
response, etc.
I guess you're thinking about _remote_ exploitation ? You don't have
to guess anything
for a local bo for instance.. Anyway :
It seems like this kind of exploit is dying out, particularly as
different flavors of Linux proliferate, each with their own
slightly
Target the kernel ? Use linux-gate.so ?
Portability of your exploit will greatly depend on how you choose to
exploit the vulnerability, since it's quite common to have to choose btw
several exploitation scenarii..
different libc and userland; in the Windows world, however, we
still find "universal" exploits that work on NT4/2k/XP over a
variety of service packs.
the language also affects some pointers. Anyway, if you need let s say a
jmp esp , you can try to choose one location in memory that contains this
opcode for several SP/languages. But I don't think you can prove any
exploit will be universal... (can you ? ;)
Anyways, if anyone has come across things like this, I'd greatly
appreciate hearing about it. I'm working on some new methods to
deliver exploits at once while minimizing recon.

Thanks, Brendan Dolan-Gavitt

Cheers,

endrazine-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFOPC7zX6JtL3KgRURAqAyAKDaza2Khkjv9qVd9NZAtu/xjHjxFgCg2z8D
V4wY66PaL6iTgk7QrQg31jc=
=pkfO
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault