Vulnerability Development mailing list archives

Re: New bugs discovered!
From: Syzop <syz () dds nl>
Date: Mon, 19 Nov 2001 21:02:56 +0100

jnf wrote:

> Am I just stupid? How does that work?
>
> esp            0xbffff210       0xbffff210
> eip            0x40071a47       0x40071a47
>
> he didn't even overwrite the esp/eip??

That's right, the crash is because of the free() at gzip.c line 1719:
    if (env != NULL)  free(env),  env  = NULL;
it's trying to free(0x41414141) if you pass a lot of A's.
However, free() bugs are also exploitable...
see, for example, the two articles (8 & 9) in the last Phrack (#57).

    Syzop.
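The mechanism Syzop describes, as an added example that is not from the thread or from gzip: a fixed-size buffer sits in front of the pointer that the cleanup code frees, so an overlong input overwrites that pointer with 0x41 bytes and the following free() faults inside the allocator, before the function ever returns through its saved return address. That is why a debugger shows eip inside libc rather than 0x41414141. The struct layout, the 16-byte buffer and the function names are assumptions chosen to make the layout reproducible; gzip's real frame layout is whatever its compiler chose.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed frame layout: a fixed buffer directly followed by the pointer
 * that the cleanup code frees (gzip's `env`).  Real stack ordering is
 * compiler-dependent; pinning it in a struct makes the overflow reproducible. */
struct frame {
    char  buf[16];
    char *env;          /* starts NULL, must stay NULL unless allocated */
};

/* Copies `payload` over the frame the way an unchecked strcpy would and
 * returns the value `env` holds afterwards.  The clamp to sizeof f exists
 * only so this helper does not trample its own caller; the bug being
 * modelled has no such clamp (see main below). */
static uintptr_t clobbered_env(const char *payload, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, payload, len);
    return (uintptr_t)f.env;
}

/* Builds the "lots of A's" input (constructed sample) and reports what
 * `env` becomes.  16 A's fill the buffer exactly and leave env untouched;
 * anything longer spills into the pointer. */
static uintptr_t env_after_overflow(size_t n_as)
{
    char payload[64];
    if (n_as > sizeof payload)
        n_as = sizeof payload;
    memset(payload, 'A', n_as);
    return clobbered_env(payload, n_as);
}

/* True when every byte of the pointer is `fill`: 0x41414141 on a 32-bit
 * build, 0x4141414141414141 on 64-bit.  Either way it points nowhere. */
static int pointer_filled_with(uintptr_t p, unsigned char fill)
{
    for (size_t i = 0; i < sizeof p; i++)
        if (((p >> (8 * i)) & 0xffu) != fill)
            return 0;
    return 1;
}

/* What gzip's `if (env != NULL) free(env)` would hand to the allocator:
 * non-NULL, so the free runs, and made entirely of attacker padding. */
static int would_free_garbage(uintptr_t env)
{
    return env != 0 && pointer_filled_with(env, 'A');
}

/* Stand-alone reproduction: run with an argument of 20+ A's and the
 * process dies inside free(), not at a corrupted return address.
 * Build with -O0 -fno-stack-protector (and -m32 for the 0x41414141 value). */
int main(int argc, char **argv)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (argc > 1)
        strcpy(f.buf, argv[1]);                     /* the unchecked copy */
    if (would_free_garbage((uintptr_t)f.env))
        fprintf(stderr, "env is now %p: free() will fault inside libc\n",
                (void *)f.env);
    if (f.env != NULL)  free(f.env),  f.env = NULL;  /* gzip.c line 1719 */
    puts("returned normally: the overflow never reached env");
    return 0;
}
```

If the input is long enough to also reach the saved return address, it makes no difference to the first crash: free() dereferences memory near 0x41414141 and faults before the epilogue ever pops that return address, which is exactly the picture in the gdb output above. Whether the clobbered free() can be turned into a controlled write is the subject of the Phrack articles Syzop points to.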
