<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

Vulnerability Development: Re: challenge

Re: challenge

From: Marco Ivaldi <raptor_at_0xdeadbeef.info>
Date: Tue, 14 Sep 2004 14:34:39 +0200 (CEST)

> Hopefully I shall get responses to this challenge,...

Hey fuzzy,

Find attached a working C exploit (with detailed comments) for your sample
vulnerable code.

Of course, it's possible to modify it to automagically get the needed
addresses. It should also be possible to use pipe() and write() to send
the evil buffer to the vulnerable program.

Finally, there's room for the .got entry substitution technique, for
changing the second free() into a system() instead of using a shellcode
-- but beware, 'cause usually system() drops privileges.

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707

TEXT/PLAIN attachment: vuln-ex_c

Received on Sep 16 2004

This message: [ Message body ]
Next message: Berend-Jan Wever: "Problem with keyboard forwarding to cmd.exe shellcode"
Previous message: Yves Younan: "Re: Apache 1.3"
Maybe in reply to: fuzzy_at_bonbon.net: "challenge"
Next in thread: Marco Ivaldi: "Re: challenge"
Reply: Marco Ivaldi: "Re: challenge"
Reply: Marco Ivaldi: "Re: challenge"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos