
Re: vulndev-1 exploit.

From: Joel Eriksson <je-vulndev(at)bitnux.com>
Date: Wed May 14 2003 - 08:07:44 EDT

On Wed, May 14, 2003 at 11:15:02AM +0200, Joel Eriksson wrote:
> [je@vudo ~]$ ADDR=`objdump -R vulndev-1 | awk '$3 == "__libc_start_main" { print $1 }'`

Hint. __libc_start_main + 8 = jumpslot in GOT -> free() on my system, and probably on most other Linux systems with gcc. I searched for "__libc_start_main" to get the addr I was after directly, instead of searching for "free" and subtracting 8, to confuse the casual readers and encourage people to find out what is going on by themselves.

Then I saw matrix had already posted a sploit for it (a little different, he puts the shellcode in buf1 instead) and people may think I checked out his post to find out how to exploit it.

Btw, matrix, your challenge on phiral.com was fun too, perhaps you should post it here and see what the CISSP's and other "IT-security specialists" make of it. ;-)

It was really entertaining to see people's analysis of vulndev-1, especially by the ones who said it could not be exploited since the buffers are on the heap. Eheh. :-)

-- 
Joel Eriksson 
-------------------------------------------------
Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------
Received on Wed May 14 11:40:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
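The objdump/awk lookup and the "__libc_start_main + 8" hint above, as an added example that is not part of Joel's post: it parses constructed `objdump -R` output to map every relocated symbol to its GOT slot, reports the distance between the `__libc_start_main` and `free` slots, and grades the binary's RELRO level from constructed `readelf -l`/`readelf -d` fragments, since only full RELRO makes those slots read-only before main() runs. Function names and all addresses are assumptions for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample of `objdump -R` output for a 32-bit ELF; the
# addresses are illustrative and not taken from the real vulndev-1 binary.
SAMPLE_OBJDUMP_R = """\
vulndev-1:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049608 R_386_GLOB_DAT    __gmon_start__
08049618 R_386_JUMP_SLOT   __libc_start_main
08049620 R_386_JUMP_SLOT   free
08049628 R_386_JUMP_SLOT   strcpy
"""

# Constructed readelf fragments: GNU_RELRO segment present, but no BIND_NOW
# flag in the dynamic section, i.e. only partial RELRO (GOT still writable).
SAMPLE_READELF_L = "  GNU_RELRO      0x000f08 0x08049f08 0x08049f08 0x000f8 0x000f8 R   0x1\n"
SAMPLE_READELF_D = " 0x00000001 (NEEDED)   Shared library: [libc.so.6]\n"

# One relocation record: <hex offset> <R_... type> <symbol>
RELOC_RE = re.compile(r"^([0-9a-fA-F]+)\s+(R_\w+)\s+(\S+)$")

def parse_got_slots(objdump_output: str) -> Dict[str, int]:
    """Map every relocated symbol to its GOT slot address (the awk one-liner, for all symbols)."""
    slots: Dict[str, int] = {}
    for line in objdump_output.splitlines():
        m = RELOC_RE.match(line.strip())
        if m:
            slots[m.group(3)] = int(m.group(1), 16)
    return slots

def slot_distance(slots: Dict[str, int], sym_a: str, sym_b: str) -> Optional[int]:
    """Byte offset from sym_a's GOT slot to sym_b's; None if either symbol is absent."""
    if sym_a not in slots or sym_b not in slots:
        return None
    return slots[sym_b] - slots[sym_a]

def relro_level(readelf_l: str, readelf_d: str) -> str:
    """'full' = GNU_RELRO + BIND_NOW (GOT is remapped read-only before main runs),
    'partial' = GNU_RELRO only (jump slots stay writable), 'none' = no RELRO segment."""
    has_relro = "GNU_RELRO" in readelf_l
    bind_now = bool(re.search(r"\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW", readelf_d))
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"

if __name__ == "__main__":
    slots = parse_got_slots(SAMPLE_OBJDUMP_R)
    print("free slot offset from __libc_start_main slot:", slot_distance(slots, "__libc_start_main", "free"))
    print("RELRO level:", relro_level(SAMPLE_READELF_L, SAMPLE_READELF_D))
```

On a real binary, feed the functions the output of `objdump -R`, `readelf -l` and `readelf -d`; a "full" result means a GOT overwrite of this kind is no longer possible after loading.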