Dailydave mailing list archives
RE: quick notes
From: kquest () toplayer com
Date: Fri, 3 Sep 2004 09:55:52 -0400
Guys,

Have you thought about Solaris? Most Netscape Enterprise Servers run on Solaris (Solaris 8 to be exact). Some of them seem to be vulnerable (specifically v 4.1).

Kyle

-----Original Message-----
From: H D Moore [mailto:hdm-daily-dave () digitaloffense net]
Sent: Friday, August 27, 2004 2:40 PM
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] quick notes

On Friday 27 August 2004 13:27, Dave Aitel wrote:
> In addition to having the NSS heap overflow working against Windows XP SP2 (just to say that it can be done, not that people are running SunONE on Windows),

Working on XP SP2 here as well. Using a request of 1024 bytes (256 * ret) I was able to hit a "call [edx+0x44]" where edx is controllable. This is actually preferable to write-what-where, especially when the target has heap cookies. The nice thing about SunONE is that the server will restart itself for you... So if you don't get it the first time, try, try again.

The tricky part of this exploit is determining a static address to use for the value of edx. This register needs to point to a pointer to your shellcode. It is possible to load arbitrary amounts of data into the heap of the remote process through GET requests with a Content-Length set. Using a handful of connections, each sending about 65k, I was able to reliably place and return to shellcode. If your return address doubles as a nop-like instruction, it makes things much easier, since you can simply append your shellcode to the end of each 65k data block and let execution slide right through. Of course, this depends on being able to get data into an address which will become a valid nop-like instruction no matter what offset into it is hit.

Anywho, Metasploit module will be available sometime in the next week or two, moving sucks :/

Dave, are you using this vector to gain eip, or have you found another way that is easier/more reliable? The fact that SSLv2 ciphers are not enabled by default drops the value of this bug quite a bit.

-HD

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
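The heap-loading vector HD describes (a handful of GET requests, each carrying a large Content-Length body) has a simple signature from the defender's side: a GET normally carries no body at all, so a burst of large-body GETs from one client is worth an alert. The following is an added example, not code from the thread, from Metasploit or from any vendor; it runs a per-client sliding-window detector over constructed web-server log records. The five-field record layout (epoch seconds, client IP, method, path, Content-Length), the IP addresses and the threshold values are all assumptions made for this example.

```python
"""Flag bursts of GET requests that carry large request bodies.

Added example. The log format below is a constructed, simplified layout
(not a real SunONE/Netscape access log): one record per line with
  <epoch seconds> <client ip> <method> <path> <content-length>
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sends five 65k-body GETs in three seconds,
# 10.0.0.9 is ordinary traffic (a POST with a body, a GET without one).
SAMPLE_LOG = """\
1093600000 10.0.0.5 GET / 0
1093600001 10.0.0.5 GET / 65000
1093600001 10.0.0.5 GET / 65000
1093600002 10.0.0.5 GET / 65000
1093600002 10.0.0.5 GET / 65000
1093600003 10.0.0.5 GET / 65000
1093600010 10.0.0.9 POST /form 1200
1093600011 10.0.0.9 GET /index.html 0
"""

# Tuning assumptions: a GET body of 16 KiB or more is "large", and three
# such requests from one client inside ten seconds is a burst.
GET_BODY_THRESHOLD = 16384
WINDOW_SECONDS = 10
MIN_HITS = 3


def parse_log(text):
    """Parse the constructed five-field format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, clen = line.split()
        records.append({"ts": int(ts), "ip": ip, "method": method,
                        "path": path, "clen": int(clen)})
    return records


def large_body_gets(records, threshold=GET_BODY_THRESHOLD):
    """Return only GET records whose declared body length meets the threshold."""
    return [r for r in records if r["method"] == "GET" and r["clen"] >= threshold]


def find_get_body_bursts(records, threshold=GET_BODY_THRESHOLD,
                         window=WINDOW_SECONDS, min_hits=MIN_HITS):
    """Map client IP -> largest number of large-body GETs seen inside any
    `window`-second span, for clients that reach `min_hits`."""
    by_ip = defaultdict(list)
    for r in large_body_gets(records, threshold):
        by_ip[r["ip"]].append(r["ts"])

    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = 0
        start = 0
        # Two-pointer sliding window over sorted timestamps.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, hits in find_get_body_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {hits} large-body GETs within {WINDOW_SECONDS}s")
```

The detector keys on the request method plus the declared Content-Length, which most servers log or can be made to log; it deliberately ignores the body contents, so it does not depend on any particular payload pattern, and the thresholds are the only values that need tuning per site.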
Current thread:
- quick notes Dave Aitel (Aug 27)
- Re: quick notes H D Moore (Aug 27)
- <Possible follow-ups>
- Re: quick notes oded.horovitz (Aug 30)
- Re: quick notes hdm-daily-dave (Sep 01)
- RE: quick notes kquest (Sep 03)