Vulnerability Development mailing list archives
Re: Possibly exploitable overflow in Alibaba 2.0
From: dullien () GMX DE (Thomas Dullien)
Date: Sat, 30 Oct 1999 23:44:02 +0200
On Fri, 29 Oct 1999 18:38:05 MET, W.H.J.Pinckaers wrote:

> Could you point us to the web site that is distributing this software? Along with a guess of the number of users of this webserver?

Well, I have no clear estimates of the number of users of this server, but a few political parties in Germany use it for some pages ;) Aside from that, the author's homepage is www.csm-usa.com

> And on what OS/CPU does the webserver run? Linux? Wintendo?

Wintendo 9x/NT

> I have such shellcode on the shelf, since this is needed by quite a lot of other webservers too. (Shellcode for Linux/x86) If you want it, drop me a mail.

Well, on NT/9x we run into the problem that there is no way around guessing the address of the stack. Theoretically, it could be possible to overwrite the dword after the return address, too, and then ret to a CALL ESP instruction somewhere in the DLL space in NT, but since all DLLs are mapped somewhere in the 0x77xxxxxx range, we can't, due to the strupr problem.

It might be a good idea to look at all products of CSM with a certain suspicion, as I have a 'pricking of my thumb' that they might have similar holes. Evaluate their security before using them :)

Thomas Dullien
dullien () gmx de
Win32 Security Consultant ;-> Hire me !
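The "strupr problem" referred to above can be checked mechanically. The following is an added example, not code from the original post or from the Alibaba server: it models what an ASCII strupr() pass does to the four bytes of a return address embedded in attacker-controlled input, and reports whether a candidate address survives. Every byte in the 0x77xxxxxx range has a high byte of 0x77, which is ASCII 'w', so strupr() rewrites it to 0x57 ('W') and the address no longer points into the mapped DLL. The candidate addresses below are constructed values chosen to illustrate the ranges, not real CALL ESP locations in any DLL.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the Microsoft CRT strupr(): every byte in 'a'..'z'
 * (0x61..0x7A) is mapped to 'A'..'Z' (0x41..0x5A); all other bytes
 * pass through unchanged. Applied to the four bytes of a dword in
 * memory (x86 is little-endian, but the result does not depend on
 * byte order because every byte is mapped independently). */
static uint32_t strupr_dword(uint32_t addr)
{
    uint32_t out = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t b = (addr >> (8 * i)) & 0xFF;
        if (b >= 'a' && b <= 'z')
            b -= 0x20;              /* 'a' - 'A' == 0x20 */
        out |= b << (8 * i);
    }
    return out;
}

/* A candidate return address is usable only if (a) it contains no NUL
 * byte, since the overflowing string copy would stop there, and
 * (b) strupr() leaves it unchanged. */
static int addr_survives(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xFF) == 0)
            return 0;
    return strupr_dword(addr) == addr;
}

/* Brute-force check: does any address in [base, base+len) survive?
 * For the whole 0x77000000..0x77FFFFFF range the answer is no, because
 * the high byte 0x77 ('w') is always rewritten to 0x57. */
static int range_has_survivor(uint32_t base, uint32_t len)
{
    for (uint32_t off = 0; off < len; off++)
        if (addr_survives(base + off))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed candidates (hypothetical, not real DLL addresses). */
    const uint32_t candidates[] = {
        0x77E1B24Au,   /* typical NT system DLL range: mangled by strupr */
        0x0040A3C1u,   /* main image: contains a NUL byte */
        0x7FFD1234u,   /* no lowercase ASCII, no NUL: survives */
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        uint32_t a = candidates[i];
        printf("%08X -> after strupr %08X : %s\n", a, strupr_dword(a),
               addr_survives(a) ? "usable" : "NOT usable");
    }
    printf("any survivor in 0x77000000-0x77FFFFFF: %s\n",
           range_has_survivor(0x77000000u, 0x01000000u) ? "yes" : "no");
    return 0;
}
```

The same filter is worth running over any gadget list before choosing a return address: a single byte in 0x61..0x7A anywhere in the dword is enough to break it, and the 0x00 check catches the addresses that a strcpy()-style overflow could never deliver in full.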
Current thread:
- Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 28)
- Re: Possibly exploitable overflow in Alibaba 2.0 W.H.J.Pinckaers (Oct 29)
- FreeBSD listen() again 3APA3A (Oct 30)
- Re: FreeBSD listen() again Sebastian (Oct 30)
- Re: Possibly exploitable overflow in Alibaba 2.0 Blue Boar (Oct 30)
- <Possible follow-ups>
- Re: Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 30)