Vulnerability Development mailing list archives
Re: buffer overflows encapsulation
From: Mike Sues <msues () cinnabar ca>
Date: Wed, 24 Jan 2001 07:10:47 -0800
> and more generally, if the target is behind a firewall with a good security policy that would deny any outgoing connection from a dmz and so any
If connections initiated from the exploited box to the external network are prohibited then you are blocked from using commands (e.g. ftp, tftp) on the box to upload survey kits or local exploits to elevate your access. However, if you are able to locate the socket descriptor for your initial connection to the box over which you sent your overflow, re-use it in the egg to upload survey kits or other exploits and then spawn a shell.

When developing an overflow I will break on the accept for my connection and follow where the returned descriptor is stored for re-use in my egg. An egg such as this would not require too large a buffer; I've been able to build the socket reuse to upload code and execute capability into an egg of less than about 153 bytes and I'm sure it could be made a bit smaller. Once you have this capability your injector can push larger code fragments up to your egg, which themselves could re-use the socket for comms with your injector code.

Mike Sues
Senior Network Security Analyst
Cinnabar Networks Inc
http://www.cinnabar.ca
ph :613.720.4842
fax:613.236.2506
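The egg described above ends by spawning a shell whose standard streams are the reused, already-accepted network socket, so an egress filter never sees a new outbound connection. A host-side check that catches exactly that end state is to look for shell processes whose fd 0/1/2 resolve to a socket rather than a tty, pipe or file. The script below is an added example written for this archive page, not code from the original thread; it assumes the Linux /proc layout (`/proc/<pid>/comm` and `/proc/<pid>/fd/<n>` symlinks) and a hand-picked list of shell names, and the sample snapshot it runs on is constructed, not captured from a real host.

```python
"""Flag shells whose stdin/stdout/stderr are network sockets (socket-reuse shell detection)."""
import os
import re
from typing import Dict, List, Tuple

# Assumption: interpreters an intruder typically spawns once the socket is reused.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}

# /proc/<pid>/fd/<n> points at "socket:[<inode>]" when the descriptor is a socket.
_SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

# A process snapshot is pid -> (comm, {fd number: symlink target}).
Snapshot = Dict[int, Tuple[str, Dict[int, str]]]


def is_socket_backed_shell(comm: str, fds: Dict[int, str]) -> bool:
    """True if `comm` is a shell and any of its standard streams is a socket."""
    if comm not in SHELL_NAMES:
        return False
    return any(_SOCKET_RE.match(fds.get(n, "")) for n in (0, 1, 2))


def find_socket_backed_shells(snapshot: Snapshot) -> List[int]:
    """Return the pids in `snapshot` that look like socket-backed shells, ascending."""
    return sorted(pid for pid, (comm, fds) in snapshot.items()
                  if is_socket_backed_shell(comm, fds))


def snapshot_proc(proc_root: str = "/proc") -> Snapshot:
    """Collect (comm, fd 0-2 targets) for every process visible under `proc_root` (Linux only)."""
    result: Snapshot = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited between listdir and open, or not permitted
        fds: Dict[int, str] = {}
        for n in (0, 1, 2):
            try:
                fds[n] = os.readlink(os.path.join(base, "fd", str(n)))
            except OSError:
                continue  # descriptor closed, or reading it needs more privilege
        result[int(entry)] = (comm, fds)
    return result


# Constructed sample snapshot: one web server, one interactive shell on a pty,
# one shell inherited onto a socket (the pattern from the post), one daemon.
SAMPLE_SNAPSHOT: Snapshot = {
    101: ("httpd", {0: "/dev/null", 1: "/var/log/httpd/access_log", 2: "/var/log/httpd/error_log"}),
    102: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    103: ("sh", {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}),
    104: ("sshd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
}

if __name__ == "__main__":
    print("constructed sample:", find_socket_backed_shells(SAMPLE_SNAPSHOT))  # [103]
    if os.path.isdir("/proc"):
        print("this host:", find_socket_backed_shells(snapshot_proc()))
```

Run it from cron or a host agent and alert on any hit; the socket inode in the symlink target can be matched against `/proc/net/tcp` to recover the peer address for the alert. Expect legitimate hits from inetd-style services that hand a command the accepted socket as its stdio (classic rsh/rexec setups do this), so whitelist those by parent process rather than dropping the check.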
Current thread:
- Re: buffer overflows encapsulation gregory duchemin (Jan 24)
- Re: buffer overflows encapsulation Mike Sues (Jan 24)