Vulnerability Development mailing list archives

Re: buffer overflows encapsulation


From: Mike Sues <msues () cinnabar ca>
Date: Wed, 24 Jan 2001 07:10:47 -0800

> and more generally, if the target is behind a firewall with a good security
> policy that would deny any outgoing connection from a dmz and so any

If connections initiated from the exploited box to the external
network are prohibited then you are blocked from using commands
(e.g. ftp, tftp) on the box to upload survey kits or local exploits
to elevate your access. However, if you are able to locate the
socket descriptor for your initial connection to the box over which
you sent your overflow, re-use it in the egg to upload survey kits
or other exploits and then spawn a shell. When developing an overflow
I will break on the accept for my connection and follow where the
returned descriptor is stored for re-use in my egg. An egg such as this
would not require too large a buffer; I've been able to build the socket
reuse to upload code and execute capability into an egg of less than
about 153 bytes and I'm sure it could be made a bit smaller. Once you
have this capability your injector can push larger code fragments up to
your egg, which themselves could re-use the socket for comms with your
injector code.

Mike Sues
Senior Network Security Analyst
Cinnabar Networks Inc
http://www.cinnabar.ca
ph :613.720.4842
fax:613.236.2506
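The technique above leaves a host-side trace a responder can look for: a shell whose standard descriptors are the accepted network socket of a service, rather than a tty or pipe. The following is an added example (not part of the original post) that flags such shells from `/proc/<pid>/fd` style data and correlates the shared socket inode back to the non-shell process that holds it; the process table, pids and inode numbers it runs on are constructed.

```python
import re

# Interactive shells normally have a tty or pipe on fd 0-2, never a network socket.
SHELL_NAMES = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
# readlink("/proc/<pid>/fd/<n>") yields "socket:[<inode>]" for a socket descriptor.
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def socket_inodes(fds, only=None):
    """Socket inode numbers among a process's fds (optionally only the given fd numbers)."""
    found = set()
    for n, target in fds.items():
        m = SOCKET_RE.match(target)
        if m and (only is None or n in only):
            found.add(m.group(1))
    return found


def socket_backed_shells(procs):
    """Flag shells whose stdin/stdout/stderr are a socket and name the non-shell
    process holding the same socket inode (the service the shell inherited it from).
    Each entry of `procs` is {"pid": int, "comm": str, "fds": {fd: readlink target}}."""
    hits = []
    for p in procs:
        if p["comm"] not in SHELL_NAMES:
            continue
        inodes = socket_inodes(p["fds"], only=(0, 1, 2))
        if not inodes:
            continue
        owners = sorted(q["pid"] for q in procs
                        if q["comm"] not in SHELL_NAMES and inodes & socket_inodes(q["fds"]))
        hits.append({"pid": p["pid"], "comm": p["comm"],
                     "socket_inodes": sorted(inodes), "shared_with": owners})
    return hits


# Constructed sample fd tables (not from a real host): an httpd worker holding its
# accepted client connection on fd 4, a shell whose fds 0-2 were dup2()'d onto that
# same socket, and an ordinary interactive bash on a pty.
SAMPLE = [
    {"pid": 812, "comm": "httpd",
     "fds": {0: "/dev/null", 1: "/dev/null", 2: "pipe:[9001]", 4: "socket:[44321]"}},
    {"pid": 901, "comm": "sh",
     "fds": {0: "socket:[44321]", 1: "socket:[44321]", 2: "socket:[44321]"}},
    {"pid": 1337, "comm": "bash",
     "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
]

if __name__ == "__main__":
    for hit in socket_backed_shells(SAMPLE):
        print(hit)
```

On a live Linux host the same dicts can be built by reading `/proc/<pid>/comm` and calling `os.readlink` on each entry of `/proc/<pid>/fd`.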
