| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: eos-india at linuxmail.org (Eye on Security India)
Subject: Pound <=1.5 Remote Exploit (Format string bug)
/*
Pound <=1.5 remote format string exploit (public version)
by
Nilanjan De - n2n@...nt.ru
Eye on Security Research Group, India, http://www.eos-india.net
Vendor URL: http://www.apsis.ch/pound/
Local exploit is only useful is pound is setuid
The shellcode used doesn't break chroot
if you need to break chroot, use a different shellcode
To find jmpslot:
For remote:
objdump -R /usr/sbin/pound|grep pthread_exit|cut -d ' ' -f 1
for local:
objdump -R /usr/sbin/pound|grep exit|grep -v pthread|cut -d ' '
-f 1
Note: In case of remote exploit, since the exploit occurs in one of the
threads, you may need to modify this exploit to brute-force the RET address to make the exploit work. Since pound runs in daemon mode, brute forcing it is no problem.
*/
--
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.
Powered by Outblaze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 305-pound.c
Type: application/octet-stream
Size: 9282 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040508/f8016d6b/305-pound.obj
Powered by blists - more mailing lists