Date: Fri Dec 16 15:37:47 2005
From: FistFuXXer at gmx.de (FistFucker)
Subject: iDEFENSE Security Advisory 12.06.05: Ipswitch

No, there was nothing useful on the stack. Just a few static strings and
pointers to the code section of various DLLs, followed by thousands of
zeros. I've tried many possibilities for about 3 weeks and then I've given it
up. Now I want to know if it's really exploitable and how.


-FistFucker (aka FistFuXXer)



----- Original Message ----- 
From: "H D Moore" <hdm@...asploit.com>
To: "FistFucker" <FistFuXXer@....de>
Sent: Friday, December 16, 2005 4:09 PM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch


> Doh, oh well. If you send %p x 512, is there anything else in memory that
> you can control? An idea might be to send a long mail from: before using
> a rcpt to: with the format specifier. Doing something similar for a CGI
> app right now.
>
> -HD
>
> On Friday 16 December 2005 09:05, FistFucker wrote:
> > I've already tried this, but argument-skipping isn't supported by the
> > called function.
> >
> >
> > -FistFucker (aka FistFuXXer)
> >
> >
> >
> > ----- Original Message -----
> > From: "H D Moore" <fdlist@...italoffense.net>
> > To: <full-disclosure@...ts.grok.org.uk>
> > Sent: Friday, December 16, 2005 3:59 PM
> > Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05:
> > Ipswitch
> >
> > > This may not be a limitation if you can use the argument-skipping
> > > syntax in msvcrt (ie. %4000$x).
> > >
> > > -HD
> > >
> > > On Friday 16 December 2005 08:32, FistFucker wrote:
> > > > I don't think it's exploitable because the user controlled string
> > > > is many thousand bytes away from the stack pointer and you can only
> > > > send 512 bytes to the SMTP daemon.
> > >
> > > [snip]
> > >
> > > > If someone was able to exploit this, I would be interested in
> > > > exploit code or an explanation to learn from him.
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
>
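The thread above turns on whether untrusted SMTP arguments reach a printf-style function as the format string, and whether the C runtime honours the positional `%N$x` form. The following is an added example, not code from this thread or from any Ipswitch product: a small scanner that counts conversion directives in an untrusted string (flagging the positional `%N$` form and the memory-writing `%n`), so a daemon or log monitor can alert on such input, alongside the logging pattern that avoids the bug entirely by passing the untrusted text as an argument rather than as the format. The sample command lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Summary of printf-style directives found in an untrusted string.
   Constructed for this example; not part of any real SMTP daemon. */
struct fmt_scan {
    int directives;   /* conversions found, e.g. %x %s %n           */
    int positional;   /* of those, how many use the %N$ (skip) form  */
    int writes;       /* %n conversions, which write to memory       */
};

/* Scan s for printf conversion directives. A literal "%%" is skipped.
   Grammar covered: % [N$] [flags] [width] [.precision] [length] conv */
struct fmt_scan scan_format_directives(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent, not a directive */
            p++;
            continue;
        }
        const char *q = p + 1;
        const char *digits = q;
        while (isdigit((unsigned char)*q))
            q++;
        /* digits followed by '$' select an argument position (%4000$x);
           digits not followed by '$' are simply a field width (%08x)    */
        int is_positional = (q > digits && *q == '$');
        if (is_positional)
            q++;
        while (*q && strchr("-+ #0", *q))                   /* flags     */
            q++;
        while (isdigit((unsigned char)*q) || *q == '*')      /* width     */
            q++;
        if (*q == '.') {                                     /* precision */
            q++;
            while (isdigit((unsigned char)*q) || *q == '*')
                q++;
        }
        while (*q && strchr("hlLqjzt", *q))                  /* length    */
            q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {        /* conversion */
            r.directives++;
            if (is_positional)
                r.positional++;
            if (*q == 'n')
                r.writes++;
            p = q;
        }
    }
    return r;
}

/* Safe logging of an untrusted SMTP argument: the untrusted text is an
   argument to a fixed "%s" format, so its '%' characters are inert.
   Returns the formatted line (static buffer, fine for a single thread). */
static char g_logline[256];
const char *log_smtp_arg(const char *verb, const char *arg)
{
    snprintf(g_logline, sizeof g_logline, "%s: %s", verb, arg);
    return g_logline;
}

int main(void)
{
    /* constructed sample lines, one benign and two carrying directives */
    const char *samples[] = {
        "MAIL FROM:<user@example.invalid>",
        "RCPT TO:<%4000$x@example.invalid>",
        "RCPT TO:<%x%x%n>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_scan r = scan_format_directives(samples[i]);
        printf("%-40s directives=%d positional=%d writes=%d\n",
               samples[i], r.directives, r.positional, r.writes);
        puts(log_smtp_arg("logged", samples[i]));
    }
    return 0;
}
```

The scanner is a detection aid for log review or an alerting rule; the actual fix for this class of bug is the second function's pattern, never letting attacker-controlled bytes become the format string. Compiling with warnings such as `-Wformat-security` (GCC/Clang) catches `printf(buf)` with a non-literal format at build time.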
