Date: Fri Oct 21 22:22:11 2005
From: tkrpata at bjs.com (Krpata, Tyler)
Subject: Re: Snort BackOrifice Fun

> Attached some in-progress code for the snort bug, getting through the
> while() loop that modifies both 'i' and 'len' is annoying. Any ideas on
> making this more reliable? It works great on my -ggdb version, but runs
> off a page during a memcmp() on my normal binary.

The problem is that you reach a point (coincidentally a page before eip)
where you start to clobber the pointer that is being used to copy your user
data into memory. Once that happens you're no longer writing to the location
you want to be writing to.

*****************************************
Bf??????? [41414141] len
Bf??????? [41414141] id
Bf??????? [41414141] l
Bf??????? [41414141] i
Bf??????? [41414141] type
Bf??????? [Bf????41] buf_ptr
Bf??????? [????????]
Bf??????? [????????]
Bf??????? [????????] eip
*****************************************

Somewhere else...

Bf????41 [41414141]
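The effect described in the message above, modelled as an added example that is not part of the original post and is not Snort's code: a byte array stands in for the stack frame, and the offsets, sizes, marker value and function names are all constructed for illustration. It shows an unbounded copy overwriting its own write pointer so that later bytes land elsewhere, next to the same copy with a length check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout, not Snort's real frame: a byte array stands in for the
 * stack so the effect can be observed without undefined behaviour. */
enum { BUF = 0x10, BUF_LEN = 16, PTR_SLOT = 0x20, RET_SLOT = 0x24, MEM_LEN = 256 };

struct result { int ret_intact; size_t stray; uint8_t final_ptr; };

/* Copy n bytes through a write pointer that lives in the same frame.
 * checked != 0 clamps n to the buffer size first (the mitigation). */
static struct result copy_in(const uint8_t *src, size_t n, int checked) {
    static const uint8_t marker[4] = { 0xEE, 0xEE, 0xEE, 0xEE };
    uint8_t mem[MEM_LEN] = { 0 };
    struct result r = { 0, 0, 0 };

    mem[PTR_SLOT] = BUF;                     /* low byte of buf_ptr */
    memcpy(mem + RET_SLOT, marker, 4);       /* stand-in for the saved eip */
    if (checked && n > BUF_LEN)
        n = BUF_LEN;
    for (size_t k = 0; k < n; k++) {
        uint8_t dst = mem[PTR_SLOT];         /* pointer is read from the frame */
        mem[dst] = src[k];                   /* at dst == PTR_SLOT this hits the pointer */
        if (dst < BUF || dst >= BUF + BUF_LEN)
            r.stray++;                       /* byte landed outside the buffer */
        mem[PTR_SLOT]++;                     /* advance whatever value is there now */
    }
    r.ret_intact = memcmp(mem + RET_SLOT, marker, 4) == 0;
    r.final_ptr = mem[PTR_SLOT];
    return r;
}

/* Constructed input: 32 bytes of 0x41 into a 16-byte buffer. */
static struct result run_demo(int checked) {
    uint8_t input[32];
    memset(input, 0x41, sizeof input);
    return copy_in(input, sizeof input, checked);
}

int main(void) {
    struct result u = run_demo(0), c = run_demo(1);
    printf("unchecked: stray=%zu ptr=0x%02x ret_intact=%d\n", u.stray, u.final_ptr, u.ret_intact);
    printf("checked:   stray=%zu ptr=0x%02x ret_intact=%d\n", c.stray, c.final_ptr, c.ret_intact);
    return 0;
}
```

In the unchecked run the pointer slot takes the value 0x41 and the remaining bytes are written from 0x42 onward, so memory outside the buffer is corrupted even though the marker next to it is untouched; the checked run stops at the end of the buffer.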