Message-ID: <200601231138.33500.fdlist@digitaloffense.net>
Date: Mon Jan 23 17:38:54 2006
From: fdlist at digitaloffense.net (H D Moore)
Subject: All you WMF haxxors are belong to...... Mr Moore

There are a handful of cases where a malicious server / mitm could cause 
the Framework to run out of memory. We aren't that concerned with it -- 
if you can find a way to do something useful (run code, etc), let us 
know. We might look at limiting this in version 3.0, but no matter what 
'max size' we place on a protocol response, it's never going to be small 
enough to account for the low-end system or big enough to handle truly 
gigantic (legit) replies. The SMB, DCERPC, and BackupExec protocols also 
suffer from 'arbitrary malloc and die' issues. 

-HD


On Monday 23 January 2006 08:40, H D Moore wrote:
> Nice DoS bug, next time try emailing us first :-)
>
> -HD
>
> On Monday 23 January 2006 04:23, cranium pain wrote:
> > WMF Exploit vulnerable?
> >
> > [*] Starting Reverse Handler.
> > [*] Waiting for connections to http://0.0.0.0:80/
> > [*] Got connection from 0.0.0.0:443 <-> 1.1.1.1:42121
> > [*] Sending Stage (2834 bytes)
> > [*] Sleeping before sending dll.
> > [*] Uploading dll to memory (69643), Please wait...
> > [*] Upload completed
> > meterpreter> Out of memory during "large" request for 2147487744
> > bytes, total sbrk() is 17950720 bytes at
> > /home/framework/lib/Pex/Meterpreter/Packet.pm line 509
> >
> >
> > 509:  $res -1 if ($res >= 0 and not defined(recv($fd, $tempBuffer,
> > $tempBufferLength, 0)));
> >
> > --
> >
> > "haxxoring haxxors for fun and fun"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

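The failure in the quoted report is the classic "arbitrary malloc and die" pattern HD describes: a length field read from the peer (here, 2147487744) is passed straight to recv() and becomes the size of the buffer the process tries to allocate. The example below is added here to illustrate that pattern and its bounded counterpart; it is not the Framework's Perl code and does not reproduce the Meterpreter wire format. The 4-byte big-endian length prefix, the 1 MiB cap, the 64 KiB read chunk and the FakeSocket test double (which raises MemoryError instead of actually allocating) are all assumptions of this example.

```python
"""Length-prefixed packet reader: trusting the peer's length field versus
bounding it.  Added example; the wire format (4-byte big-endian length
followed by the body) and the limits are assumptions, not the Framework's
own protocol or code."""
import struct

# Assumed policy limits for this example.
MAX_PACKET_BYTES = 1 << 20        # largest body we are willing to buffer
RECV_CHUNK = 64 * 1024            # size of each incremental read


class ProtocolError(Exception):
    """Raised when the peer's framing is malformed or exceeds policy."""


class FakeSocket:
    """In-memory stand-in for a socket (constructed test double).

    recv(n) mimics an implementation that pre-sizes its buffer to n bytes:
    above SIMULATED_HEAP_LIMIT it raises MemoryError instead of actually
    allocating, which is how the 'Out of memory during "large" request'
    failure from the quoted report is reproduced safely here.
    """
    SIMULATED_HEAP_LIMIT = 16 * (1 << 20)

    def __init__(self, data: bytes):
        self._data = data
        self._pos = 0

    def recv(self, n: int) -> bytes:
        if n > self.SIMULATED_HEAP_LIMIT:
            raise MemoryError(f"simulated: cannot allocate {n} bytes")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def read_packet_trusting(sock) -> bytes:
    """Vulnerable pattern: the peer's declared length becomes the allocation size."""
    header = sock.recv(4)
    if len(header) < 4:
        raise ProtocolError("short header")
    (length,) = struct.unpack(">I", header)
    return sock.recv(length)          # peer controls how much we try to allocate


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes, never asking for more than RECV_CHUNK at a time."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(RECV_CHUNK, n - len(buf)))
        if not chunk:
            raise ProtocolError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def read_packet_bounded(sock, max_bytes: int = MAX_PACKET_BYTES) -> bytes:
    """Hardened pattern: validate the declared length against a cap before
    allocating, then buffer only what actually arrives."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    if length > max_bytes:
        raise ProtocolError(f"declared length {length} exceeds cap {max_bytes}")
    return recv_exact(sock, length)


def frame(body: bytes) -> bytes:
    """Build a well-formed packet for the assumed wire format."""
    return struct.pack(">I", len(body)) + body


# Constructed inputs: a normal packet, a header carrying the exact length from
# the quoted report (2147487744 bytes) with no body behind it, and a packet
# whose body is shorter than its header claims.
GOOD_PACKET = frame(b"hello")
HOSTILE_HEADER = struct.pack(">I", 2147487744)
TRUNCATED_PACKET = struct.pack(">I", 10) + b"abc"


def demo() -> dict:
    """Run both readers against the constructed inputs; returns outcomes by name."""
    out = {}
    out["trusting_good"] = read_packet_trusting(FakeSocket(GOOD_PACKET))
    try:
        read_packet_trusting(FakeSocket(HOSTILE_HEADER))
        out["trusting_hostile"] = "no error"
    except MemoryError as e:
        out["trusting_hostile"] = type(e).__name__
    out["bounded_good"] = read_packet_bounded(FakeSocket(GOOD_PACKET))
    for name, data in (("bounded_hostile", HOSTILE_HEADER),
                       ("bounded_truncated", TRUNCATED_PACKET)):
        try:
            read_packet_bounded(FakeSocket(data))
            out[name] = "no error"
        except ProtocolError as e:
            out[name] = type(e).__name__
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The bounded reader fails the hostile header with a ProtocolError before any body buffer exists, and the trusting reader fails with MemoryError because it asks the transport for 2 GB up front. The cap itself is the policy knob HD's message describes: whatever value is chosen will be wrong for some host or some legitimate reply, but reading in chunks means memory use follows bytes actually received rather than the peer's claim, so the cap only needs to be a sanity bound, not an exact fit.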