[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Pound <=1.5 Remote Exploit (Format string bug)

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Pound <=1.5 Remote Exploit (Format string bug)
From: "Eye on Security India" <eos-india@xxxxxxxxxxxxx>
Date: Sat, 08 May 2004 08:19:28 +0800

/*
        Pound <=1.5 remote format string exploit (public version)
        by
        Nilanjan De - n2n@xxxxxxxx
        Eye on Security Research Group, India, http://www.eos-india.net
 
        Vendor URL: http://www.apsis.ch/pound/
 
        Local exploit is only useful is pound is setuid
        The shellcode used doesn't break chroot
        if you need to break chroot, use a different shellcode
 
        To find jmpslot:
        For remote:
                objdump -R /usr/sbin/pound|grep pthread_exit|cut -d ' ' -f 1
        for local:
                objdump -R /usr/sbin/pound|grep exit|grep -v pthread|cut -d ' '
-f 1
 
        Note: In case of remote exploit, since the exploit occurs in one of the
threads, you may need to modify this exploit to brute-force the RET address to 
make the exploit work. Since pound runs in daemon mode, brute forcing it is no 
problem.
*/

-- 
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org 
This allows you to send and receive SMS through your mailbox.


Powered by Outblaze

Attachment: 305-pound.c
Description: Binary data

Prev by Date: Re: [Full-Disclosure] Multiple vulnerabilities in 'pizza_party'
Next by Date: Re: [Full-Disclosure] Multiple vulnerabilities in 'pizza_party'
Previous by thread: RE: [Full-Disclosure] Multiple vulnerabilities in 'pizza_party'
Next by thread: [Full-Disclosure] Victory day - Sasser surrenders
Index(es):
- Date
- Thread