
Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch



No, there was nothing useful on the stack. Just a few static strings and
pointers to the code section of various DLLs, followed by thousands of
zeros. I tried many possibilities for about 3 weeks and then I gave it
up. Now I want to know if it's really exploitable and how.


-FistFucker (aka FistFuXXer)



----- Original Message ----- 
From: "H D Moore" <hdm@xxxxxxxxxxxxxx>
To: "FistFucker" <FistFuXXer@xxxxxx>
Sent: Friday, December 16, 2005 4:09 PM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch


> Doh, oh well. If you send %p x 512, is there anything else in memory that
> you can control? An idea might be to send a long mail from: before using
> a rcpt to: with the format specifier. Doing something similar for a CGI
> app right now.
>
> -HD
>
> On Friday 16 December 2005 09:05, FistFucker wrote:
> > I've already tried this, but argument-skipping isn't supported by the
> > called function.
> >
> >
> > -FistFucker (aka FistFuXXer)
> >
> >
> >
> > ----- Original Message -----
> > From: "H D Moore" <fdlist@xxxxxxxxxxxxxxxxxx>
> > To: <full-disclosure@xxxxxxxxxxxxxxxxx>
> > Sent: Friday, December 16, 2005 3:59 PM
> > Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05:
> > Ipswitch
> >
> > > This may not be a limitation if you can use the argument-skipping
> > > syntax in msvcrt (ie. %4000$x).
> > >
> > > -HD
> > >
> > > On Friday 16 December 2005 08:32, FistFucker wrote:
> > > > I don't think it's exploitable because the user controlled string
> > > > is many thousand bytes away from the stack pointer and you can only
> > > > send 512 bytes to the SMTP daemon.
> > >
> > > [snip]
> > >
> > > > If someone was able to exploit this, I would be interested in
> > > > exploit code or an explanation to learn from him.
> > >

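Added here as an illustration of the bug class this thread is about, not code from the thread or from Ipswitch: a printf-style logging helper called with network-supplied text as its format, the fixed form beside it, and a scanner that flags format directives in untrusted input, including the positional "%N$" syntax HD mentions. The `log_msg` helper, the `rcpt=` prefix and the sample inputs are constructed for the example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed logging helper of the kind a mail daemon might have: the
 * first argument is a printf format, so whatever lands there is parsed. */
static char line[256];
static const char *log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);
    return line;
}

/* Vulnerable: the network-supplied address itself becomes the format. */
const char *log_rcpt_vulnerable(const char *rcpt)
{
    return log_msg(rcpt);             /* directives in rcpt are interpreted */
}

/* Fixed: a fixed format, user data only ever fills a %s. */
const char *log_rcpt_fixed(const char *rcpt)
{
    return log_msg("rcpt=%s", rcpt);  /* a '%' in rcpt is now plain data */
}

/* Classify untrusted text for printf directives: 0 = none ("%%" is a
 * literal percent), 1 = ordinary directives such as "%p%p", 2 = the
 * positional "%N$" form (e.g. "%4000$x"), which reaches a far-away
 * argument with very few bytes, so an input-length limit alone does
 * not protect against it. */
int classify_format_risk(const char *s)
{
    int risk = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }        /* skip escaped percent */
        const char *q = p + 1;
        while (isdigit((unsigned char)*q)) q++;    /* optional N in %N$ */
        if (q > p + 1 && *q == '$') return 2;
        risk = 1;
    }
    return risk;
}
```

Running the same input through both logging variants shows the difference directly: "a%%b" is collapsed to "a%b" by the vulnerable path and kept verbatim by the fixed one.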
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/