question on remote overflow

From: Minchu Mo (morris_minchu@iwon.com)
Date: 10/29/01


Date: 29 Oct 2001 19:52:01 -0000
Message-ID: <20011029195201.20412.qmail@mail.securityfocus.com>
From: Minchu Mo <morris_minchu@iwon.com>
To: vuln-dev@securityfocus.com
Subject: question on remote overflow


Mailer: SecurityFocus

I am doing a remote overflow experiment on Solaris 2.7 with SPARC V9. My RPC server has a buffer overflow bug in the stack; my RPC client will pass a long binary code (with hacking code inside) to the server. Part of the binary will overflow the buffer and overwrite the return address; the other part of the binary contains the hacking code downloaded from lsd-pl (findsck and shell code) and resides in the heap area. Once the overflow happens, control is supposed to be transferred to the heap area and run from there.

With adb/truss tracing the RPC server, I can see that control was indeed transferred to the heap and run from there, but if I let the RPC server run freely, the process seems to skip the hacking code in the heap.

My questions are:
Why didn't control transfer? Is the heap also disabled from running code?
Or does a process under adb run differently from real time?
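The bug the post describes, an RPC server filling a fixed stack buffer from a client-supplied message without checking the length, is the class of defect that the missing check below closes. The following is an added example written for this archive page, not code from the poster or from any Solaris RPC implementation: it decodes one XDR variable-length opaque field (4-byte big-endian length, data, padding to a 4-byte boundary, as Sun RPC uses) into a fixed-size buffer and rejects a declared length that exceeds either the destination or the bytes actually received. The handler name, error codes and sample messages are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination, standing in for the stack buffer in the post. */
#define MAX_OPAQUE 64

/* Hypothetical result codes for this example. */
enum { DEC_OK = 0, DEC_TOO_LONG = -1, DEC_TRUNCATED = -2, DEC_SHORT_HDR = -3 };

/* Decode one XDR opaque<> (4-byte big-endian length, then data padded to a
 * multiple of 4) from msg into dst, which holds at most cap bytes.
 * On success returns DEC_OK and stores the payload length in *out_len;
 * on any failure returns a negative code and writes nothing to dst. */
int decode_opaque(const uint8_t *msg, size_t msg_len,
                  uint8_t *dst, size_t cap, size_t *out_len)
{
    if (msg_len < 4)
        return DEC_SHORT_HDR;               /* no complete length field */

    uint32_t n = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16)
               | ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];

    /* The check whose absence is a stack overflow: the client-supplied
     * length must fit the destination before any byte is copied. */
    if (n > cap)
        return DEC_TOO_LONG;

    /* The declared length must also be backed by bytes actually received,
     * including XDR padding. n <= cap keeps this arithmetic small. */
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (msg_len - 4 < padded)
        return DEC_TRUNCATED;

    memcpy(dst, msg + 4, n);
    *out_len = n;
    return DEC_OK;
}

/* Request handler in the shape the post describes: a fixed stack buffer
 * filled from a client message. Returns the payload length on success,
 * otherwise the decoder's negative error code. */
int handle_request(const uint8_t *msg, size_t msg_len)
{
    uint8_t buf[MAX_OPAQUE];
    size_t got = 0;
    int rc = decode_opaque(msg, msg_len, buf, sizeof buf, &got);
    if (rc != DEC_OK)
        return rc;
    /* ... process buf[0..got) ... */
    return (int)got;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_msg[]      = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
static const uint8_t huge_len_msg[]  = { 0, 0, 4, 0, 'A', 'A', 'A', 'A' }; /* claims 1024 bytes */
static const uint8_t truncated_msg[] = { 0, 0, 0, 8, 'a', 'b', 'c' };      /* claims 8, carries 3 */

int main(void)
{
    printf("good:      %d\n", handle_request(good_msg, sizeof good_msg));
    printf("huge len:  %d\n", handle_request(huge_len_msg, sizeof huge_len_msg));
    printf("truncated: %d\n", handle_request(truncated_msg, sizeof truncated_msg));
    printf("short hdr: %d\n", handle_request(good_msg, 3));
    return 0;
}
```

The two checks are deliberately separate: the first protects the server's own stack frame, the second stops the decoder from reading past the end of the received datagram, which a length field alone can never guarantee.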


