RE: controlling ebp/eip of a frame, does it always lead to possible code execution?

From: Fisch, Matthew (mfisch_at_kaz.com)
Date: 09/19/03

    Date: Fri, 19 Sep 2003 13:06:42 -0400
    To: "Ingram" <Vail@gmx.net>, <vuln-dev@securityfocus.com>
    
    

    Ingram,

      I may be mistaken, but I think I remember some people on the FreeBSD dev team talking about how their sshd was not vulnerable to this arbitrary code execution attack (although sshd was crashable). I don't recall if there was a change in their OpenSSH code, or an OS restriction.

    -----Original Message-----
    From: Ingram [mailto:Vail@gmx.net]
    Sent: Thursday, September 18, 2003 1:45 PM
    To: vuln-dev@securityfocus.com
    Cc: pondermate@hotmail.com
    Subject: Re: controlling ebp/eip of a frame, does it always lead to possible code execution?

    deepcode . wrote:
    >By the looks of it, you are doing everything right. Your overwritten return
    >address points directly to your nop's. The shellcode should be executed.
    >
    >What OS are you on, you may have additional stack protections on the system
    >to prevent standard overflows, particularly Red Hat 9 (Shrike), which I'm using now,
    >will prevent this: not sure exactly how yet ...

    *doh*, sorry, forgot to mention the OS, I am running FreeBSD 4.8 without any
    stack protections.

    
