Re: Format String Vulnerabilities

To:	"Mike Gibson" <micheal.gibson@gmail.com>
Subject:	Re: Format String Vulnerabilities
From:	"rajat swarup" <rajats@gmail.com>
Date:	Fri, 18 May 2007 17:40:19 -0400
Cc:	pen-test@securityfocus.com
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Dkim-signature:	a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=uPIG31/tZYNFn6ZEZSCZ7ipMvvuII1ooBAR4eze28NzZql6yCYY+YhkUtSYj+yIILOCEQWqvnN+HcPk1Vq8BBbSvFDgrLgpLlhwUxcM6mLmUZYrzW/OgVOSAdpGeqEBzl+SMLgzQ4oXhpedpn0WuLHFfv77vH2FfB7CDVhFhAZY=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ozZntVAQ5IlIiB2GPxFu3HJE4oaQbUrLnKvp0IUTAbHahAciaQExTJHssHTd3p85JAZBUTp7n8BJp5M3X4fd4ih9lWPNwRRqGAdziDQg3tntvuKL5JA/PFWPzpqCUYg34Tdr3HyfxCe/XC9a1yul1xLNgf1yuvrnptHe0UblWSg=
In-reply-to:	<dd4aa4a20705181122i4f86c920j67d87f8d3d5c8a8@mail.gmail.com>
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
References:	<dd4aa4a20705181122i4f86c920j67d87f8d3d5c8a8@mail.gmail.com>
Resent-date:	Fri, 18 May 2007 16:34:42 -0600 (MDT)
Resent-from:	pen-test-return-1078484189@securityfocus.com
Resent-message-id:	<20070518223442.433032380B7@outgoing3.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com

On 5/18/07, Mike Gibson <micheal.gibson@gmail.com> wrote:

I have a custom application that I am using to learn a little more
about format string vulnerabilities. It is basically an echo server. I
have been able to exploit the vulnerability and write data to memory
on the server however the problem I am seeing is that I want to
overwrite EIP but every time the application runs the stack seems to
be at a different location.

Does anyone know if Red Hat 9 has any form of stack protection? If so
is there a way to disable it?


Red hat 9 randomizes stack addresses.  You can disable it by using:
echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf
/sbin/sysctl -p /etc/sysctl.conf

James foster's book says:
"You can disable ExecShield with the command:
sysctl -w kernel.exec-shield=0
or just the randomization with the command:
sysctl -w kernel.exec-shield-randomize=0"

Please let me know how it works out.

HTH,
Rajat Swarup

http://rajatswarup.blogspot.com/

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Format String Vulnerabilities, Mike Gibson Re: Format String Vulnerabilities, Pranay Kanwar Re: Format String Vulnerabilities, rajat swarup <= Re: Format String Vulnerabilities, andy . x . johnson

Previous by Date:	Consulting License Offer, Foster, Matt
Next by Date:	Re: Database pen-testing tools, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Previous by Thread:	Re: Format String Vulnerabilities, Pranay Kanwar
Next by Thread:	Re: Format String Vulnerabilities, andy . x . johnson
Indexes:	[Date] [Thread] [Top] [All Lists]