DEFCON 16 and Hacking OpenVMS - VMS


Thread: DEFCON 16 and Hacking OpenVMS

  1. Re: DEFCON 16 and Hacking OpenVMS

    Verified (finally got my VMS box up):

    $ show sys/noproc
    OpenVMS V8.3  on node CHIMPY   15-AUG-2008 09:27:20.73   Uptime  0 23:14:17
    $ type .plan
    %n
    $ show sys/noproc
    OpenVMS V8.3  on node CHIMPY   15-AUG-2008 09:27:25.34   Uptime  0 23:14:21
    $ finger sampsa
    Login name: SAMPSA                      In real life: SAMPSA LAINE
    Account: SAMPSA                         Directory: SYS$SYSDEVICE:[SAMPSA]
    Last login: Fri 15-AUG-2008 09:26:39
    No unread mail
    %SYSTEM-F-ACCVIO, access violation, reason mask=04, virtual address=0000000000000000, PC=FFFFFFFF80BA3BA4, PS=0000001B

    Improperly handled condition, image exit forced.
    Signal arguments:   Number = 0000000000000005
                        Name   = 000000000000000C
                                 0000000000000004
                                 0000000000000000
                                 FFFFFFFF80BA3BA4
                                 000000000000001B

    Register dump:
    R0  = 0000000000000000  R1  = 0000000000000049  R2  = 000000007BEEDCD0
    R3  = 000000007AE26940  R4  = 0000000000000000  R5  = 0000000000000000
    R6  = 000000007AE26928  R7  = FFFFFFFFFFFFFFFF  R8  = 000000007BF628E8
    R9  = 0000000000050011  R10 = 00000000000202D0  R11 = 0000000000000000
    R12 = 0000000000116C88  R13 = 0000000000000000  R14 = 0000000000000053
    R15 = 0000000000116BC8  R16 = 0000000000050011  R17 = 000000007AE26DB0
    R18 = 000000007AE26DB0  R19 = 000000007AE26930  R20 = 0000000000000008
    R21 = 0000000000000000  R22 = 0000000000000000  R23 = 0000000000000000
    R24 = 0000000000000000  R25 = FFFFFFFFFFFFEC96  R26 = 0000000000000001
    R27 = FFFFFFFF80BA36D0  R28 = FFFFFFFF80BA3B30  R29 = 000000007AE26880
    SP  = 000000007AE26880  PC  = FFFFFFFF80BA3BA4  PS  = 000000000000001B


  2. Re: DEFCON 16 and Hacking OpenVMS

    sampsal@gmail.com wrote:
    > Verified (finally got my VMS box up):
    >
    > $ show sys/noproc
    > OpenVMS V8.3  on node CHIMPY   15-AUG-2008 09:27:20.73   Uptime  0 23:14:17
    > $ type .plan
    > %n
    > $ show sys/noproc
    > OpenVMS V8.3  on node CHIMPY   15-AUG-2008 09:27:25.34   Uptime  0 23:14:21
    > $ finger sampsa
    > Login name: SAMPSA                      In real life: SAMPSA LAINE
    > Account: SAMPSA                         Directory: SYS$SYSDEVICE:[SAMPSA]
    > Last login: Fri 15-AUG-2008 09:26:39
    > No unread mail
    > %SYSTEM-F-ACCVIO, access violation, reason mask=04, virtual address=0000000000000000, PC=FFFFFFFF80BA3BA4, PS=0000001B


    OK, now *please*, someone show us how to "properly" format the .plan
    (plan.txt) file to produce this result.

    :-)
    [...]

  3. Re: DEFCON 16 and Hacking OpenVMS

    In article <48A55B5C.60807@comcast.net>, bradhamilton writes:

    >OK, now *please*, someone show us how to "properly" format the .plan
    >(plan.txt) file to produce this result.


    And which finger (TCP/IP Services, Multinet, ...)


  4. Re: DEFCON 16 and Hacking OpenVMS

    In article <6e77d46c-8fd3-4b11-be3b-64f53ae4598b@y38g2000hsy.googlegroups.com>, bugs@signedness.org writes:
    >{...snip...}
    >LOL
    >The bug is not in DCL, and if you care to watch the videos you will
    >see that an arbitrary program can be run with higher privileges.
    >As an example we wrote FILE.EXE (since we can not get any output to
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >the terminal from 'show proc/priv' when exploiting) which simply
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Why not?


    >writes the privileges of the current process to PRIVS.TXT.
    >We first execute FILE.EXE from the shell to show that the user has the
    >default privileges.
    >FILE.EXE is then executed with higher privileges from the program that
    >we are exploiting (install, tcpip and telnet, but there are others as
    >well).
    >
    >Oh, and you need the vmware codecs installed to watch the videos.


    Why not .MPG which doesn't require the download of some questionable
    software from some site on the internet?

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  5. Re: DEFCON 16 and Hacking OpenVMS

    In article <48A4DDE7.3020506@comcast.net>, bradhamilton writes:
    >bugs@signedness.org wrote:
    >[...]
    >>
    >> LOL
    >> The bug is not in DCL, and if you care to watch the videos you will
    >> see that an arbitrary program can be run with higher privileges.
    >> As an example we wrote FILE.EXE (since we can not get any output to
    >> the terminal from 'show proc/priv' when exploiting) which simply
    >> writes the privileges of the current process to PRIVS.TXT.
    >> We first execute FILE.EXE from the shell to show that the user has the
    >> default privileges.
    >> FILE.EXE is then executed with higher privileges from the program that
    >> we are exploiting (install, tcpip and telnet, but there are others as
    >> well).
    >>
    >> Oh, and you need the vmware codecs installed to watch the videos.
    >>
    >> Cheers,
    >> signedness.org

    >
    >Thanks for the additional information. I was curious as to why you ran
    >FILE.EXE, as opposed to a simple "show proc/priv" before and after your
    >exploit.
    >
    >I can see that you have gained privilege after the "exploit", but the
    >"exploit" itself seems to be another EXE (SHELLCODE?) itself. Why all
    >the "mystery"? Without the source code, we can't "see" what's going on,
    >and reproduce it ourselves; we are left to trusting that you are not
    >playing some kind of bizarre, behind-the-scenes tricks to pretend that
    >you are elevating privileges. Sorry to be so mistrustful, but that's
    >just a common attitude here.
    >
    >I was able to "view" the videos on a linux laptop using "Movie Player".
    > I tried to view the videos on an XP box, but both Media Player and
    >Quicktime show dark screens, as reported by Brian. Media player claims
    >that a codec is corrupt (I assume that this is the vmware codec referred
    >to above).


    VLC gives me a white screen with [cmn@fc6 ~]$ , and then runs for 1:06
    with nothing else.



  6. Re: DEFCON 16 and Hacking OpenVMS

    In article , patrick jankowiak writes:
    >
    >Forgive me, but all this "enter exactly 511 characters and press the up
    >arrow three times" business reminds me of the old Dick Van Dyke episode
    >schtick that started with a telephone call and ended with "..then swing
    >the bag over your head and scream like a chicken"


    ROFL!


    >Vaxman -please e-mail me your shipment receiving address.. I am a couple
    >years remiss in sending you something.


    A rack of DTC03s?

    Address forthcoming in separate email.


  7. Re: DEFCON 16 and Hacking OpenVMS

    On Aug 15, 4:37 am, patrick jankowiak wrote:
    > Mark Daniel wrote:
    > > Tim E. Sneddon wrote:
    > >> VAXman- @SendSpamHere.ORG wrote:

    >
    > >>> In article
    > >>> <9781c047-761a-4923-9aab-8c1a32ff7...@x35g2000hsb.googlegroups.com>,
    > >>> samp...@gmail.com writes:

    >
    > >>>>> I would have thought a CLI overflow to have been tried by at least
    > >>>>> a few
    > >>>>> at DEFCON9 because the system automagically created service-rich user
    > >>>>> accounts with of course DCL which the hackers were then free to abuse.

    >
    > >>>>> We were not scrutinizing buffers however and any such overflow may in
    > >>>>> our case have done nothing harmful (by luck or design). I think it was
    > >>>>> version 7.1-? if it makes a difference. Did the gentleman specify any
    > >>>>> versions?

    >
    > >>>> Default 8.3 install on an Alpha according to the presentation notes.
    > >>>> To reproduce this, apparently one is to enter exactly 511 characters
    > >>>> of input, then press the up arrow three times and wait - a core dump
    > >>>> follows.

    >
    > >>> I know you didn't make the claim but you should first test it out before
    > >>> brandishing bull**** here.

    >
    > >>> I've tried to reproduce the claimed results from your posted instruction
    > >>> and it does NOT produce a "core dump".

    >
    > >> This isn't entirely bull****. I reported it, case number AH800710.

    >
    > >> I saw the original post regarding the "execution of privileged code"
    > >> and was tempted to reply, but I didn't bother. However, I am now :-)

    >
    > >> The issue never allowed execution of priv. code (certainly not as
    > >> far as I could see). The issue was simply a miscalculation in the
    > >> RECALL ring buffer that resulted in an access violation. This seemed
    > >> to coincide with the extension of the DCL command line buffer. Yes,
    > >> the process does crash. Yes, it was a pain. However, it happened so
    > >> infrequently and never actually did anything serious that I didn't
    > >> report it for the first few months.

    >
    > >> The version of VMS is also incorrect. I reported the problem under
    > >> OpenVMS Alpha V7.3-2 in June, 2004.

    >
    > > Little point in me reporting that I couldn't produce anything resembling
    > > the (albeit sketchy) description of the 'exploit' on my off-the-CD V8.3
    > > installation. This is a quoted-copy (to help circumvent wrapping) of
    > > that test:

    >
    > >> $ product show hist
    > >> ------------------------------------ ----------- ----------- --- -----------
    > >> PRODUCT                              KIT TYPE    OPERATION   VAL DATE
    > >> ------------------------------------ ----------- ----------- --- -----------
    > >> CPQ AXPVMS CDSA V2.2-271             Full LP     Install     (C) 13-AUG-2008
    > >> DEC AXPVMS DECNET_OSI V8.3           Full LP     Install     (C) 13-AUG-2008
    > >> DEC AXPVMS DWMOTIF V1.6              Full LP     Install     (C) 13-AUG-2008
    > >> DEC AXPVMS DWMOTIF_SUPPORT V8.3      Full LP     Install     (U) 13-AUG-2008
    > >> DEC AXPVMS OPENVMS V8.3              Platform    Install     (U) 13-AUG-2008
    > >> DEC AXPVMS TCPIP V5.6-9              Full LP     Install     (C) 13-AUG-2008
    > >> DEC AXPVMS VMS V8.3                  Oper System Install     (U) 13-AUG-2008
    > >> HP AXPVMS AVAIL_MAN_BASE V8.3        Full LP     Install     (U) 13-AUG-2008
    > >> HP AXPVMS KERBEROS V3.0-103          Full LP     Install     (C) 13-AUG-2008
    > >> HP AXPVMS SSL V1.3-281               Full LP     Install     (C) 13-AUG-2008
    > >> HP AXPVMS TDC_RT V2.2-107            Full LP     Install     (C) 13-AUG-2008
    > >> ------------------------------------ ----------- ----------- --- -----------
    > >> 11 items found

    >
    > >> $ show cpu/full

    >
    > >> System: WASD, AlphaServer DS20 500 MHz

    >
    > >> SMP execlet = 3 : Disabled : Uniprocessing.
    > >> Config tree = None
    > >> Primary CPU = 0
    > >> HWRPB CPUs = 2
    > >> Page Size = 8192
    > >> Revision Code =
    > >> Serial Number = S391400466
    > >> Default CPU Capabilities:
    > >> System: QUORUM RUN
    > >> Default Process Capabilities:
    > >> System: QUORUM RUN

    >
    > >> CPU 0 State: RUN CPUDB: 81C18000 Handle: * None *
    > >> Process: FTA7:SYSTEM PID: 0000045C
    > >> Capabilities:
    > >> System: PRIMARY QUORUM RUN RAD0
    > >> Slot Context: 84970180
    > >> CPU - State..........: RC, PA, PP, CV, PV, PMV, PL
    > >> Type...........: EV6 (21264), Pass 2.3
    > >> Speed..........: 500 Mhz
    > >> Variation......: VAX FP, IEEE FP, Primary Eligible
    > >> Serial Number..:
    > >> Revision.......:
    > >> Halt Request...: 0
    > >> Software Comp..: 0.0
    > >> PALCODE - Revision Code..: 1.98-01
    > >> Compatibility..: 79
    > >> Max Shared CPUs: 2
    > >> Memory Space..: Physical = 00000000.00000000 Length = 0
    > >> Scratch Space..: Physical = 00000000.00000000 Length = 0
    > >> Bindings: * None *
    > >> Fastpath:
    > >> PKC0
    > >> BG0
    > >> Features:
    > >> Autostart - Enabled.
    > >> Fastpath - Selection enabled as Preferred CPU.

    >
    > >> $ typ test.com
    > >> $ write sys$output 79 * 6 + 37
    > >> $ write sys$output f$fao("!79*A")
    > >> $ write sys$output f$fao("!79*B")
    > >> $ write sys$output f$fao("!79*C")
    > >> $ write sys$output f$fao("!79*D")
    > >> $ write sys$output f$fao("!79*E")
    > >> $ write sys$output f$fao("!79*F")
    > >> $ write sys$output f$fao("!37*G")
    > >> $ @test.com
    > >> 511
    > >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > >> BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > >> CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    > >> DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    > >> EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > >> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    > >> GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG

    >
    > > I then cut and paste the 511 characters (line-by-line) into the CLI and
    > > used the cursor keys to no result.

    >
    > >> Tim.

    >
    > > --
    > > "And I am not frightened of dying, any time will do, I
    > > don't mind. Why should I be frightened of dying?
    > > There's no reason for it, you've gotta go sometime."
    > > "If you can hear this whispering you are dying."
    > > "I never said I was frightened of dying."
    > > [Wright; The Dark Side of the Moon]

    >
    > I'm running that version on the Alpha out in the lab. I used a
    > privileged acct. and I am using a 132 column terminal width. (never mind
    > the system time, I just did this now.)
    >
    > $ show sys
    > OpenVMS V7.3-2 on node WIZ 16-DEC-2005 11:52:17.01 Uptime 29 02:28:59
    >
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > BBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDD
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > EFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGGG
    >
    > up three times, and down three times, nothing.. but this shows now:
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > BBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDD
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > $
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    >
    > Nothing more.. so finally I ran the up arrow till all the commands were
    > gone, and held it a bit, then down arrow till the same, holding it a bit
    > as well, and did this a few times and got this:
    >
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > BBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDD
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > $
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > $
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    > DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > $
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    > $ ...
    >
    > read more »


    You have all the information that you need to reproduce this
    vulnerability on a vulnerable system.
    If you watch the video you can see that the bug is triggered from the
    prompt of the vulnerable program (like for example INSTALL>).

  8. Re: DEFCON 16 and Hacking OpenVMS

    On Aug 15, 1:11 pm, VAXman- @SendSpamHere.ORG wrote:
    > In article <6e77d46c-8fd3-4b11-be3b-64f53ae45...@y38g2000hsy.googlegroups.com>, b...@signedness.org writes:>{...snip...}
    > >LOL
    > >The bug is not in DCL, and if you care to watch the videos you will
    > >see that an arbitrary program can be run with higher privileges.
    > >As an example we wrote FILE.EXE (since we can not get any output to
    >                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    > >the terminal from 'show proc/priv' when exploiting) which simply
    >  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >
    > Why not?
    >
    >
    > >writes the privileges of the current process to PRIVS.TXT.
    > >We first execute FILE.EXE from the shell to show that the user has the
    > >default privileges.
    > >FILE.EXE is then executed with higher privileges from the program that
    > >we are exploiting (install, tcpip and telnet, but there are others as
    > >well).

    >
    > >Oh, and you need the vmware codecs installed to watch the videos.

    >
    > Why not .MPG which doesn't require the download of some questionable
    > software from some site on the internet?

    Because this is recorded from vmware, and the resulting file is
    an .avi file.
    You can recode it yourself if you feel that it is a problem.
    Unfortunately the codec for vmware vary in quality.
    If you run the movie on a Linux box with vmware installed it should
    display just fine.

  9. Re: DEFCON 16 and Hacking OpenVMS

    In article <9b6cde05-affa-4ebe-a55f-1237d2de2008@a1g2000hsb.googlegroups.com>, sampsal@gmail.com writes:
    >Verified (finally got my VMS box up):
    >
    >$ show sys/noproc
    >OpenVMS V8.3  on node CHIMPY   15-AUG-2008 09:27:20.73   Uptime  0 23:14:17
    >$ type .plan
    >%n
    >$ show sys/noproc
    >OpenVMS V8.3  on node CHIMPY   15-AUG-2008 09:27:25.34   Uptime  0 23:14:21
    >$ finger sampsa
    >Login name: SAMPSA                      In real life: SAMPSA LAINE
    >Account: SAMPSA                         Directory: SYS$SYSDEVICE:[SAMPSA]
    >Last login: Fri 15-AUG-2008 09:26:39
    >No unread mail
    >%SYSTEM-F-ACCVIO, access violation, reason mask=04, virtual address=0000000000000000, PC=FFFFFFFF80BA3BA4, PS=0000001B
    >
    > Improperly handled condition, image exit forced.
    > Signal arguments:   Number = 0000000000000005
    >                     Name   = 000000000000000C
    >                              0000000000000004
    >                              0000000000000000
    >                              FFFFFFFF80BA3BA4
    >                              000000000000001B
    >
    > Register dump:
    > R0  = 0000000000000000  R1  = 0000000000000049  R2  = 000000007BEEDCD0
    > R3  = 000000007AE26940  R4  = 0000000000000000  R5  = 0000000000000000
    > R6  = 000000007AE26928  R7  = FFFFFFFFFFFFFFFF  R8  = 000000007BF628E8
    > R9  = 0000000000050011  R10 = 00000000000202D0  R11 = 0000000000000000
    > R12 = 0000000000116C88  R13 = 0000000000000000  R14 = 0000000000000053
    > R15 = 0000000000116BC8  R16 = 0000000000050011  R17 = 000000007AE26DB0
    > R18 = 000000007AE26DB0  R19 = 000000007AE26930  R20 = 0000000000000008
    > R21 = 0000000000000000  R22 = 0000000000000000  R23 = 0000000000000000
    > R24 = 0000000000000000  R25 = FFFFFFFFFFFFEC96  R26 = 0000000000000001
    > R27 = FFFFFFFF80BA36D0  R28 = FFFFFFFF80BA3B30  R29 = 000000007AE26880
    > SP  = 000000007AE26880  PC  = FFFFFFFF80BA3BA4  PS  = 000000000000001B
    >


    The same happens on Alpha VMS 7.3-1 with
    Compaq TCP/IP Services for OpenVMS Alpha Version V5.3 - ECO 2

    and it happens with %n in a .project file as well as a .plan file.

    Whilst I was at it I thought I'd check what happened with % in front of other
    characters.

    so I set up a .plan file with

    %a
    %b
    %c
    %d
    %e
    %f
    %g
    %h
    %i
    %j
    %k
    %l
    %m
    %o
    %p
    %q
    %r
    %s
    %t
    %u
    %w
    %x
    %y
    %z
    %0
    %1
    %2
    %3
    %4
    %5
    %6
    %7
    %8
    %9
    %

    (note missing %n for obvious reasons)

    The results were interesting

    Alpha2:finger XXXXXX1
    Username    Program        Login      Term/Location
    XXXXXX1     TCPIP$FINGER   Fri 11:39  ALPHA2::YYYYYY

    Login name: XXXXXX1                     In real life:
    Account:                                Directory: USERZ:[XXXXXX]
    Last login: Fri 15-AUG-2008 11:39:56
    Unread mail: 494
    Plan:
    a
    b

    0
    -6.179570e+307
    0.000000
    0

    65536
    j
    k

    m
    626550
    106D0
    q
    r
    ..project
    t
    2080207092
    v
    w
    20500
    y
    z












    Alpha2:


    I'm not really familiar with finger .project and .plan files but is
    % supposed to do this sort of thing ? I thought the .plan and .project files
    were just supposed to be a pure text file which was displayed.


    David Webb
    Security team leader
    CCSS
    Middlesex University

  10. Re: DEFCON 16 and Hacking OpenVMS

    On Aug 15, 1:11 pm, VAXman- @SendSpamHere.ORG wrote:
    > In article <6e77d46c-8fd3-4b11-be3b-64f53ae45...@y38g2000hsy.googlegroups.com>, b...@signedness.org writes:>{...snip...}
    > >LOL
    > >The bug is not in DCL, and if you care to watch the videos you will
    > >see that an arbitrary program can be run with higher privileges.
    > >As an example we wrote FILE.EXE (since we can not get any output to
    >                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    > >the terminal from 'show proc/priv' when exploiting) which simply
    >  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >
    > Why not?
    >
    >
    > >writes the privileges of the current process to PRIVS.TXT.
    > >We first execute FILE.EXE from the shell to show that the user has the
    > >default privileges.
    > >FILE.EXE is then executed with higher privileges from the program that
    > >we are exploiting (install, tcpip and telnet, but there are others as
    > >well).

    >
    > >Oh, and you need the vmware codecs installed to watch the videos.

    >
    > Why not .MPG which doesn't require the download of some questionable
    > software from some site on the internet?


    As we have mentioned earlier we have no output stream to write the
    output of 'show proc/priv' to when executing the shellcode.
    That is the reason for using the FILE.EXE program.

  11. Re: DEFCON 16 and Hacking OpenVMS

    david20@alpha1.mdx.ac.uk wrote:

    > [...snip...]
    >
    > The same happens on Alpha VMS 7.3-1 with
    > Compaq TCP/IP Services for OpenVMS Alpha Version V5.3 - ECO 2
    >
    > and it happens with %n in a .project file as well as a .plan file.
    >
    > Whilst I was at it I thought I'd check what happened with % in front of other
    > characters.
    >
    > so I set up a .plan file with
    >
    > %a
    > [...snip...]


    As far as I can see, this is probably very sloppy programming in
    TCP/IP's Finger client. It looks like the "%" is being
    interpreted by the C RTL, which is probably expecting some other
    argument(s) to format according to the "%".

    Looking at the PC from the access violation:

    Wizard» anal/sys

    OpenVMS system analyzer

    SDA> map FFFFFFFF80BA3BA4
    Image Resident Section Base End Image Offset
    DECC$SHR_EV56 80A94000 80C909FF 0010FBA4
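
    Added example, not part of the thread and not HP's finger client source.
    It ties together David Webb's per-directive test above (each "%x" in the
    .plan producing a value the client never intended to print) and the
    diagnosis in the post above (the faulting PC maps into DECC$SHR, i.e. the
    .plan text reaches the C RTL as a printf format). The block shows a minimal
    stand-in for the display routine in the inferred vulnerable form and in
    the fixed form, plus an audit helper that counts the conversions a .plan
    line would trigger. Function names, the struct, and the sample .plan lines
    are this example's own assumptions; the seven "%n" come from the thread.

```c
#include <stdio.h>
#include <string.h>

/*
 * Inferred vulnerable form (example, not the real client): the user-controlled
 * .plan line is handed to the C RTL as the *format*. With "%n" and no matching
 * argument, printf takes whatever sits in the next argument slot, treats it as
 * an int pointer and stores the character count through it. On the poster's
 * Alpha that slot held 0, hence ACCVIO, reason mask 04 (write access), at
 * virtual address 0. Shown for contrast only; never call it on untrusted text.
 */
static void show_plan_line_vulnerable(const char *line)
{
    printf(line);                     /* the .plan text is the format */
}

/* Fixed form: the format is a constant, the .plan text is an argument. */
static int render_plan_line(char *out, size_t outsz, const char *line)
{
    return snprintf(out, outsz, "%s", line);
}

/* Returns 1 if the fixed renderer reproduces the line byte for byte. */
static int plan_line_survives_literally(const char *line)
{
    char buf[256];
    render_plan_line(buf, sizeof buf, line);
    return strcmp(buf, line) == 0;
}

/*
 * Audit helper: walk a .plan/.project payload the way a printf implementation
 * would and count the conversions it would try to satisfy. 'writes' counts %n
 * (a store through an argument pointer), 'strings' counts %s (a read through
 * one; a slot holding a pointer to some string the client was using is how
 * "%s" could print "..project" in the test above).
 */
struct fmt_audit {
    int conversions;
    int writes;
    int strings;
};

static struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = {0, 0, 0};
    const char *p = s;

    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {              /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        /* flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (!*p)                      /* lone '%' at end of text */
            break;
        a.conversions++;
        if (*p == 'n')
            a.writes++;
        else if (*p == 's')
            a.strings++;
        p++;
    }
    return a;
}

int main(void)
{
    /* Constructed sample .plan lines; the middle one is the thread's seven %n. */
    const char *plan[] = {
        "Out of office until Monday.",
        "%n%n%n%n%n%n%n",
        "100%% sure this is fine.",
    };
    for (size_t i = 0; i < sizeof plan / sizeof plan[0]; i++) {
        struct fmt_audit a = audit_format(plan[i]);
        char out[256];
        render_plan_line(out, sizeof out, plan[i]);
        printf("%-28s conversions=%d writes=%d strings=%d\n",
               out, a.conversions, a.writes, a.strings);
    }
    /* Safe only because this literal contains no '%' at all. */
    show_plan_line_vulnerable("A line with no directives is harmless either way.\n");
    return 0;
}
```

    The fix is the one-line change from `printf(line)` to `printf("%s", line)`
    (or `fputs`); the audit helper is what you would run over every .plan and
    .project on a host that still carries an unpatched client, since any user
    who can write their own .plan can reach the bug in whoever fingers them.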

  12. Re: DEFCON 16 and Hacking OpenVMS

    In article , bugs@signedness.org writes:
    >On Aug 15, 3:03 am, patrick jankowiak wrote:
    >> Forgive me, but all this "enter exactly 511 characters and press the up
    >> arrow three times" business reminds me of the old Dick Van Dyke episode
    >> schtick that started with a telephone call and ended with "..then swing
    >> the bag over your head and scream like a chicken"
    >>
    >> Vaxman -please e-mail me your shipment receiving address.. I am a couple
    >> years remiss in sending you something.
    >>
    >> Patrick J

    >
    >We are not going to release the exploits for some time.. Seven "%n"
    >should be more than enough to hit something you cant write to and
    >crash the finger client (provided that HP has not patched it, we have
    >not heard from them in weeks even though we asked for updates)


    I don't run finger but I enabled it to see what you are on about.
    I get nothing but a stream of %n%n%n%n%n%n back.


    >System service numbers seems to move around between releases (like
    >windows system calls), since all our payloads assumes 8.3 (alpha) and
    >7.3 (vax) it would probably just mean that we get another bunch of
    >replies saying "it only crashes the binary and won't get "SYSTEM"".
    >Another thing is that at least the VAX shellcode was written purely
    >for demo purposes and got my username hardcoded into it (uses a system
    >service to enable all privs on my account)
    >
    >If anybody is in or around London I'd be happy to settle whether or
    >not we are bull****ting with a live demo at a dc4420 meeting or
    >similar event..
    >
    >The alpha exploits uses the sys$creprc system service to execute the
    >file FILE.EXE that happens to show the privs of the process. The
    >reason we took that route instead of spawning a new "shell" with
    >higher privs is that it was easier to test/debug.


    Why SYS$CREPRC to get privs? Why not SYS$GETJPI?



    >btw for those of you who doubt us, check this out
    >http://www.securityfocus.com/archive/1/495207 either we set a new
    >trend making it fashionable to bull**** about OpenVMS bugs or maybe it


    Multinet!


  13. Re: DEFCON 16 and Hacking OpenVMS

    On Aug 15, 1:42 pm, VAXman- @SendSpamHere.ORG wrote:
    > In article , b...@signedness.org writes:
    >
    > >On Aug 15, 3:03 am, patrick jankowiak wrote:
    > >> Forgive me, but all this "enter exactly 511 characters and press the up
    > >> arrow three times" business reminds me of the old Dick Van Dyke episode
    > >> schtick that started with a telephone call and ended with "..then swing
    > >> the bag over your head and scream like a chicken"

    >
    > >> Vaxman -please e-mail me your shipment receiving address.. I am a couple
    > >> years remiss in sending you something.

    >
    > >> Patrick J

    >
    > >We are not going to release the exploits for some time.. Seven "%n"
    > >should be more than enough to hit something you cant write to and
    > >crash the finger client (provided that HP has not patched it, we have
    > >not heard from them in weeks even though we asked for updates)

    >
    > I don't run finger but I enabled it to see what you are on about.
    > I get nothing but a stream of %n%n%n%n%n%n back.
    >
    >
    >
    > >System service numbers seems to move around between releases (like
    > >windows system calls), since all our payloads assumes 8.3 (alpha) and
    > >7.3 (vax) it would probably just mean that we get another bunch of
    > >replies saying "it only crashes the binary and won't get "SYSTEM"".
    > >Another thing is that at least the VAX shellcode was written purely
    > >for demo purposes and got my username hardcoded into it (uses a system
    > >service to enable all privs on my account)

    >
    > >If anybody is in or around London I'd be happy to settle whether or
    > >not we are bull****ting with a live demo at a dc4420 meeting or
    > >similar event..

    >
    > >The alpha exploits uses the sys$creprc system service to execute the
    > >file FILE.EXE that happens to show the privs of the process. The
    > >reason we took that route instead of spawning a new "shell" with
    > >higher privs is that it was easier to test/debug.

    >
    > Why SYS$CREPRC to get privs? Why not SYS$GETJPI?
    >
    > >btw for those of you who doubt us, check this out
    > >http://www.securityfocus.com/archive/1/495207 either we set a new
    > >trend making it fashionable to bull**** about OpenVMS bugs or maybe it

    >
    > Multinet!
    >
    > --
    > VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
    >
    > ... pejorative statements of opinion are entitled to constitutional protection
    > no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)
    >
    > Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    > of usenet _must_ include its contents in its entirety including this copyright
    > notice, disclaimer and quotations.


    > Why SYS$CREPRC to get privs? Why not SYS$GETJPI?

    SYS$CREPRC is used in the shellcode to allow for arbitrary programs to
    be run with inherited privileges. SYS$GETJPI is used by the FILE.EXE
    program to _get_ privileges and print them to a file.
    That should be obvious to any OpenVMS user.

  14. Re: DEFCON 16 and Hacking OpenVMS

    In article <48a56b86$0$90265$14726298@news.sunsite.dk>, "R.A.Omond" writes:
    > david20@alpha1.mdx.ac.uk wrote:
    >
    >> [...snip...]
    >>
    >> The same happens on Alpha VMS 7.3-1 with
    >> Compaq TCP/IP Services for OpenVMS Alpha Version V5.3 - ECO 2
    >>
    >> and it happens with %n in a .project file as well as a .plan file.
    >>
    >> Whilst I was at it I thought I'd check what happened with % in front of other
    >> characters.
    >>
    >> so I set up a .plan file with
    >>
    >> %a
    >> [...snip...]

    >
    > As far as I can see, this is probably very sloppy programming in
    > TCP/IP's Finger client. It looks like the "%" is being
    > interpreted by the C RTL, which is probably expecting some other
    > argument(s) to format according to the "%".
    >


    I suspect that anyone who's written some C code knows what TCP/IP
    Engineering have almost certainly done while writing the finger
    client code.

    I also suspect that, like me, many programmers here with C experience
    also regard this as a first year undergraduate type programming mistake
    and that code review procedures should have stopped this type of mistake
    from _ever_ appearing within production code for an enterprise quality
    operating system.

    I wonder how many other mistakes like this are just waiting to be found
    within the UCX code base ?

    Simon.

    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Microsoft: Bringing you 1980's technology to a 21st century world
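    An added example, not code from this thread and not HP's TCP/IP Services
    source (which nobody in the thread has seen): a small C program modelling
    the mistake R.A.Omond and Simon describe, the remote user's .plan text
    handed to a printf-family routine as the format argument instead of as
    data. show_plan_vulnerable() is a hypothetical reconstruction of that
    pattern and is deliberately never called; show_plan_fixed() is the
    one-line fix. audit_format() walks a string the way the C RTL parses a
    format, which shows why the "seven %n" .plan mentioned earlier consumes
    seven arguments and performs seven writes through whatever happens to be
    on the stack. All function names and the .plan contents are constructed
    for the example.

```c
/* Added example, not from the thread and not HP's TCP/IP Services source.
 * It models the bug the posters suspect in the finger client: the remote
 * user's .plan text is handed to a printf-family routine as the FORMAT
 * argument instead of as data.  All .plan contents here are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical reconstruction of the suspected pattern.  Never called in
 * this program: printf() with a caller-controlled format is undefined
 * behaviour, and each "%n" writes an int through whatever pointer-sized
 * value is next on the stack (the kind of ACCVIO seen in the thread).
 * The call goes through a function pointer only so that builds with
 * -Werror=format-security still compile. */
static void show_plan_vulnerable(const char *plan)
{
    int (*print)(const char *, ...) = printf;
    print(plan);               /* BUG: user data used as the format string */
}

/* The fix: the text is passed as data, so '%' has no meaning. */
static void show_plan_fixed(const char *plan)
{
    fputs(plan, stdout);       /* equivalently: printf("%s", plan) */
}

struct fmt_audit {
    int args_consumed;         /* arguments the RTL would pull off the va_list */
    int n_writes;              /* "%n" directives, i.e. memory writes */
    int star_args;             /* '*' width/precision, also argument reads */
};

/* Walks the string the way a printf-family routine does:
 *   %[flags][width][.precision][length]conversion
 * and counts what it would consume.  Unknown conversion letters count no
 * argument (the RTL's behaviour on them is undefined anyway). */
static struct fmt_audit audit_format(const char *fmt)
{
    struct fmt_audit a = {0, 0, 0};
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                 /* literal "%%" */
        while (*p && strchr("-+ #0", *p)) p++;            /* flags */
        if (*p == '*') { a.star_args++; a.args_consumed++; p++; }
        else while (isdigit((unsigned char)*p)) p++;      /* width */
        if (*p == '.') {                                  /* precision */
            p++;
            if (*p == '*') { a.star_args++; a.args_consumed++; p++; }
            else while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;          /* length modifiers */
        if (*p == '\0') break;                            /* truncated directive */
        if (strchr("diouxXeEfFgGaAcspn", *p)) {
            a.args_consumed++;
            if (*p == 'n') a.n_writes++;
        }
        p++;
    }
    return a;
}

int main(void)
{
    /* Constructed .plan contents modelled on the tests in the thread. */
    static const char *plans[] = {
        "%n",
        "%n%n%n%n%n%n%n",
        "plan: %s %x %n",
        "100%% harmless",
    };
    (void)show_plan_vulnerable;    /* referenced only so the compiler is quiet */

    for (size_t i = 0; i < sizeof plans / sizeof plans[0]; i++) {
        struct fmt_audit a = audit_format(plans[i]);
        printf("%-18s args=%d  %%n writes=%d  '*' args=%d  -> ",
               plans[i], a.args_consumed, a.n_writes, a.star_args);
        show_plan_fixed(plans[i]);   /* safe: prints the text verbatim */
        putchar('\n');
    }
    return 0;
}
```

    The audit is what a reviewer would run over any string that reaches a
    printf-family call from the network: a non-zero args_consumed on data
    the program never meant as a format is the finding, and a non-zero
    n_writes is the difference between a crash and a write primitive.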

  15. Re: DEFCON 16 and Hacking OpenVMS

    In article <3eTvgpv1kpLI@eisner.encompasserve.org>, clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) writes:
    >In article <48a56b86$0$90265$14726298@news.sunsite.dk>, "R.A.Omond" writes:
    >> david20@alpha1.mdx.ac.uk wrote:
    >>
    >>> [...snip...]
    >>>
    >>> The same happens on Alpha VMS 7.3-1 with
    >>> Compaq TCP/IP Services for OpenVMS Alpha Version V5.3 - ECO 2
    >>>
    >>> and it happens with %n in a .project file as well as a .plan file.
    >>>
    >>> Whilst I was at it I thought I'd check what happened with % in front of other
    >>> characters.
    >>>
    >>> so I set up a .plan file with
    >>>
    >>> %a
    >>> [...snip...]

    >>
    >> As far as I can see, this is probably very sloppy programming in
    >> TCP/IP's Finger client. It looks like the "%" is being
    >> interpreted by the C RTL, which is probably expecting some other
    >> argument(s) to format according to the "%".
    >>

    >
    >I suspect that anyone who's written some C code knows what TCP/IP
    >Engineering have almost certainly done while writing the finger
    >client code.
    >
    >I also suspect that, like me, many programmers here with C experience
    >also regard this as a first year undergraduate type programming mistake
    >and that code review procedures should have stopped this type of mistake
    >from _ever_ appearing within production code for an enterprise quality
    >operating system.
    >
    >I wonder how many other mistakes like this are just waiting to be found
    >within the UCX code base ?
    >

    Considering that UCX was rewritten at version 5.0 to be based upon the same
    code as the TCPIP stack for Tru64, I wondered whether that would have the same
    problem.
    A quick test on a Tru64 V5.1B box showed that it doesn't have this problem.

    David Webb
    Security team leader
    CCSS
    Middlesex University


    >Simon.
    >
    >--
    >Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    >Microsoft: Bringing you 1980's technology to a 21st century world


  16. Re: DEFCON 16 and Hacking OpenVMS

    In article , bugs@signedness.org writes:
    >On Aug 15, 1:11 pm, VAXman- @SendSpamHere.ORG wrote:
    >> In article <6e77d46c-8fd3-4b11-be3b-64f53ae45...@y38g2000hsy.googlegroups.com>, b...@signedness.org writes:
    >> {...snip...}
    >> >LOL
    >> >The bug is not in DCL, and if you care to watch the videos you will
    >> >see that an arbitrary program can be run with higher privileges.
    >> >As an example we wrote FILE.EXE (since we can not get any output to
    >>                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >> >the terminal from 'show proc/priv' when exploiting) which simply
    >>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >>
    >> Why not?
    >>
    >> >writes the privileges of the current process to PRIVS.TXT.
    >> >We first execute FILE.EXE from the shell to show that the user has the
    >> >default privileges.
    >> >FILE.EXE is then executed with higher privileges from the program that
    >> >we are exploiting (install, tcpip and telnet, but there are others as
    >> >well).

    >>
    >> >Oh, and you need the vmware codecs installed to watch the videos.

    >>
    >> Why not .MPG which doesn't require the download of some questionable
    >> software from some site on the internet?
    >>
    >> --
    >> VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
    >>
    >> ... pejorative statements of opinion are entitled to constitutional protection
    >> no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)
    >>
    >> Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    >> of usenet _must_ include its contents in its entirety including this copyright
    >> notice, disclaimer and quotations.

    >
    >As we have mentioned earlier we have no output stream to write the
    >output of 'show proc/priv' to when executing the shellcode.
    >That is the reason for using the FILE.EXE program.



    OK. Perhaps I don't understand your "shell code" comment. You report
    that you are executing DCL (shell) commands. I have no problem getting
    output from SHOW PROCESS/PRIVILEGE from a DCL 'shell'.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  17. Re: DEFCON 16 and Hacking OpenVMS

    In article <50f78810-9630-4a1d-aad4-91f071bab9ad@d45g2000hsc.googlegroups.com>, bugs@signedness.org writes:
    {...snip...}
    >SYS$CREPRC is used in the shellcode to allow for arbitrary programs to
    >be run with inherited privileges. SYS$GETJPI is used by the FILE.EXE
    >program to _get_ privileges and print them to a file.
    >That should be obvious to any OpenVMS user.


    OK. I'm most confused. How do you invoke SYS$CREPRC from DCL?

    Also, I just scanned all of DCL and the only SYS$CREPRC in it is in
    the SPAWN command. Are you spawning the FILE.EXE program? You've
    been incessantly terse explaining this.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  18. Re: DEFCON 16 and Hacking OpenVMS

    On Aug 15, 2:10 pm, VAXman- @SendSpamHere.ORG wrote:
    > OK.  I'm most confused.  How do you invoke SYS$CREPRC from DCL?
    >
    > Also, I just scanned all of DCL and the only SYS$CREPRC in it is in
    > the SPAWN command.  Are you spawning the FILE.EXE program?  You've
    > been incessantly terse explaining this.


    I think you might be confused (not saying you are) by the term
    "shellcode".

    It means the machine code payload of the exploit, typically used to
    launch a shell, not some kind of DCL script, therefore the SYS$CREPRC
    call is made from machine code, not DCL.

    Sampsa


  19. Re: DEFCON 16 and Hacking OpenVMS

    In article , sampsal@gmail.com writes:
    >On Aug 15, 2:10 pm, VAXman- @SendSpamHere.ORG wrote:
    >> OK.  I'm most confused.  How do you invoke SYS$CREPRC from DCL?
    >>
    >> Also, I just scanned all of DCL and the only SYS$CREPRC in it is in
    >> the SPAWN command.  Are you spawning the FILE.EXE program?  You've
    >> been incessantly terse explaining this.

    >
    >I think you might be confused (not saying you are) by the term
    >"shellcode".
    >
    >It means the machine code payload of the exploit, typically used to
    >launch a shell, not some kind of DCL script, therefore the SYS$CREPRC
    >call is made from machine code, not DCL.


    And where does this come into play in the 511 characters and 3 up arrows?


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  20. Re: DEFCON 16 and Hacking OpenVMS

    On Aug 15, 2:40 pm, VAXman- @SendSpamHere.ORG wrote:
    > In article , samp...@gmail.com writes:
    > >It means the machine code payload of the exploit, typically used to
    > >launch a shell,
    > >not some kind of DCL script, therefore the SYS$CREPRC call is made
    > >from
    > >machine code, not DCL.

    >
    > And where does this come into play in the 511 characters and 3 up arrows?


    I think what they do (more or less) is to inject some shellcode into a
    logical before running the exploit, then insert some other code after
    the overflow that executes the code in the logical. Signedness guys,
    care to comment? I didn't see the demo, I just have the notes second
    hand.

    Sampsa

