-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! I think that the isprint() check is NOT limiting the exploitation of this bug at all. You can still exploit this vulnerability by overwriting stack frames (you can read more about it here: http://www.phrack.org/show.php?p=59&a=7) and by using the shellcode as the password field which will be located on the heap. So, this would be exploitable even on no-exec stacks. There are some limitations of this technique, it does not work on latest Linux glibcs, but on FreeBSD and Solaris is doable. I've attached a first version of my exploit for this vulnerability; it was tested on a FreeBSD 4.10-RELEASE, thanks to andrewg. >this can't be exploited to execute code, as any non printable characters are >turned into '.' before the buffer is passed to fprintf(). well actually, if >there is some platform where the relevant addresses can be reached with only >printable characters it's possible, but i'm not aware of any such platform. > Andrei Catalin aka ktha ktha at hush dot com [ Need a challenge ? ] [ Visit http://www.pulltheplug.com ] -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.4 wkYEARECAAYFAkErHYEACgkQsV/nUjPdEq5v3ACghGvRGHH0swz60I0V9d6wq66j8rYA oKmE0Amk48PZ7wgEkbT851sl0fJA =N/5B -----END PGP SIGNATURE-----
Attachment:
sm00ny-courier_imap_fsx.c
Description: Binary data
-----BEGIN PGP SIGNATURE----- Version: Hush 2.4 Charset: UTF8 wkYEABECAAYFAkErHU8ACgkQsV/nUjPdEq7FawCgl1VNwSuJ/WnHg1baqOo3ExD3R7wA oIxojsPrFqayexnGsuMebtp1FDvJ =sLRy -----END PGP SIGNATURE-----