The NT version is vulnerable to a boundary condition as well. If memory serves (I looked at this last April, so it may be foggy) I was able to successfully modify the EIP but found no obvious way to get back to the overflowing buffer (where my egg would be). When I left off I found some code that would jump me back a little bit before the buffer. Unfortunately, the data formed some invalid opcodes, so no luck. I'm sure someone can figure it out; I'm sick of having my clock off by 6 hours from SoftIce warp :)

At 18:37 10/15/99 -0500, you wrote:
>Hmm. I wonder if I should start numbering these things now. 8)
>
>Overview:
>
>A serious security hole has been found in the web configuration utility
>that comes with OpenLink 3.2. This hole will allow remote users to
>execute arbitrary code as the user id under which the web configurator is
>run (inherited from the request broker, oplrqb). The hole is a
>run-of-the-mill buffer overflow, due to lack of parameter checking when
>strcpy() is used.

<CUT>

Seth M. McGann / smmat_private          "Security is making it
http://www.wpi.edu/~smm                  to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7 19E3 6AF7 4AE7 E250 1C80
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:40 PDT