On Wed, 28 Nov 2001, Juliano Rizzo wrote:

> > Has anyone successfully exploited any format string vulnerability on
> > PA-RISC architecture (or any other architecture with aligned memory
> > access)???
>
> Yes and there are publicly available exploits for these architectures
> (wuftpd site exec, irix telnetd)

MIPS != PA-RISC. Irix telnetd uses the GOT overwrite approach, which cannot be used on HP-UX.

> > unaligned address I'm getting SIGBUS.
>
> Actually, you have several ways to write values to memory using format
> strings, you can use one %n, four %n, two %hn, etc. Different
> combinations of these format modifiers will let you overcome the
> limitations you proposed.

I'm exploiting syslog(), which stops interpreting the format string after printing 2048 characters. Also, four %n won't work (unaligned access).

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners