No, there was nothing useful on the stack. Just a few static strings and pointers to the code section of various DLLs, followed by thousands of zeros. I tried many possibilities for about 3 weeks and then I gave up. Now I want to know if it's really exploitable and how.

-FistFucker (aka FistFuXXer)

----- Original Message -----
From: "H D Moore" <[EMAIL PROTECTED]>
To: "FistFucker" <[EMAIL PROTECTED]>
Sent: Friday, December 16, 2005 4:09 PM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch

> Doh, oh well. If you send %p x 512, is there anything else in memory that
> you can control? An idea might be to send a long mail from: before using
> a rcpt to: with the format specifier. Doing something similar for a CGI
> app right now.
>
> -HD
>
> On Friday 16 December 2005 09:05, FistFucker wrote:
> > I've already tried this, but argument-skipping isn't supported by the
> > called function.
> >
> >
> > -FistFucker (aka FistFuXXer)
> >
> >
> >
> > ----- Original Message -----
> > From: "H D Moore" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Friday, December 16, 2005 3:59 PM
> > Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05:
> > Ipswitch
> >
> > > This may not be a limitation if you can use the argument-skipping
> > > syntax in msvcrt (ie. %4000$x).
> > >
> > > -HD
> > >
> > > On Friday 16 December 2005 08:32, FistFucker wrote:
> > > > I don't think it's exploitable because the user controlled string
> > > > is many thousand bytes away from the stack pointer and you can only
> > > > send 512 bytes to the SMTP daemon.
> > >
> > > [snip]
> > >
> > > > If someone was able to exploit this, I would be interested in
> > > > exploit code or an explanation to learn from him.
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
