On 01/20/2014 09:32 PM, Jorge SoydelBierzo wrote:
I tested this several years ago; maybe the GET needs to be bigger
for a buffer overflow (over 1012 bytes, no matter whether you use A, U or
5 ;-D)
Where would the buffer overflow originate? Is it in one of the C
libraries, or the code for nweb? If you're saying it's in the code for
nweb I don't see where it would happen. It either reads the request
using a fixed buffer size or it doesn't parse it.
The reason I started fooling with nweb is because I actually have a
fighting chance of understanding what these 200 lines of code do. And it
could be shaved down even more to have the server do even less with the
arbitrary strings that the internet is shooting at it.
It seems like having the bare minimum moving parts is a better approach
than starting with a server that does too much and turning off the parts
I don't want. But I admit that's just a gut feeling which is why I
posted on here. :)
-Jonathan
When the buffer overflow works, you get a core dump file.
With the ESP and EIP values in the core dump, and the pattern offset tool from
Metasploit, you can calculate word alignment, EIP offset, etc.
With the ESP value, buffer size, ESP offset and generated shellcode, using
http-esploit.pl you can make a payload to send to
nweb.
Nweb is a PoC, hope nobody uses it in the wild.
On Tuesday, January 21, 2014, Andrés Leopoldo Pacheco Sanfuentes
<[email protected]> wrote:
On Mon, Jan 20, 2014 at 7:06 PM, Jonathan Wilkes
<[email protected]> wrote:
> GET
>
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> HTTP/1.0
would it work the same if one replaces the "A" with "U," for example? :D
Best Regards | Cordiales Saludos | Grato,
Andrés L. Pacheco Sanfuentes
<[email protected]>
+1 (817) 271-9619
--
Liberationtech is public & archives are searchable on Google.
Violations of list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech.
Unsubscribe, change to digest, or change password by emailing
moderator at [email protected].
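Jonathan's point above is that a server which reads a request into a fixed-size buffer and never copies tokens into smaller buffers without a length check has nowhere for an over-long GET to overflow, and Jorge's remark that the fill byte (A, U or 5) does not matter means only the length counts. The following is an added example, not nweb's source and not code from anyone in this thread: a request-line parser written in that discipline. BUFSIZE, MAXPATH, the `request` struct and the function names are assumptions chosen for this illustration; the long GET it feeds itself is constructed input in the shape of the request Jonathan quoted.

```c
/* Added example (not nweb's own code): a bounded request-line parser showing
 * the "fixed buffer, no unbounded copy" discipline discussed in the thread.
 * BUFSIZE and MAXPATH are assumed limits chosen for this illustration. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define BUFSIZE 8096   /* assumed: size of the fixed request buffer */
#define MAXPATH 1024   /* assumed: longest URL path the server accepts */

enum req_status { REQ_OK = 0, REQ_TOO_LONG, REQ_BAD_METHOD, REQ_BAD_PATH, REQ_BAD_VERSION };

struct request {
    char method[8];
    char path[MAXPATH];
    char version[16];
};

/* Copy the token [start, end) into dst, NUL-terminated, only if it fits.
 * Returns -1 instead of writing past dst when the token is too long; this is
 * the check an unbounded strcpy() or sscanf("%s") would not make. */
static int copy_token(char *dst, size_t dstsz, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= dstsz)
        return -1;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 0;
}

/* Parse the first line of a raw request of `len` bytes (not necessarily
 * NUL-terminated, exactly as read() hands it back). */
enum req_status parse_request_line(const char *buf, size_t len, struct request *req)
{
    char line[BUFSIZE + 1];
    const char *sp1, *sp2, *eol, *path_end;
    size_t n;

    memset(req, 0, sizeof *req);

    /* 1. Bound the read: keep at most BUFSIZE bytes and always terminate them,
     *    so no later string function can run off the end of `line`. */
    n = len < BUFSIZE ? len : BUFSIZE;
    memcpy(line, buf, n);
    line[n] = '\0';

    /* 2. Only the request line matters here; stop at the first CR or LF. */
    eol = strpbrk(line, "\r\n");
    if (eol == NULL)
        eol = line + strlen(line);

    /* 3. Method: one token that must be exactly "GET". */
    sp1 = memchr(line, ' ', (size_t)(eol - line));
    if (sp1 == NULL || copy_token(req->method, sizeof req->method, line, sp1) != 0
        || strcmp(req->method, "GET") != 0)
        return REQ_BAD_METHOD;

    /* 4. Path: must start with '/', and is rejected (not truncated, not
     *    overflowed) when it does not fit in req->path. */
    sp2 = memchr(sp1 + 1, ' ', (size_t)(eol - (sp1 + 1)));
    path_end = sp2 ? sp2 : eol;
    if (path_end == sp1 + 1 || sp1[1] != '/')
        return REQ_BAD_PATH;
    if (copy_token(req->path, sizeof req->path, sp1 + 1, path_end) != 0)
        return REQ_TOO_LONG;

    /* 5. Version: the only remaining token, limited to the two forms served. */
    if (sp2 == NULL || copy_token(req->version, sizeof req->version, sp2 + 1, eol) != 0)
        return REQ_BAD_VERSION;
    if (strcmp(req->version, "HTTP/1.0") != 0 && strcmp(req->version, "HTTP/1.1") != 0)
        return REQ_BAD_VERSION;
    return REQ_OK;
}

/* Parse a NUL-terminated request and return its accepted path, or NULL if it
 * was rejected. Uses a static struct, so single-threaded use only. */
const char *accepted_path(const char *s)
{
    static struct request req;
    return parse_request_line(s, strlen(s), &req) == REQ_OK ? req.path : NULL;
}

/* Constructed input: "GET /" + n copies of `fill` + " HTTP/1.0\r\n", the shape
 * of the request quoted in the thread. n is capped so the builder itself stays
 * in bounds; anything past BUFSIZE is dropped by parse_request_line anyway. */
enum req_status parse_synthetic(size_t n, char fill)
{
    static char buf[BUFSIZE + 64];
    static struct request req;
    size_t pos = 0;

    if (n > BUFSIZE + 32)
        n = BUFSIZE + 32;
    memcpy(buf + pos, "GET /", 5);          pos += 5;
    memset(buf + pos, fill, n);             pos += n;
    memcpy(buf + pos, " HTTP/1.0\r\n", 11); pos += 11;
    return parse_request_line(buf, pos, &req);
}

int main(void)
{
    static const char *const names[] = { "ok", "too long", "bad method", "bad path", "bad version" };
    printf("100 bytes  : %s\n", names[parse_synthetic(100, 'A')]);
    printf("1023 bytes : %s\n", names[parse_synthetic(1023, 'U')]);
    printf("20000 bytes: %s\n", names[parse_synthetic(20000, '5')]);
    return 0;
}
```

Whatever the fill byte, a path that does not fit MAXPATH is reported as REQ_TOO_LONG and nothing is written beyond the destination; a request longer than BUFSIZE is cut at the fixed buffer and then fails the same length check. That is the property to look for when auditing a small server: every copy out of the request buffer is bounded by the destination's size, not by the attacker's input.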