[Snort-users] Promiscuous interface hacks?

Paul Schmehl pauls at ...6838...
Fri May 2 07:22:43 EDT 2003

Ahhh...that makes sense.  Thanks.

--On Thursday, May 01, 2003 06:54:15 PM -0400 Matt Kettler 
<mkettler at ...4108...> wrote:

> At 05:42 PM 5/1/2003 -0500, Paul Schmehl wrote:
>> But once the bo is exploited, even if a root shell is obtained, how does
>> the attacker then "get to" that shell?  Since there's no IP associated
>> with it, I'm having trouble understanding how the attacker could then
>> proceed to exploit the box.
> This approach is exactly what I was discrediting when I said:
>          Note that a buffer overflow need not be a plain jane "exec
> bin/sh over the already established tcp session"...
> You've got one example of a kind of buffer-overflow exploit code in
> mind.. he can execute ANY code he wants. No, really.. ANY code. exec
> /bin/sh is just ONE possility.
> Now constrain yourself to this:
> If you can install and execute any code you want that is under 1kb in
> size, can you gain control of the box?
> Of course you can.
> Think about it for a while.. here's a hint.. that code can always create
> a brand new socket and connect to a custom-made server on your machine...
> think of it as inverse telnet where the console is on the server side and
> the shell is on the client side of the tcp connection.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-users mailing list