[Snort-users] Promiscuous interface hacks?

Paul Schmehl pauls at ...6838...
Fri May 2 07:22:43 EDT 2003


Ahhh...that makes sense.  Thanks.

--On Thursday, May 01, 2003 06:54:15 PM -0400 Matt Kettler 
<mkettler at ...4108...> wrote:

> At 05:42 PM 5/1/2003 -0500, Paul Schmehl wrote:
>> But once the bo is exploited, even if a root shell is obtained, how does
>> the attacker then "get to" that shell?  Since there's no IP associated
>> with it, I'm having trouble understanding how the attacker could then
>> proceed to exploit the box.
>
> This approach is exactly what I was discrediting when I said:
>
>          Note that a buffer overflow need not be a plain jane "exec
> bin/sh over the already established tcp session"...
>
> You've got one example of a kind of buffer-overflow exploit code in
> mind.. he can execute ANY code he wants. No, really.. ANY code. exec
> /bin/sh is just ONE possibility.
>
> Now constrain yourself to this:
>
> If you can install and execute any code you want that is under 1kb in
> size, can you gain control of the box?
>
> Of course you can.
>
> Think about it for a while.. here's a hint.. that code can always create
> a brand new socket and connect to a custom-made server on your machine...
> think of it as inverse telnet where the console is on the server side and
> the shell is on the client side of the tcp connection.



Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu



