SANS ISC InfoSec Forums
Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw
Every so often I get asked about buffer overflow research in practice and for once there is a lengthy, worked-out example for me to point at.

Trirat Puttaraksa recently blogged, in two parts, his work on turning the Snort 2.6.1 DCE/RPC flaw into a working exploit. The first part discusses the "easy bit", that is to say how to turn the vulnerability into a denial-of-service attack, whereas the second part discusses how to exploit it to actually execute code.

It is a very thorough write-up, including pretty pictures explaining how he uses the Snort source code to figure out the layout of the packets he is going to send, the setup of those packets to ensure that he triggers the fault and, in part 2, how to inject the payload to execute. The final result is that he runs calc.exe from Snort.

Mar 7th 2007