
SANS ISC: Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw - SANS Internet Storm Center


Every so often I get asked about buffer overflow research in practice, and for once there is a lengthy, worked-out example for me to point at.

Trirat Puttaraksa recently blogged, in two parts, his work on turning the Snort 2.6.1 DCE/RPC flaw into a working exploit. The first part covers the "easy bit", that is, turning the vulnerability into a denial-of-service attack; the second part covers exploiting it to actually execute code.

It is a very thorough write-up, including pretty pictures explaining how he uses the Snort source code to work out the layout of the packets he is going to send, how he arranges those packets so that they reliably trigger the fault, and, in part 2, how he injects the payload that gets executed. The final result is that he runs calc.exe from Snort.
Arrigo
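As an added illustration of the "read the parser, work out the packet layout, then make it trip over its own buffer" step, here is a toy DCE/RPC connection-oriented fragment reassembler in C. This is example code written for this page; it is not from the diary, from Trirat Puttaraksa's posts, or from Snort. The 16-byte header is the public DCE/RPC CO PDU layout (version 5, packet type, PFC flags, data representation, frag_length, auth_length, call_id); the 128-byte reassembly buffer, the two reassembly routines and all function names are assumptions made for the example and say nothing about where Snort 2.6.1's actual overflow sits or how large its buffers are.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* DCE/RPC connection-oriented (CO) PDU header: 16 bytes, public layout. */
#define DCERPC_HDR_LEN 16
#define PFC_FIRST_FRAG 0x01
#define PFC_LAST_FRAG  0x02
/* Assumed size of the toy reassembly buffer; not Snort's value. */
#define REASM_CAP      128

struct dcerpc_hdr {
    uint8_t  rpc_vers, rpc_vers_minor, ptype, pfc_flags;
    uint8_t  drep[4];          /* drep[0] & 0x10: integer fields are little-endian */
    uint16_t frag_length;      /* whole fragment, header included */
    uint16_t auth_length;
    uint32_t call_id;
};

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Parse the CO header. Rejects short buffers, unknown versions and frag_length values
 * that do not fit inside the bytes actually received. Returns 0 on success, -1 otherwise. */
int dcerpc_parse_hdr(const uint8_t *pkt, size_t len, struct dcerpc_hdr *h) {
    if (len < DCERPC_HDR_LEN) return -1;
    int le = (pkt[4] & 0x10) != 0;
    h->rpc_vers = pkt[0]; h->rpc_vers_minor = pkt[1];
    h->ptype = pkt[2];    h->pfc_flags = pkt[3];
    memcpy(h->drep, pkt + 4, 4);
    h->frag_length = rd16(pkt + 8, le);
    h->auth_length = rd16(pkt + 10, le);
    h->call_id     = rd32(pkt + 12, le);
    if (h->rpc_vers != 5) return -1;
    if (h->frag_length < DCERPC_HDR_LEN || h->frag_length > len) return -1;
    return 0;
}

/* Build a little-endian CO request (ptype 0) carrying stub_len bytes of stub data.
 * Returns the fragment length written to out, or 0 if it does not fit. */
size_t dcerpc_build_frag(uint8_t *out, size_t outcap, uint8_t flags, uint32_t call_id,
                         const uint8_t *stub, size_t stub_len) {
    size_t total = DCERPC_HDR_LEN + stub_len;
    if (total > outcap || total > 0xFFFF) return 0;
    memset(out, 0, DCERPC_HDR_LEN);
    out[0] = 5; out[2] = 0; out[3] = flags; out[4] = 0x10;
    out[8] = (uint8_t)(total & 0xFF); out[9] = (uint8_t)(total >> 8);
    for (int i = 0; i < 4; i++) out[12 + i] = (uint8_t)(call_id >> (8 * i));
    memcpy(out + DCERPC_HDR_LEN, stub, stub_len);
    return total;
}

struct reasm { uint8_t buf[REASM_CAP]; size_t used; };

/* Defect class: trusts frag_length and appends at r->used with no bound on the buffer.
 * A fragment whose stub is larger than REASM_CAP - r->used writes past buf. */
int reasm_add_unchecked(struct reasm *r, const uint8_t *pkt, size_t len) {
    struct dcerpc_hdr h;
    if (dcerpc_parse_hdr(pkt, len, &h) != 0) return -1;
    if (h.pfc_flags & PFC_FIRST_FRAG) r->used = 0;
    size_t stub_len = h.frag_length - DCERPC_HDR_LEN;
    memcpy(r->buf + r->used, pkt + DCERPC_HDR_LEN, stub_len);   /* no room check */
    r->used += stub_len;
    return (h.pfc_flags & PFC_LAST_FRAG) ? (int)r->used : 0;
}

/* Fixed version: the cumulative stub length is checked against the buffer before the copy. */
int reasm_add_checked(struct reasm *r, const uint8_t *pkt, size_t len) {
    struct dcerpc_hdr h;
    if (dcerpc_parse_hdr(pkt, len, &h) != 0) return -1;
    if (h.pfc_flags & PFC_FIRST_FRAG) r->used = 0;
    size_t stub_len = h.frag_length - DCERPC_HDR_LEN;
    if (stub_len > REASM_CAP - r->used) { r->used = 0; return -1; }  /* would overflow */
    memcpy(r->buf + r->used, pkt + DCERPC_HDR_LEN, stub_len);
    r->used += stub_len;
    return (h.pfc_flags & PFC_LAST_FRAG) ? (int)r->used : 0;
}

int main(void) {
    uint8_t first[64], last[256], stub[200];
    struct reasm r = {{0}, 0};
    memset(stub, 'A', sizeof stub);
    /* Constructed two-fragment message: 16 stub bytes, then 200 more (216 > REASM_CAP). */
    size_t n1 = dcerpc_build_frag(first, sizeof first, PFC_FIRST_FRAG, 1, stub, 16);
    size_t n2 = dcerpc_build_frag(last, sizeof last, PFC_LAST_FRAG, 1, stub, 200);
    printf("first fragment: checked=%d\n", reasm_add_checked(&r, first, n1));
    printf("second fragment: checked=%d (rejected: 16 + 200 > %d)\n",
           reasm_add_checked(&r, last, n2), REASM_CAP);
    return 0;
}
```

Feeding the same second fragment to reasm_add_unchecked overruns buf, which is undefined behaviour, so the stand-alone main only shows the checked path rejecting it. The point worth keeping from the example is that the check has to be on the cumulative length, not on each fragment in isolation: a fragment that would fit an empty buffer still overflows it once earlier fragments have used most of the space, which is exactly the kind of multi-packet setup the write-up works out from the source.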

