1 |
Only if you could force a hostname resolution with arbitrary input (and a host of other requirements, see below). That's why an email server is the ideal target for this attack. ZK probably dodged this one by not dealing with emails at all. I can't think of anywhere else untrusted domains would be resolved.
|
1 |
Only if you could force a hostname resolution with arbitrary input (and a host of other requirements, see below). That's why an email server is the ideal target for this attack. ZK probably dodged this one by not dealing with emails at all. I can't think of anywhere else untrusted domains would be resolved.
|
2 |
\n
|
2 |
\n
|
3 |
EDIT:
|
3 |
EDIT:
|
4 |
\n
|
4 |
\n
|
5 |
Reading
a
bit
more
of
the
technical
details,
you
only
get
sizeof(
char*)
bytes
(
4
or
8)
.
So
all
you
can
really
do
is
(
hopefully)
clobber
a
return
address
if
you're
lucky
enough
to
have
the
buffer
on
the
stack.
The
vast
majority
of
programs
will
use
gethostbyname,
which
means
you're
looking
at
a
heap
overflow
instead.
In
this
case
you're
praying
to
blow
away
a
function
pointer
with
the
address
of
some
other
function
that
does
which
you
want
(
you'll
need
to
have
the
address
of
your
target
handy)
.
Also,
any
pre-resolution
hostname
validation
will
catch
exploit
attempts.
Add
on
to
that
the
fact
that
only
[0-9.
]
and
\0
can
be
used
in
the
payload,
and
this
attack
really
becomes
esoteric
and
impractical
outside
of
a
lab.
In
order
to
reliably
exploit
this
you'd
need
to
have
knowledge
or
control
of
so
many
factors
that
you
either
already
pwned
the
server
or
have
more
feasible
attack
vectors.
|
5 |
Reading
a
bit
more
of
the
technical
details,
you
only
get
sizeof(
char*)
bytes
(
4
or
8)
.
So
all
you
can
really
do
is
(
hopefully)
clobber
a
return
address
if
you're
lucky
enough
to
have
the
buffer
on
the
stack.
The
vast
majority
of
programs
will
use
non
re-entrant
gethostbyname,
which
means
you're
looking
at
a
heap
overflow
instead.
In
this
case
you're
praying
to
blow
away
a
function
pointer
with
the
address
of
some
other
function
that
does
which
you
want
(
you'll
need
to
have
the
address
of
your
target
handy)
.
Also,
any
pre-resolution
hostname
validation
will
catch
exploit
attempts.
Add
on
to
that
the
fact
that
only
[0-9.
]
and
\0
can
be
used
in
the
payload,
and
this
attack
really
becomes
esoteric
and
impractical
outside
of
a
lab.
In
order
to
reliably
exploit
this
you'd
need
to
have
knowledge
or
control
of
so
many
factors
that
you
either
already
pwned
the
server
or
have
more
feasible
attack
vectors.
|
6 |
\n
|
6 |
\n
|
7 |
All in all, probably nothing to see here.
|
7 |
All in all, probably nothing to see here.
|
8 |
\n
|
8 |
\n
|
9 |
EDIT Again:
|
9 |
EDIT Again:
|
10 |
nmap thinks zero-k.info is running on a windows server. not sure if that runs the other junk too.
|
10 |
nmap thinks zero-k.info is running on a windows server. not sure if that runs the other junk too.
|