dll:77d70494
0006ffb0 -> USER32.dll:77d70494
0006ffe0 -> NIPRINT3.EXE:00414708
ffffffff -> kernel32.dll:7c8399f3
The graphing option comes in handy when you have complex vulnerabilities and need
to visually identify the functions involved. However, this is a straightforward buffer
overflow and eip was smashed.
Analysis of Network Traffic
Now that we have found some bugs in the target server, let's look at the packets that caused
the damage. If you look in the sulley\audits\niprint_lpr_515 folder, you will find too
many pcap files to sort through manually. Even though they are numbered, we would like
to filter out all benign requests and focus on the ones that caused crashes. Sulley provides
a neat tool to do just that called pcap_cleaner.py. We will use the script as follows:
{common host-guest path to sulley}>python utils\pcap_cleaner.py audits\niprint_lpr_515_a.crashbin audits\niprint_lpr_515
Now we are left with only pcap files containing the request that crashed the server. We
can open them in Wireshark and learn what caused the crash.
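The pruning that pcap_cleaner.py performs, as an added stand-alone example rather than Sulley's own script: collect the test-case numbers recorded in the crashbin, then keep only the pcaps whose file names match them. It assumes (not from the page) that the crashbin can be modelled as a dict from faulting address to crash records carrying a test-case number, and that Sulley names its captures "<test_number>.pcap"; the audits folder and crash data are constructed in the block.

```python
"""Added example, not Sulley's own pcap_cleaner.py: the pruning it performs,
written stand-alone.  Assumptions: the crashbin is modelled as a dict mapping
a faulting address to CrashRecord objects, pcaps are named <test_number>.pcap."""
import os, re, tempfile
from dataclasses import dataclass

PCAP_NAME = re.compile(r"^(\d+)\.pcap$")

@dataclass(frozen=True)
class CrashRecord:
    test_number: int   # Sulley test case that triggered the crash

def crashing_test_numbers(bins):
    """Set of test cases with a recorded crash; one bin (same faulting
    address) may hold crashes from several different test cases."""
    return {c.test_number for crashes in bins.values() for c in crashes}

def partition_pcaps(names, keep_numbers):
    """Split pcap names into (keep, discard).  Names outside the
    <number>.pcap convention are kept so nothing unexpected is deleted."""
    keep, discard = [], []
    for name in sorted(names):
        m = PCAP_NAME.match(name)
        target = keep if m is None or int(m.group(1)) in keep_numbers else discard
        target.append(name)
    return keep, discard

def clean_pcap_dir(path, bins, dry_run=True):
    """Delete pcaps of non-crashing test cases; with dry_run only report."""
    keep, discard = partition_pcaps(os.listdir(path), crashing_test_numbers(bins))
    if not dry_run:
        for name in discard:
            os.remove(os.path.join(path, name))
    return keep, discard

# Constructed sample data: two crash bins (placeholder addresses), three crashes.
SAMPLE_BINS = {0x00401000: [CrashRecord(1283), CrashRecord(1290)],
               0x00402000: [CrashRecord(2047)]}
SAMPLE_TESTS = (1281, 1282, 1283, 1284, 1290, 2046, 2047, 2048)

def demo_clean():
    """Build a throwaway audits folder of empty pcaps and clean it for real."""
    with tempfile.TemporaryDirectory() as audits:
        for n in SAMPLE_TESTS:
            open(os.path.join(audits, f"{n}.pcap"), "wb").close()
        return clean_pcap_dir(audits, SAMPLE_BINS, dry_run=False)

if __name__ == "__main__":
    print(demo_clean())   # (['1283.pcap', '1290.pcap', '2047.pcap'], [...5 removed])
```

Run against a real Sulley audits folder with dry_run=True first to see which captures would go before anything is deleted.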
From Figure 17-2 we can see that a request was made to "start print job," which started
with '\x01' and a queue name '\x2f\x2e\x3a\x2f' and then many As.