Re: DEFCON 16 and Hacking OpenVMS



On Aug 15, 9:49 pm, JF Mezei <jfmezei.spam...@xxxxxxxxxxxxx> wrote:
> samp...@xxxxxxxxx wrote:
> > 3. It is possible to execute shellcode stored in logicals, however.
> > 4. Therefore the code injected after the overflow executes some other
> > code stored in a logical.
>
> Since there is no such thing as "shellcode" in VMS, it would greatly
> help if you use terminology native to VMS so we could understand it.
>
> For an application to execute the content of a logical name, it would
> need to first extract those contents into memory, and then declare that
> area of memory to be executable and then branch to it. This doesn't
> happen by mistake/luck.

There sure is shellcode for OpenVMS, we wrote it. :)
And there is no need to extract the contents of a logical into memory,
since it is already part of the memory in a process.

You can check out Wikipedia for information about the shellcode that
we refer to:
http://en.wikipedia.org/wiki/Shellcode

And here is an entry about exploits as well:
http://en.wikipedia.org/wiki/Exploit_%28computer_security%29

And one on format string vulnerabilities:
http://en.wikipedia.org/wiki/Format_string_attack

Oh, and just for the record, you don't find an exploit, you find a
vulnerability and write an exploit for it. :)

As stated earlier, we will not release the exploit to the public yet.
We have informed HP about the problems (we did this about two months
ago, together with information about how to reproduce the bugs),
so there will hopefully be a patch for it in the near future.

And no, FILE.EXE does not require any privileges, it is just a simple
tool to write the current privileges of the process to a file.

Please don't tell us to "*** off", it makes some of us believe that it
is a good idea to post sensitive information to fd.

And there still is enough information in the previous posts to
reproduce the bugs on a vulnerable machine.
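The thread links to the Wikipedia article on format string attacks without showing what that class of bug looks like. The following is an added example, not code from any poster in the thread and not VMS-specific (it builds with any standard C compiler): it places the vulnerable call, where untrusted text is used as the format itself, beside the hardened call, and adds a small check that counts the directives a printf-family function would act on. The sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread): the format-string vulnerability class
 * linked above, shown as a vulnerable call beside its hardened form, plus a
 * check a code reviewer or input filter can apply. All inputs are constructed. */

/* Count the conversion directives printf-family functions would act on.
 * "%%" is a literal percent sign and is not counted. Any count above zero
 * for data that came from outside the program (command line, environment,
 * a logical name translation, a network message) means that passing the
 * string as a format would make printf read arguments that were never
 * supplied, or with "%n" write to memory. */
int count_format_directives(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s == '%') {
            if (s[1] == '%') {        /* escaped percent: skip both */
                s += 2;
                continue;
            }
            n++;
        }
        s++;
    }
    return n;
}

/* Vulnerable pattern: the untrusted string *is* the format. Kept only as the
 * "before" form; it is never called with directive-bearing input below,
 * because doing so is undefined behaviour. Compilers flag this with
 * -Wformat-security, which is the cheapest detection available. */
int format_message_vulnerable(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, untrusted);
}

/* Hardened pattern: fixed format string, untrusted data passed as data. */
int format_message_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Returns 1 when the safe form reproduced the untrusted bytes verbatim,
 * i.e. directives in the input had no effect on the output. */
int safe_form_preserves_input(const char *untrusted)
{
    char out[128];
    format_message_safe(out, sizeof out, untrusted);
    return strcmp(out, untrusted) == 0;
}

int main(void)
{
    const char *benign  = "backup finished, 100%% of files copied"; /* constructed */
    const char *hostile = "status: %x %x %x %n";                     /* constructed */

    printf("directives in benign input:  %d\n", count_format_directives(benign));
    printf("directives in hostile input: %d\n", count_format_directives(hostile));
    printf("safe form keeps hostile input verbatim: %s\n",
           safe_form_preserves_input(hostile) ? "yes" : "no");
    return 0;
}
```

The directive counter is deliberately simple (it does not parse flags, widths or length modifiers); its purpose is to show that any unescaped "%" in data that reaches a format parameter is the signal to look for, whether in a code review, a compiler warning, or an input filter in front of a logging routine.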