Looking back, I have been finding and exploiting security vulnerabilities for almost a decade at this point and have always loved remote code injection exploits the most. Notice that I didn’t call them “buffer overflows,” because I think that is too specific. The rest of the industry has started calling them “remote code execution,” which is much better, but I still prefer my terminology from back when I was playing hacker-turned-academic.
I refer to these vulnerabilities as memory trespass vulnerabilities, since that is a more general term that accurately describes buffer overflow, format string injection, out-of-bounds array access, double-free, and uninitialized variable vulnerabilities: in each case the attacker can write to memory outside of the semantics of the programming language runtime. While these vulnerabilities can be exploited in a number of ways, the most popular technique is a code injection exploit, where a standalone machine code fragment, the exploit payload, is executed by the target process via an injection vector. Popular injection vectors include overwriting stack return addresses, exception handlers, and other code pointers. I consider techniques that do not inject payloads but merely reuse code that already exists in the address space (e.g. returning into system() to run a chosen command) a different way to exploit memory trespass vulnerabilities. Those are far less common anyway.
So what does this have to do with anything, and what is the “Dead Bugs Society?” This will be an until-I-get-bored-with-it blog feature where I dredge up some old exploit, publish it, and wax poetic about it. Most of these will be of the code injection variety, so I wanted to introduce my terms. To be clear, these are all old, long-ago-patched vulnerabilities. I will also only publish an exploit or detailed information for a vulnerability that has been fixed for at least a year. These are for educational purposes only, unless you have a time machine, in which case you’d better share because I’d like to go rock 1994 with my 2008 skills also.
For the debut of this series, I’m publishing the first remote zero-day code execution exploit that I wrote: a remote format string/stack overflow exploit against the AnswerBook2 web server that was enabled by default in Solaris 2.6 – 8 on TCP port 8888. I reported these vulnerabilities to Sun immediately, but they took their sweet time in fixing them and I finally published the advisory 2 years later. I tend to comment heavily, so it should be pretty self-explanatory. Enjoy the antique warez!