Jonkman Microblog
  1. kaniini (kaniini@mastodon.dereferenced.org)'s status on Friday, 02-Feb-2018 16:18:40 EST

    exploitation of CVE-2016-4478 is simple: generate an XMLRPC request that will produce exactly a multiple of 64 bytes of output,
    excluding the nul terminator.

    remember, this is a Pascal string used in the xmlrpc code because Trystan was smart and realized he should use Pascal strings when dealing with webshit.

    later on some fuckwit "optimized" the code by dumping the raw string instead of converting properly, and probably didn't notice because the scratch buffer saved him.

    (pascal strings are typically overallocated to ensure alignment and avoid spurious reallocs)

    once you have such a response, you will also get back the contents of the vtable.

    you can take it from there

    In conversation Friday, 02-Feb-2018 16:18:40 EST from mastodon.dereferenced.org
Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.