There are a handful of cases where a malicious server / MITM could cause the Framework to run out of memory. We aren't that concerned with it -- if you can find a way to do something useful (run code, etc.), let us know. We might look at limiting this in version 3.0, but no matter what 'max size' we place on a protocol response, it's never going to be small enough to account for the low-end system or big enough to handle truly gigantic (legit) replies. The SMB, DCERPC, and BackupExec protocols also suffer from 'arbitrary malloc and die' issues.
-HD

On Monday 23 January 2006 08:40, H D Moore wrote:
> Nice DoS bug, next time try emailing us first :-)
>
> -HD
>
> On Monday 23 January 2006 04:23, cranium pain wrote:
> > WMF Exploit vulnerable?
> >
> > [*] Starting Reverse Handler.
> > [*] Waiting for connections to http://0.0.0.0:80/
> > [*] Got connection from 0.0.0.0:443 <-> 1.1.1.1:42121
> > [*] Sending Stage (2834 bytes)
> > [*] Sleeping before sending dll.
> > [*] Uploading dll to memory (69643), Please wait...
> > [*] Upload completed
> > meterpreter> Out of memory during "large" request for 2147487744
> > bytes, total sbrk() is 17950720 bytes at
> > /home/framework/lib/Pex/Meterpreter/Packet.pm line 509
> >
> >
> > 509: $res -1 if ($res >= 0 and not defined(recv($fd, $tempBuffer,
> > $tempBufferLength, 0)));
> >
> > --
> >
> > "haxxoring haxxors for fun and fun"
> > _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
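The failure mode discussed in this thread is a client that trusts a length field sent by the peer and allocates that many bytes before receiving anything. The example below is added here and is not Framework code; it assumes a simplified 4-byte big-endian length prefix (not Meterpreter's real packet layout), an arbitrary cap of 16 MiB, and a constructed in-memory socket. It shows the mitigation HD describes as imperfect but still worthwhile: cap the declared size, then read in chunks so memory grows with bytes actually received rather than bytes promised.

```python
import struct

MAX_PACKET = 16 * 1024 * 1024   # assumed policy cap on a declared packet size
CHUNK = 64 * 1024               # read granularity; memory grows per received chunk


class OversizedPacket(ValueError):
    """Peer declared a payload larger than we are willing to buffer."""


def read_exact(sock, n):
    """Read exactly n bytes (n already bounded by the caller) or fail."""
    parts, remaining = [], n
    while remaining:
        chunk = sock.recv(min(CHUNK, remaining))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-packet")
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts)


def recv_packet(sock, max_packet=MAX_PACKET):
    """Hardened reader: validate the declared length before any large allocation."""
    (length,) = struct.unpack(">I", read_exact(sock, 4))
    if length > max_packet:
        # The thread's crash was a request for 2147487744 bytes; refuse rather than malloc.
        raise OversizedPacket(f"declared length {length} exceeds cap {max_packet}")
    return read_exact(sock, length)


class FakeSocket:
    """Constructed stand-in for a socket, replaying a captured byte stream."""
    def __init__(self, data):
        self._buf, self._pos = memoryview(data), 0

    def recv(self, n):
        out = self._buf[self._pos:self._pos + n]
        self._pos += len(out)
        return bytes(out)


def handle(raw, max_packet=MAX_PACKET):
    """Classify a raw stream as ('ok', payload), ('rejected', why) or ('truncated', why)."""
    try:
        return ("ok", recv_packet(FakeSocket(raw), max_packet))
    except OversizedPacket as exc:
        return ("rejected", str(exc))
    except ConnectionError as exc:
        return ("truncated", str(exc))


# Constructed sample streams: a legitimate packet, the thread's 2 GiB claim, a short read.
GOOD = struct.pack(">I", 5) + b"hello"
EVIL = struct.pack(">I", 2147487744) + b"x"
TRUNC = struct.pack(">I", 100) + b"short"
```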