Re: How to bypass Visual C++ security cookies

 
 
1 2
Guest
Posts: n/a
 
      09-18-2012
On Sep 17, 11:05 pm, Ian Collins <(E-Mail Removed)> wrote:
> On 09/18/12 02:23 PM, (E-Mail Removed) wrote:
>
> Please wrap lines to a sensible length.


I'll try the old Google Groups.

> > Does anybody know how to bypass Visual C++ security cookies (generated by the /GS switch) in order to exploit a buffer overrun vulnerability in a program compiled with Visual C++?

>
> Probably. Now what was your C++ question?


I know that this group doesn't deal with specific environments but
I've asked in other forums and haven't gotten answers.

Cross-posted to comp.lang.c in case someone there knows the answer.
 
 
 
 
 
James Kuyper
Guest
Posts: n/a
 
      09-18-2012
On 09/18/2012 01:36 AM, 1 2 wrote:
> On Sep 17, 11:05 pm, Ian Collins <(E-Mail Removed)> wrote:
>> On 09/18/12 02:23 PM, (E-Mail Removed) wrote:
>>
>> Please wrap lines to a sensible length.

>
> I'll try the old Google Groups.
>
>>> Does anybody know how to bypass Visual C++ security cookies (generated by the /GS switch) in order to exploit a buffer overrun vulnerability in a program compiled with Visual C++?

>>
>> Probably. Now what was your C++ question?

>
> I know that this group doesn't deal with specific environments but
> I've asked in other forums and haven't gotten answers.


It's not just the environmental specificity of your question. It's also
the content. People like yourself don't generally use these forums to
discuss such matters. I'm sure there are other forums where such issues
are discussed, but I've no idea where. If I knew of one that was being
carefully watched by the authorities or unusually heavily infested with
malware, I'd recommend it to you, but I don't - sorry!
--
James Kuyper
 
 
 
 
 
1 2
Guest
Posts: n/a
 
      09-18-2012
On Sep 18, 6:22 am, James Kuyper <(E-Mail Removed)> wrote:
> If I knew of one that was being
> carefully watched by the authorities


There's nothing illegal about exploiting vulnerabilities as long as
you don't do it to make any actual crimes.

> or unusually heavily infested with
> malware, I'd recommend it to you, but I don't - sorry!


Well that'd just make you an asshole, sorry.
 
 
Jorgen Grahn
Guest
Posts: n/a
 
      09-18-2012
On Tue, 2012-09-18, James Kuyper wrote:
> On 09/18/2012 01:36 AM, 1 2 wrote:
>> On Sep 17, 11:05 pm, Ian Collins <(E-Mail Removed)> wrote:
>>> On 09/18/12 02:23 PM, (E-Mail Removed) wrote:


>>>> Does anybody know how to bypass Visual C++ security cookies
>>>> (generated by the /GS switch) in order to exploit a buffer overrun
>>>> vulnerability in a program compiled with Visual C++?
>>>
>>> Probably. Now what was your C++ question?

>>
>> I know that this group doesn't deal with specific environments but
>> I've asked in other forums and haven't gotten answers.

>
> It's not just the environmental specificity of your question. It's also
> the content. People like yourself don't generally use these forums to
> discuss such matters.


You mean you think he's a cracker? Personally, if I was using Visual
C++ and there /were/ ways to bypass that thing, I'd like to know too,
and I'd like to know how they worked.
Legitimate users need to know about vulnerabilities.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
 
 
James Kuyper
Guest
Posts: n/a
 
      09-18-2012
On 09/18/2012 10:19 AM, Jorgen Grahn wrote:
....
> You mean you think he's a cracker? Personally, if I was using Visual
> C++ and there /were/ ways to bypass that thing, I'd like to know too,
> and I'd like to know how they worked.
> Legitimate users need to know about vulnerabilities.


His response to my message says that he considers it perfectly
acceptable to exploit such a vulnerability - that is not the attitude of
someone looking for information to help defend against such exploits.
 
 
red floyd
Guest
Posts: n/a
 
      09-18-2012
On 9/17/2012 10:36 PM, 1 2 wrote:
> On Sep 17, 11:05 pm, Ian Collins <(E-Mail Removed)> wrote:
>> On 09/18/12 02:23 PM, (E-Mail Removed) wrote:
>>
>> Please wrap lines to a sensible length.

>
> I'll try the old Google Groups.
>
>>> Does anybody know how to bypass Visual C++ security cookies (generated by the /GS switch) in order to exploit a buffer overrun vulnerability in a program compiled with Visual C++?

>>
>> Probably. Now what was your C++ question?

>
> I know that this group doesn't deal with specific environments but
> I've asked in other forums and haven't gotten answers.
>


I wanted some meat, but the butcher shop was closed, so I figured
I'd get my meat at the greengrocers.


 
 
Jorgen Grahn
Guest
Posts: n/a
 
      09-18-2012
On Tue, 2012-09-18, James Kuyper wrote:
> On 09/18/2012 10:19 AM, Jorgen Grahn wrote:
> ...
>> You mean you think he's a cracker? Personally, if I was using Visual
>> C++ and there /were/ ways to bypass that thing, I'd like to know too,
>> and I'd like to know how they worked.
>> Legitimate users need to know about vulnerabilities.

>
> His response to my message


That would be his "There's nothing illegal about exploiting
vulnerabilities as long as you don't do it to make any actual crimes".

> says that he considers it perfectly
> acceptable to exploit such a vulnerability - that is not the attitude of
> someone looking for information to help defend against such exploits.


Why not? To fix such a problem, you must be able to recreate it.
We cannot protect ourselves from attackers if we are ignorant of the
techniques they use.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
 
 
James Kuyper
Guest
Posts: n/a
 
      09-18-2012
On 09/18/2012 05:23 PM, Jorgen Grahn wrote:
> On Tue, 2012-09-18, James Kuyper wrote:
>> On 09/18/2012 10:19 AM, Jorgen Grahn wrote:
>> ...
>>> You mean you think he's a cracker? Personally, if I was using Visual
>>> C++ and there /were/ ways to bypass that thing, I'd like to know too,
>>> and I'd like to know how they worked.
>>> Legitimate users need to know about vulnerabilities.

>>
>> His response to my message

>
> That would be his "There's nothing illegal about exploiting
> vulnerabilities as long as you don't do it to make any actual crimes".
>
>> says that he considers it perfectly
>> acceptable to exploit such a vulnerability - that is not the attitude of
>> someone looking for information to help defend against such exploits.

>
> Why not? To fix such a problem, you must be able to recreate it.
> We cannot protect ourselves from attackers if we are ignorant of the
> techniques they use.


I'd have expected substantially different wording from someone with the
motives you're suggesting. I'd have expected such a person to mention
his legitimate motives, to counter suspicions that they might be
illegitimate.

To be fair, I'd expect exactly the same kind of disclaimer from any
sufficiently intelligent cracker, in order to masquerade as someone with
a legitimate motive (unless he knew that he was in a cracker forum). The
wording actually used suggests, to me, a cracker wannabe with
insufficient intelligence to recognize the desirability of acquiring
such camouflage. If you're right, then he's a good guy with insufficient
intelligence to recognize the need for such disclaimers.


 
 
1 2
Guest
Posts: n/a
 
      09-19-2012
On Sep 18, 4:48 pm, James Kuyper <(E-Mail Removed)> wrote:
> On 09/18/2012 05:23 PM, Jorgen Grahn wrote:
>
> > On Tue, 2012-09-18, James Kuyper wrote:
> >> On 09/18/2012 10:19 AM, Jorgen Grahn wrote:
> >> ...
> >>> You mean you think he's a cracker? Personally, if I was using Visual
> >>> C++ and there /were/ ways to bypass that thing, I'd like to know too,
> >>> and I'd like to know how they worked.
> >>> Legitimate users need to know about vulnerabilities.

>
> >> His response to my message

>
> > That would be his "There's nothing illegal about exploiting
> > vulnerabilities as long as you don't do it to make any actual crimes".

>
> >> says that he considers it perfectly
> >> acceptable to exploit such a vulnerability - that is not the attitude of
> >> someone looking for information to help defend against such exploits.

>
> > Why not? To fix such a problem, you must be able to recreate it.
> > We cannot protect ourselves from attackers if we are ignorant of the
> > techniques they use.

>
> I'd have expected substantially different wording from someone with the
> motives you're suggesting. I'd have expected such a person to mention
> his legitimate motives, to counter suspicions that they might be
> illegitimate.
>
> To be fair, I'd expect exactly the same kind of disclaimer from any
> sufficiently intelligent cracker, in order to masquerade as someone with
> a legitimate motive (unless he knew that he was in a cracker forum). The
> wording actually used suggests, to me, a cracker wannabe with
> insufficient intelligence to recognize the desirability of acquiring
> such camouflage. If you're right, then he's a good guy with insufficient
> intelligence to recognize the need for such disclaimers.


That would be deception, which I don't do. The fact that you don't
have any pride or self-respect doesn't mean everyone else is like you.
 
 
Jorgen Grahn
Guest
Posts: n/a
 
      09-19-2012
On Tue, 2012-09-18, James Kuyper wrote:
> On 09/18/2012 05:23 PM, Jorgen Grahn wrote:
>> On Tue, 2012-09-18, James Kuyper wrote:
>>> On 09/18/2012 10:19 AM, Jorgen Grahn wrote:
>>> ...
>>>> You mean you think he's a cracker? Personally, if I was using Visual
>>>> C++ and there /were/ ways to bypass that thing, I'd like to know too,
>>>> and I'd like to know how they worked.
>>>> Legitimate users need to know about vulnerabilities.
>>>
>>> His response to my message

>>
>> That would be his "There's nothing illegal about exploiting
>> vulnerabilities as long as you don't do it to make any actual crimes".
>>
>>> says that he considers it perfectly
>>> acceptable to exploit such a vulnerability - that is not the attitude of
>>> someone looking for information to help defend against such exploits.

>>
>> Why not? To fix such a problem, you must be able to recreate it.
>> We cannot protect ourselves from attackers if we are ignorant of the
>> techniques they use.

>
> I'd have expected substantially different wording from someone with the
> motives you're suggesting.


Yeah, well, I didn't care so much about his motives. Whatever they
are, what he would have learned from an answer, the rest of us would
have learned too. (And the *real* crackers already know, of course.)

But let's agree to disagree. There's that whole debate about how open
you should be with disclosing vulnerabilities, and it won't be settled
here.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
 