So, I have been studying buffer overflows in a bit more detail lately. This weekend, I've found my first buffer overflow vulnerability and wrote my first exploit. The feeling when you're finally able to see something along the lines of
# nc -l 5555 id uid=0(root) gid=0(root) groups=0(root)
is definitely worth the work :-) I'm still amazed at how easy it was in the end to find something, though. The buffer overflow is a classical strcpy() bug, to say it with Ilja: »The 90's called, they want their bugs back :-p«
Now I am waiting for the author to respond and trying to figure out who actually uses this piece of software (it seems to be used in some WLAN access points, but I haven't really confirmed the vulnerability there) ...Update (16/03/2007): The author is unresponsive, the vulnerability is not present in the WLAN AP case and about 20 servers out of 2.000.000 actually use this thing. Looks like I'll be releasing the advisory pretty soon. Stay tuned.