List:       bugtraq
Subject:    rlogin bug and buffer overflow thoughts
From:       Laslo Orto <cc317 () freenet ! toronto ! on ! ca>
Date:       1996-08-28 20:37:14
The bug exists also in FreeBSD (I don't know what version exactly, but I
think all of them), BSDI 2.1 and SunOS 4.1.4 (and probably other versions).
I haven't been able to exploit it because (I might be wrong):
The vulnerable function does not use return(value); it uses exit(value)
instead, so the overflowed part of the stack with the changed address is
never accessed.
I wrote a "vulnerable" test to check it.
-----------------------------------------------------------------
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* getenv */
#include <string.h>  /* strcpy */

int main(void)
{
        char string[256];

        /* unbounded copy: a TERM longer than 255 bytes overflows string */
        strcpy(string,getenv("TERM"));
/* everything that comes after this call still works, like: */
        printf("%s",string);
        return 0;   /* function returns, so the saved return address is used */
}
-----------------------------------------------------------------
This gives me a shell when the TERM is a long string with the proper
instructions.
But this one didn't give a shell:
-----------------------------------------------------------------
#include <stdlib.h>  /* getenv, exit */
#include <string.h>  /* strcpy */

int main(void)
{
        char string[256];

        /* same unbounded copy as above */
        strcpy(string,getenv("TERM"));
        exit(0);    /* never returns, so the saved return address is never popped */
}
----------------------------------------------------------------
Any comments ?
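The two snippets above differ only in whether the overflowing function ever returns. The following is an added example (not part of the original post and not the poster's code) that makes the same point without corrupting the running program's real stack: it models the frame as a struct with the 256-byte buffer followed by a slot standing in for the saved return address, performs the unbounded copy against that model, and reports whether the slot was touched. Beside it is the bounded copy that should replace `strcpy(string, getenv("TERM"))`. The struct layout, the `0xDEADBEEF` sentinel and the `probe*` helpers (which build TERM values of a given length out of the letter 'A', constructed test input rather than real terminal names) are all assumptions of this example; a real frame's layout is compiler- and ABI-specific.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_BUF 256

/* Model of the vulnerable frame: the 256-byte local followed by the slot a
 * real frame would keep the saved return address in.  This is an assumed,
 * illustrative layout only; real stack frames vary by compiler and ABI. */
struct frame {
    char string[TERM_BUF];
    unsigned long saved_ret;
};

/* The original behaviour: an unbounded copy into the 256-byte buffer.
 * The copy is clamped to the size of the model frame so this program stays
 * well defined; a real strcpy() keeps writing past it.
 * Returns 1 if the model return slot was overwritten, 0 if it survived. */
int unbounded_copy_clobbers_ret(const char *term)
{
    struct frame f;
    const unsigned long sentinel = 0xDEADBEEFUL;   /* assumed marker value */
    size_t n = strlen(term) + 1;                   /* strcpy copies the NUL too */

    memset(&f, 0, sizeof f);
    f.saved_ret = sentinel;
    if (n > sizeof f)
        n = sizeof f;                              /* clamp, see above */
    memcpy((char *)&f, term, n);
    return f.saved_ret != sentinel;
}

/* Bounded replacement for strcpy(string, getenv("TERM")).
 * Returns 0 on success, -1 if TERM is unset, -2 if it would not fit
 * (including the terminating NUL). */
int copy_term(char *dst, size_t dstlen, const char *term)
{
    size_t len;

    if (term == NULL)
        return -1;
    len = strlen(term);
    if (len >= dstlen)
        return -2;
    memcpy(dst, term, len + 1);
    return 0;
}

/* Constructed input: a TERM value of `len` letters 'A'.  Caller frees. */
static char *make_term(size_t len)
{
    char *term = malloc(len + 1);
    if (term == NULL)
        return NULL;
    memset(term, 'A', len);
    term[len] = '\0';
    return term;
}

/* Run the unbounded copy against a TERM of `len` bytes; -3 on malloc failure. */
int probe(size_t len)
{
    char *term = make_term(len);
    int hit;
    if (term == NULL)
        return -3;
    hit = unbounded_copy_clobbers_ret(term);
    free(term);
    return hit;
}

/* Run the bounded copy against a TERM of `len` bytes into a 256-byte buffer. */
int probe_safe(size_t len)
{
    char string[TERM_BUF];
    char *term = make_term(len);
    int rc;
    if (term == NULL)
        return -3;
    rc = copy_term(string, sizeof string, term);
    free(term);
    return rc;
}

int main(void)
{
    char string[TERM_BUF];

    printf("255-byte TERM clobbers model return slot: %d\n", probe(255));
    printf("256-byte TERM clobbers model return slot: %d\n", probe(256));
    printf("300-byte TERM clobbers model return slot: %d\n", probe(300));

    if (copy_term(string, sizeof string, getenv("TERM")) != 0) {
        fprintf(stderr, "TERM unset or longer than %d bytes\n", TERM_BUF - 1);
        return 1;
    }
    printf("%s\n", string);
    return 0;
}
```

Note the 256-byte case: the string itself fits the buffer exactly, but the NUL that strcpy appends lands in the slot behind it, so even an overflow of a single byte changes the saved value. Whether a changed value matters is then exactly the question the post raises: it is only consumed if the function returns through it.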
