List: bugtraq
Subject: rlogin bug and buffer overflow thoughts
From: Laslo Orto <cc317 () freenet ! toronto ! on ! ca>
Date: 1996-08-28 20:37:14
The bug exists also in FreeBSD (don't know what version exactly but I
think all of them), BSDI 2.1 and SunOS 4.1.4 (and probably other versions).
I haven't been able to exploit it because (I might be wrong):
The vulnerable function does not use return(value), it uses exit(value)
instead, so the overflowed part of the stack with the changed address is
never accessed.
I wrote a "vulnerable" test to check it.
-----------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char string[256];
    /* deliberately unbounded copy: a TERM longer than 256 bytes overflows the stack */
    strcpy(string, getenv("TERM"));
    /* everything that comes after this call still works, like: */
    printf("%s", string);
    return 0; /* returns through the (possibly overwritten) saved return address */
}
-----------------------------------------------------------------
This gives me a shell when the TERM is a long string with the proper
instructions.
But this one didn't give a shell:
-----------------------------------------------------------------
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char string[256];
    /* same unbounded copy as above */
    strcpy(string, getenv("TERM"));
    exit(0); /* never returns, so the saved return address is not used */
}
----------------------------------------------------------------
Any comments ?
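As an added example (my own code, not the poster's), here is the hardened counterpart of the two test programs above: the same 256-byte buffer, but TERM is copied with an explicit bound, a NULL result from getenv() is handled, and the value is checked against a simple terminal-name syntax before it is used. The helper names copy_bounded, term_looks_sane and read_term and the character set accepted by term_looks_sane are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define TERM_MAX 256  /* same buffer size as the test programs above */

/* Bounded copy into dst (dstlen bytes), always NUL-terminated.
 * Returns 0 when src fit, 1 when it was truncated, -1 when src is NULL
 * or dst has no room at all. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t len;

    if (dstlen == 0)
        return -1;
    if (src == NULL) {          /* getenv() returns NULL when TERM is unset */
        dst[0] = '\0';
        return -1;
    }
    len = strlen(src);
    if (len >= dstlen) {        /* would not fit with its terminator: cut it */
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hypothetical sanity check (assumption, not part of the original post):
 * terminal names are short tokens of letters, digits, '-', '.' and '+'.
 * Returns 1 if the value looks like a terminal name, 0 otherwise. */
int term_looks_sane(const char *term)
{
    size_t i;

    if (term == NULL || term[0] == '\0')
        return 0;
    for (i = 0; term[i] != '\0'; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!isalnum(c) && c != '-' && c != '.' && c != '+')
            return 0;
    }
    return 1;
}

/* Read TERM into a fixed buffer the safe way; returns 0 on success,
 * -1 when TERM is unset, does not fit, or fails the syntax check. */
int read_term(char *out, size_t outlen)
{
    int rc = copy_bounded(out, outlen, getenv("TERM"));

    if (rc != 0)                /* unset, or longer than the buffer: refuse it */
        return -1;
    if (!term_looks_sane(out))
        return -1;
    return 0;
}

int main(void)
{
    char term[TERM_MAX];

    if (read_term(term, sizeof term) != 0) {
        fputs("TERM is unset, too long, or malformed; using \"dumb\"\n", stderr);
        strcpy(term, "dumb");   /* constant that fits the buffer */
    }
    printf("%s\n", term);
    return 0;
}
```

Refusing an over-long value rather than silently truncating it is a deliberate choice: a TERM that does not fit in 256 bytes is not a terminal name, so the program falls back to a known-good constant instead of working with a cut-off string.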