smbmount problem?

From: Chris Evans (chrisat_private)
Date: Tue Apr 21 1998 - 04:05:43 PDT


    Hi,
    
    smbmount is a linux program to mount NT filesystem shares.
    
    /usr/sbin/smbmount //a/b /
    /usr/sbin/smbmount must be installed suid root
    
    Ohhh, that's nice. On my system (RH) it doesn't seem to be, which is
    probably very lucky! I expect it might be suid on other distributions
    maybe?
    
    # export USER=`perl -e 'print "A" x 10000'`
    # /usr/sbin/smbmount //a/b /
    Segmentation fault
    
    The buffer overflowed is on the stack, however it's of the form
    
    #include <stdlib.h>
    #include <string.h>

    struct a {
      /* .. blah .. */
      char user[32];
      /* .. blah .. */
    };

    int
    main()
    {
      struct a a;

      /* unbounded copy: a USER value longer than 31 bytes overflows user[] */
      strcpy (a.user, getenv("USER"));
      return 0;
    }
    
    
    I am interested to know if we can do anything malicious with this, since
    obviously the function "main" doesn't return and hand control to our
    overwritten stack frame. The eventual segfault is from within libc.
    
    Can someone enlighten us as to what use an overflow on the stack in
    function main() is? Aleph? :-)
    
    Cheers
    Chris
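As an added example (not from the post or from smbmount), the copy pattern Chris describes beside a bounded form that rejects an oversized USER instead of overflowing; the struct layout and the `share` field next to `user[]` are assumptions for illustration, not the program's real layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the struct in the post: a 32-byte user field with other
 * data packed next to it. share[] is a constructed stand-in for whatever
 * follows user[] in the real program (an assumption, not smbmount's layout). */
struct conn {
    char user[32];
    char share[64];
};

/* The pattern from the post: an unbounded strcpy of environment data into
 * a fixed field. Any USER longer than 31 bytes runs past user[] into the
 * neighbouring fields and then off the end of the struct. Shown for
 * comparison only; main() below never calls it. */
void set_user_unsafe(struct conn *c, const char *env_user)
{
    strcpy(c->user, env_user);
}

/* Bounded form: refuse a missing or oversized value instead of copying or
 * silently truncating it. Returns 0 on success, -1 on rejection, and
 * leaves c untouched when it rejects. */
int set_user_safe(struct conn *c, const char *env_user)
{
    if (env_user == NULL)
        return -1;
    /* memchr bounds the scan, so even a huge value is never read past
     * sizeof c->user bytes; no NUL in that window means it cannot fit. */
    const char *end = memchr(env_user, '\0', sizeof c->user);
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - env_user);   /* n <= 31 here */
    memcpy(c->user, env_user, n + 1);      /* copies the NUL too */
    return 0;
}

int main(void)
{
    struct conn c;
    memset(&c, 0, sizeof c);
    strcpy(c.share, "//a/b");              /* constructed sample value */
    if (set_user_safe(&c, getenv("USER")) != 0) {
        fputs("USER unset or longer than 31 bytes; refusing\n", stderr);
        return 1;
    }
    printf("user=%s share=%s\n", c.user, c.share);
    return 0;
}
```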
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:50:01 PDT