Re: buffer overflow in nslookup?

From: Willy TARREAU (tarreauat_private)
Date: Mon Aug 31 1998 - 01:38:50 PDT

    > Segmentation fault (core dumped)
    >
    > At first, this does not seem a problem: nslookup is not suid root or anything.
    > But several sites have cgi-scripts that call nslookup... tests show that these
    > will coredump when passed enough characters. Looks exploitable to me...
    
    It is, I've successfully got a shell using my old generic exploit, with 260
    bytes followed by a pointer to esp-400.
    
                                            Willy
    
    --
    +----------------------------------------------------------------------------+
    | Willy Tarreau - tarreauat_private - http://www-miaif.lip6.fr/willy/  |
    | System and Network Engineer - NOVECOM - http://novworld.novecom.fr/        |
    | Magistere d'Informatique Appliquee de l'Ile de France ( MIAIF ), Year 1997 |
    +----------------------------------------------------------------------------+
    


