Re: Digital Unix 4.0 exploitable buffer overflows

From: Larry W. Cashdollar (lwcashdat_private)
Date: Tue Jan 26 1999 - 12:46:27 PST


    I decided to inspect this a little more on a Digital Unix box I had access to.
    
    alpha>> uname -a
    OSF1 xxx V4.0 878 alpha
    alpha>> head -1 /etc/motd
    Digital UNIX V4.0D  (Rev. 878); Tue Jul  7 08:39:27 EDT 1998
    alpha>> ls -l /usr/bin/mh/inc
    -rws--x--x   1 root     bin        73728 Dec 29  1997 /usr/bin/mh/inc*
    
    alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8169'` foo
    Segmentation fault
    alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8168'` foo
    Illegal instruction
    alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8167'` foo
    Segmentation fault
    alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8166'` foo
    inc: usage: inc [+folder] [switches]
    
    We see at 8168 a's we have overflowed the return address.  If I wasn't married
    I could probably follow this up with the exploit.  Just a little nop padding and
    I think it would be the perfect example of a buffer overflow exploit.
    
    
    -- Larry W. Cashdollar
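
The crash pattern above (a setuid-root binary that dies with a Segmentation fault or Illegal instruction once a switch argument passes a certain length) is the classic symptom of a fixed-size stack buffer filled by an unbounded copy of argv data. The following C program is an added example written for this archive page; it is not inc's source and does not reproduce anything about the real binary. It puts the unsafe copy shape next to the bounded one a fix would use, and shows the off-by-one that a bounds check must get right. `AUDIT_BUFSZ`, `safe_copy_audit`, `unsafe_copy_audit` and `accepts_audit_arg` are all constructed names; the real buffer size in inc is not known from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed buffer size standing in for the fixed-size argument buffer that
 * the crashes above point to; the real size in inc is not known from the post. */
#define AUDIT_BUFSZ 256

/* The unsafe shape: a switch argument copied into a fixed buffer with no
 * length check. With an argument longer than the buffer this writes past the
 * buffer's end, which is the kind of defect the Segmentation fault /
 * Illegal instruction results above are the visible symptom of.
 * Shown for contrast only; nothing below calls it. */
void unsafe_copy_audit(char *dst, const char *arg)
{
    strcpy(dst, arg);   /* no bound: strlen(arg) + 1 bytes are written */
}

/* The hardened shape: refuse the argument unless it fits, NUL included.
 * Returns 0 on success, -1 if the argument is too long for dst. */
int safe_copy_audit(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)      /* >= not >: one byte must be left for the NUL */
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Build an argument of `len` 'a' characters, in the spirit of the perl
 * one-liners in the post, and report whether the bounded copy accepts it.
 * Returns 1 if accepted, 0 if rejected (or if allocation fails). */
int accepts_audit_arg(size_t len)
{
    char dst[AUDIT_BUFSZ];
    char *arg = malloc(len + 1);
    int ok;

    if (arg == NULL)
        return 0;
    memset(arg, 'a', len);
    arg[len] = '\0';
    ok = (safe_copy_audit(dst, sizeof dst, arg) == 0);
    free(arg);
    return ok;
}

/* Stand-alone driver: behaves like a program that takes one audit-file
 * argument and rejects over-long input with a usage-style error instead
 * of crashing. */
int main(int argc, char **argv)
{
    char audit[AUDIT_BUFSZ];
    const char *arg = argc > 1 ? argv[1] : "foo";

    if (safe_copy_audit(audit, sizeof audit, arg) != 0) {
        fprintf(stderr, "audit: argument too long (max %zu bytes)\n",
                (size_t)(sizeof audit - 1));
        return 1;
    }
    printf("audit file: %s\n", audit);
    return 0;
}
```

The check uses `>=` rather than `>` because `dstsz` counts the terminating NUL; a check of `strlen(arg) > dstsz` would still let an argument of exactly `dstsz` bytes write one byte past the end. Running the driver with an 8168-byte argument, as in the session above, yields the error line and exit status 1 rather than a signal, which is the behaviour a patched binary should show.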
    