Re: Digital Unix 4.0 exploitable buffer overflows

From: GANG WANG (gang_wat_private)
Date: Wed Jan 27 1999 - 17:00:22 PST


    Here is what I got.
    
    % uname -a
    OSF1 xxx V4.0 878 alpha
    % head -1 /etc/motd
    Digital UNIX V4.0D  (Rev. 878); Tue Jul  7 08:39:27 EDT 1998
    % ls -l /usr/bin/mh/inc
    -rws--x--x   1 root     bin        73728 Dec 30  1997 /usr/bin/mh/inc*
    
    % /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8167'` foo
    Word too long.
    % /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 2040'` foo
    inc: usage: inc [+folder] [switches]
    % /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 2048'` foo
    Word too long.
    
    Seems this inc bug has been fixed already.
    
    -----Original Message-----
    From: Larry W. Cashdollar <lwcashdat_private>
    To: BUGTRAQat_private <BUGTRAQat_private>
    Date: Wednesday, January 27, 1999 9:40 AM
    Subject: Re: Digital Unix 4.0 exploitable buffer overflows
    
    
    >I decided to inspect this a little more on a Digital unix box I had access to.
    >
    >
    >
    >alpha>> uname -a
    >OSF1 xxx V4.0 878 alpha
    >alpha>> head -1 /etc/motd
    >Digital UNIX V4.0D  (Rev. 878); Tue Jul  7 08:39:27 EDT 1998
    >alpha>> ls -l /usr/bin/mh/inc
    >-rws--x--x   1 root     bin        73728 Dec 29  1997 /usr/bin/mh/inc*
    >
    >alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8169'` foo
    >Segmentation fault
    >alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8168'` foo
    >Illegal instruction
    >alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8167'` foo
    >Segmentation fault
    >alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8166'` foo
    >inc: usage: inc [+folder] [switches]
    >
    >We see at 8168 a's we have overflowed the return address.  If I wasn't married
    >I could probably follow this up with the exploit.  Just a little nop padding and
    >I think it would be the perfect example of a buffer overflow exploit.
    >
    >
    >-- Larry W. Cashdollar
    
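As an added illustration (not code from this thread or from MH itself), a hypothetical C model of the defect the two posts probe: an argv word copied into a fixed stack buffer with no length check, beside the kind of check that refuses the word with "Word too long." The 2048-byte limit is an assumption chosen to match the thresholds observed above (2040 accepted, 2048 rejected); the real inc source is not on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit, picked to match the observed thresholds in the thread. */
#define WORDLEN 2048

/* Vulnerable pattern (illustration only, never called below): the argument
   is copied into a fixed stack buffer with no bound, so an over-long argv
   word runs past the buffer and, at the right length, over the saved return
   address, which is what the "Segmentation fault" / "Illegal instruction"
   results above point to. */
void parse_word_unchecked(const char *arg)
{
    char word[WORDLEN];
    strcpy(word, arg);          /* no length check: classic stack overflow */
    (void)word;
}

/* Hardened form: refuse any word that does not fit (NUL included) before
   copying anything. Returns 0 on success, -1 if the word is too long. */
int parse_word_checked(const char *arg, char *out, size_t outlen)
{
    size_t n = strnlen(arg, outlen);
    if (n >= outlen) {
        fprintf(stderr, "Word too long.\n");
        return -1;
    }
    memcpy(out, arg, n + 1);
    return 0;
}

/* Self-test helper: build a constructed word of `len` 'a's, as the perl
   one-liners in the thread do, and report whether the checked parser
   accepts it (1) or rejects it (0). */
int accepts_word_of_length(size_t len)
{
    char out[WORDLEN];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL) return -1;
    memset(arg, 'a', len);
    arg[len] = '\0';
    rc = parse_word_checked(arg, out, sizeof out);
    free(arg);
    return rc == 0;
}

int main(void)
{
    printf("2040 a's: %s\n", accepts_word_of_length(2040) ? "accepted" : "rejected");
    printf("2048 a's: %s\n", accepts_word_of_length(2048) ? "accepted" : "rejected");
    printf("8168 a's: %s\n", accepts_word_of_length(8168) ? "accepted" : "rejected");
    return 0;
}
```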



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:45 PDT