Things are a little different on Solaris 2.6 Sparc. lpstat only accepts a buffer which doesn't contain \x20, \x0a or \x3b. Can somebody teach me how to write a shellcode on Solaris Sparc without those characters? I feel that I'm so stupid :-(

G.

-----Original Message-----
From: plasmoid deep/thc/clb <plasmoidat_private>
To: BUGTRAQat_private <BUGTRAQat_private>
Date: Wednesday, January 27, 1999 11:16 AM
Subject: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat

>
> On Aug/25/98 Sun released the following patches for lp:
>
>   Solaris2.6 Sparc: 106235-02
>   Solaris2.6 x86:   106236
>
> It is quite sad that they did not fix another overflow in
> /usr/bin/lpstat. I tested this bug on both Solaris 2.7 x86
> and 2.6 Sparc; I assume that it is also present on Solaris 2.6
> x86 and 2.7 Sparc.
>
> Solaris 2.7 x86
> % plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
> % UX:lpstat: ERROR: Class
> [...]
> % AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
> % not exist.
> % TO FIX: Use the "lpstat -c all" command to list
> % all known classes.
> % Segmentation Fault
> % plasmoid@gorkie:foo>
>
> Solaris 2.6 Sparc
> % plasmoid@bock:foo> lpstat -c `perl -e 'print "AAAA" x 250'`
> % UX:lpstat: ERROR: Class
> [...]
> % AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does not
> % exist.
> % TO FIX: Use the "lpstat -c all" command to list
> % all known classes.
> % Segmentation Fault
> % plasmoid@bock:foo>
>
> This overflow is definitely exploitable; I attached the exploit for
> Solaris x86. Quality patches for all Solaris versions can be obtained
> from www.hert.org, a fast security source.
>
> plasmoid deep/thc/clb
> http://thc.inferno.tusculum.edu
>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:11 PDT