Re: suid scotty (ntping) overflow

From: Larry W. Cashdollar (lwcat_private)
Date: Wed Jun 13 2001 - 12:48:23 PDT


On Tue, 12 Jun 2001, KF wrote:

> I am not sure that this made it on to the list the first time I sent
> it... so sorry if this is a duplicate
>

Well anyway, here is an exploit I was toying with.  Perhaps someone with
better overflow skills can tweak it a bit.

I got it to spit out a shell at various offsets; you can use the brute.pl
script to automate the process.

Tested on Mandrake 8.0.

I think the overflow occurs at line 643; that line is

643:	strcpy (tmp, hname);

where tmp is declared as char tmp [512]; and hname is char *hname;

Perhaps changing line 643 to strncpy (tmp,hname,512) might be a better
idea....

-- Larry W. Cashdollar
   http://vapid.dhs.org
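Added illustration for the fix discussed above; this is not code from the post or from scotty/ntping itself. It shows a bounded replacement for the strcpy into the 512-byte tmp buffer that refuses over-long input and always leaves tmp NUL-terminated, plus a check of the caveat with a bare strncpy(tmp, hname, 512): when the hostname is 512 bytes or longer, strncpy writes no terminator at all. The buffer size and the names tmp/hname come from the post; the hostname lengths and the helper names are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Size of the stack buffer named in the post: char tmp[512]. */
#define TMP_SIZE 512

/* Bounded replacement for strcpy(tmp, hname): copies src only when it fits
 * with its terminator. Returns 0 on success, -1 if src is too long (dst is
 * then left as an empty string rather than silently truncated). */
int copy_hostname(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        if (dst_size > 0) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n bytes plus the terminating NUL */
    return 0;
}
/* Constructed input: a hostname of `len` non-NUL bytes; caller frees. */
static char *make_name(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL) return NULL;
    memset(name, 'B', len);
    name[len] = '\0';
    return name;
}
/* Copy a constructed name of `len` bytes into a 512-byte stack buffer. */
int try_copy_of_length(size_t len)
{
    char tmp[TMP_SIZE];
    char *name = make_name(len);
    if (name == NULL) return -2;
    int rc = copy_hostname(tmp, sizeof tmp, name);
    free(name);
    return rc;
}
/* The caveat with the suggested strncpy(tmp, hname, 512): with a name of
 * 512 bytes or more, strncpy writes no NUL. Returns 1 if tmp is terminated. */
int strncpy_leaves_terminator(size_t len)
{
    char tmp[TMP_SIZE];
    char *name = make_name(len);
    if (name == NULL) return -2;
    memset(tmp, 'A', sizeof tmp);          /* no NUL present beforehand */
    strncpy(tmp, name, TMP_SIZE);
    free(name);
    return memchr(tmp, '\0', sizeof tmp) != NULL;
}
```

A 511-byte name still fits and is terminated by both approaches; at 512 bytes the bounded copy rejects the input while the bare strncpy leaves tmp with no terminator, so any later string function reads past the buffer.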

This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 14:19:05 PDT