I found this a while back and there was a whole nonsuid overflow discussion over it...

http://www.security-focus.com/cgi-bin/archive.pl?id=82&start=2002-02-13&end=2002-02-19&threads=1&tid=189062

-KF

Aramis Orlando wrote:
>
> ==========================================
> = VI Overflow Tested in RedHat 7.0/7.1/7.2 =
> =----------------------------------------=
> = Author: Andrew Tofan                    =
> =----------------------------------------=
> = Email: aramisat_private                 =
> =----------------------------------------=
> ==========================================
>
>
> I've found a problem in vi, which is located in /bin/vi.
> Here are some tests I've made in <<VIM version 5.7.8>>.
>
> Take a look at my test:
>
> [root@softly /root]# vi -t "`perl -e 'printf "A"x9000'`"
> [root@softly /root]# gdb vi core
> gdb output:
> ==========
>
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libtermcap.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib/libtermcap.so.2
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> #0  0x80644a7 in strcpy () at ../sysdeps/generic/strcpy.c:31
> 31      ../sysdeps/generic/strcpy.c: No such file or directory.
>
> then take a look at the registers:
> ====================================
> (gdb) info registers
> eax            0x41414141       1094795585
> ecx            0x41414141       1094795585
> edx            0x1      1
> ebx            0x1      1
> esp            0xbfffd1c4       0xbfffd1c4
> ebp            0xbfffd1dc       0xbfffd1dc
> esi            0x41414141       1094795585
> edi            0x0      0
> eip            0x80644a7        0x80644a7
> eflags         0x10206  66054
> cs             0x23     35
> ss             0x2b     43
> ds             0x2b     43
> es             0x2b     43
> fs             0x2b     43
> gs             0x2b     43
> fctrl          0x0      0
> fstat          0x0      0
> ftag           0x0      0
> fiseg          0x0      0
> fioff          0x0      0
> foseg          0x0      0
> fooff          0x0      0
> fop            0x0      0
>
> I didn't waste my time writing an exploit because of this:
> -rwxr-xr-x    1 root     root       361852 Aug  7  2000 /bin/vi
>
> --==Aramis==--
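The crash above (SIGSEGV inside strcpy() with eax, ecx and esi all reading 0x41414141) is the signature of an unbounded strcpy() of the -t argument into a fixed-size stack buffer. Below is an added C example that is not VIM's code and not from either poster: a constructed stand-in for that pattern next to a bounded version that rejects an oversized tag instead of overflowing. TAG_BUF_SIZE (256) and the function names are assumptions for illustration; the post does not say how large VIM 5.7's real buffer is. As Aramis notes, /bin/vi is mode 755 root:root on these systems, so smashing it from your own shell gains no privilege; the pattern only becomes an exploit when the tag string arrives from a less trusted source than the user running vi.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the real size of the buffer VIM 5.7
 * copies the -t argument into is not stated in the post. */
#define TAG_BUF_SIZE 256

/* The vulnerable pattern: an unbounded strcpy() of a caller-controlled
 * string into a fixed-size stack buffer. With a 9000-byte argument the copy
 * runs past the buffer and over the saved registers and return address on
 * the stack, which is why the post's register dump shows eax/ecx/esi equal
 * to 0x41414141 ("AAAA") when the process dies inside strcpy().
 * Shown for contrast only; do not call it with untrusted input. */
void load_tag_unsafe(const char *tag)
{
    char buf[TAG_BUF_SIZE];
    strcpy(buf, tag);   /* no length check: stack smash once strlen(tag) >= sizeof buf */
    printf("jumping to tag: %s\n", buf);
}

/* Hardened version: measure the input against the destination first and
 * refuse anything that does not fit, instead of silently truncating (a
 * truncated tag name could still resolve to a different, valid tag).
 * The scan stops at outsz, so a huge argument is never read in full.
 * Returns 0 and fills out on success, -1 if the tag does not fit. */
int load_tag_safe(const char *tag, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && tag[n] != '\0')
        n++;
    if (n >= outsz)
        return -1;              /* no room for the string plus its NUL */
    memcpy(out, tag, n + 1);    /* n + 1 <= outsz, terminator included */
    return 0;
}

/* Mirrors the "vi -t <tag>" entry point: 0 if the tag was accepted, -1 if rejected. */
int handle_tag_argument(const char *tag)
{
    char buf[TAG_BUF_SIZE];
    if (load_tag_safe(tag, buf, sizeof buf) != 0) {
        fprintf(stderr, "tag name too long (max %zu bytes)\n", sizeof buf - 1);
        return -1;
    }
    printf("jumping to tag: %s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed input reproducing the post's test case: 9000 'A' bytes. */
    static char big[9001];
    memset(big, 'A', 9000);
    big[9000] = '\0';
    const char *tag = argc > 1 ? argv[1] : big;
    return handle_tag_argument(tag) == 0 ? 0 : 1;
}
```

Run without arguments it feeds itself the 9000-byte tag and exits 1 after printing the rejection, where the unsafe variant would dump core as in the post; pass a short tag on the command line to see the accepted path. The length check is deliberately "reject" rather than "truncate": strncpy-style truncation stops the crash but can turn a malicious tag into a different, syntactically valid one.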
This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 09:06:58 PST