Are you sure you didn't just crash the client? Which binary did gdb say the
core file came from? telnet or telnetd?

On 17 Feb 2002, Aramis Orlando wrote:

> Well .. once again we proved that the coders are too busy to look at
> their code...
> I discovered a bug on telnetd...
> watch this:
> ===============================================
> [root@localhost telnet]# telnet 127.0.0.1 -l "`perl -e 'printf "A"x9000'`"
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> Segmentation fault (core dumped)
> [root@localhost telnet]#
> ===============================================
> gdb output :
> (gdb) info registers
> eax            0x1              1
> ecx            0x401eff00       1075773184
> edx            0x807d398        134730648
> ebx            0x401f19e4       1075780068
> esp            0xbfffd3e8       0xbfffd3e8
> ebp            0xbfffd410       0xbfffd410
> esi            0x41414140       1094795584
> edi            0x807d190        134730128
> eip            0x40146df0       0x40146df0
> eflags         0x10202          66050
> cs             0x23             35
> ss             0x2b             43
> ds             0x2b             43
> es             0x2b             43
> fs             0x2b             43
> gs             0x2b             43
> fctrl          0x0              0
> fstat          0x0              0
> ftag           0x0              0
> fiseg          0x0              0
> fioff          0x0              0
> foseg          0x0              0
> fooff          0x0              0
> fop            0x0              0
> (gdb)
> ========================================
> but we can't write a local exploit because :
> [root@localhost telnet]# ls -al `which telnet`
> -rwxr-xr-x    1 root     root       130956 Mar 30  2001 /usr/kerberos/bin/telnet
> [root@localhost telnet]#
> ========================================
> --==Aramis==--
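The reply's first question, which binary the core file came from, can be answered without gdb: a Linux ELF core carries an NT_PRPSINFO note in its PT_NOTE segment, and that note records the dumped program's name (pr_fname) and the start of its command line (pr_psargs). The script below is an added example, not code from this thread or from any telnet or gdb source. It assumes the struct elf_prpsinfo layouts the Linux kernel writes for i386 (ELF32) and x86_64 (ELF64) cores, little-endian only; the sample core it builds is a constructed stand-in with a made-up command line, not a real dump.

```python
"""Identify the crashed program from an ELF core file's NT_PRPSINFO note.

Added example for the thread above; not the mailing list's or gdb's code.
Offsets below assume Linux i386 / x86_64 little-endian cores.
"""
import struct

PT_NOTE = 4      # program header type of the notes segment
NT_PRPSINFO = 3  # note type carrying struct elf_prpsinfo
ET_CORE = 4

# Byte offsets of pr_fname (16 bytes) and pr_psargs (80 bytes) inside
# struct elf_prpsinfo for the two layouts this example covers (assumed).
PRPSINFO_LAYOUT = {
    32: (28, 44),  # i386: pr_flag 32-bit, uid/gid 16-bit; struct is 124 bytes
    64: (40, 56),  # x86_64: pr_flag 64-bit and 8-aligned; struct is 136 bytes
}


def _align4(n):
    return (n + 3) & ~3


def iter_notes(blob):
    """Yield (name, type, desc) for each entry in a PT_NOTE segment."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += _align4(namesz)
        desc = blob[off:off + descsz]
        off += _align4(descsz)
        yield name, ntype, desc


def prpsinfo_from_notes(blob, elfclass):
    """Return (pr_fname, pr_psargs) from the CORE/NT_PRPSINFO note, or None."""
    fname_off, psargs_off = PRPSINFO_LAYOUT[elfclass]
    for name, ntype, desc in iter_notes(blob):
        if name == b"CORE" and ntype == NT_PRPSINFO:
            fname = desc[fname_off:fname_off + 16].split(b"\0", 1)[0]
            psargs = desc[psargs_off:psargs_off + 80].split(b"\0", 1)[0]
            return fname.decode("latin-1"), psargs.decode("latin-1")
    return None


def core_program(data):
    """Walk the ELF header and program headers of a core image (bytes) and
    return (pr_fname, pr_psargs) of the process that was dumped."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elfclass = 32 if data[4] == 1 else 64
    if data[5] != 1:
        raise ValueError("big-endian cores are not handled by this example")
    fmt = "<HHIQQQIHHHHHH" if elfclass == 64 else "<HHIIIIIHHHHHH"
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _ = \
        struct.unpack_from(fmt, data, 16)
    if e_type != ET_CORE:
        raise ValueError("not a core file (e_type=%d)" % e_type)
    for i in range(e_phnum):
        ph = data[e_phoff + i * e_phentsize:]
        if elfclass == 64:  # p_type, p_flags, p_offset, vaddr, paddr, filesz, ...
            p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", ph)
        else:               # p_type, p_offset, vaddr, paddr, filesz, memsz, ...
            p_type, p_offset, _, _, p_filesz, _, _, _ = struct.unpack_from("<IIIIIIII", ph)
        if p_type == PT_NOTE:
            found = prpsinfo_from_notes(data[p_offset:p_offset + p_filesz], elfclass)
            if found:
                return found
    return None


def build_sample_core(fname=b"telnet", psargs=b"telnet 127.0.0.1 -l AAAAAAAA"):
    """Constructed x86_64 ET_CORE image with one PT_NOTE segment. Not a real
    dump: just enough structure for core_program() to parse."""
    desc = bytearray(136)
    desc[40:40 + min(len(fname), 15)] = fname[:15]
    desc[56:56 + min(len(psargs), 79)] = psargs[:79]
    name = b"CORE\0"
    note = struct.pack("<III", len(name), len(desc), NT_PRPSINFO)
    note += name.ljust(_align4(len(name)), b"\0") + bytes(desc)
    ehdr_size, phdr_size = 64, 56
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_CORE, 62, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 0, ehdr_size + phdr_size,
                       0, 0, len(note), 0, 4)
    return ehdr + phdr + note
```

On a real system, `core_program(open("core", "rb").read())` gives the same answer as `file core` or gdb's startup banner; if pr_fname reads `telnet` rather than `telnetd`, the crash is in the non-setuid client the poster invoked, which is exactly the point the reply is making.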
This archive was generated by hypermail 2b30 : Sun Feb 17 2002 - 09:20:06 PST