Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server

From: KF (dotslashat_private)
Date: Wed Jun 19 2002 - 02:06:01 PDT


    Just so that you guys can physically see what I am talking about ... 
    here are some snippets from 2 separate boxes... they both handled it 
    differently...
    This may help in determining how exploitable this may or may not be. I 
    will be testing on a TRU64 and SunOS box tonight ... I will let you know 
    how it goes.
    
    [080706f7] select(4, 0xbffff5f0, 0, 0, 0xbffff678) = 1
    [08070725] read(3, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 512) = 512
    [080706f7] select(4, 0xbffff5f0, 0, 0, 0xbffff678) = 1
    [08070725] read(3, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 512) = 403
    [080706f7] select(4, 0xbffff5f0, 0, 0, 0xbffff678) = 1
    [08070725] read(3, "", 512)                       = 0
    [080634a6] close(3)                               = 0
    [080634b3] __errno_location()                     = 0x401adb80
    [080634dc] __errno_location()                     = 0x401adb80
    [08086734] sigemptyset(0xbffff7f4, 0x41414141, 0x41414141, 0x41414141,0x41414141) = 0
    [08086760] sigaction(10, 0xbffff7f0, 0xbffff760, 0x41414141, 0x41414141) = 0
    
    and this guy used x's instead of A's
    
    > >close(5)                                          = 0
    > >__errno_location()                                = 0x401fee60
    > >sigemptyset(0xbffff934, 0x78787878, 0x78787878, 0x78787878, 0x0808c9ac) = 0
    > >sigaction(10, 0xbffff930, 0xbffff8a4, 0x08069bcc, 0xbffff934) = 0
    > >waitpid(7651, 0, 1, 0, 0x0808c984)                = 7651
    > >accept(18, 0xbffff9ec, 0xbffff9e8, 0x0805c67b, 0 <unfinished ...>
    > >
    > >so sigaction is not touched (yet).
    
    
    -KF
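The traces above are interesting because request filler bytes (0x41 = "A", 0x78 = "x") show up as arguments to sigemptyset() and sigaction(), which is how one reads stack corruption out of an ltrace log. The following is an added example, not code from the post: a small Python checker that parses ltrace-style lines and flags 32-bit arguments made of one repeated printable byte. The trace sample is constructed from the snippets in the post with the quote markers removed.

```python
import re

# Constructed sample: the two ltrace excerpts from the post, plus benign lines.
TRACE = """\
[08070725] read(3, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 512) = 512
[08086734] sigemptyset(0xbffff7f4, 0x41414141, 0x41414141, 0x41414141,0x41414141) = 0
[08086760] sigaction(10, 0xbffff7f0, 0xbffff760, 0x41414141, 0x41414141) = 0
sigemptyset(0xbffff934, 0x78787878, 0x78787878, 0x78787878, 0x0808c9ac) = 0
sigaction(10, 0xbffff930, 0xbffff8a4, 0x08069bcc, 0xbffff934) = 0
waitpid(7651, 0, 1, 0, 0x0808c984)                = 7651
"""

# Optional "[pc]" prefix, function name, argument list, return value.
CALL_RE = re.compile(r'^(?:\[[0-9a-f]+\]\s+)?(\w+)\((.*)\)\s*=\s*(\S+)')
# 32-bit hex words as ltrace prints pointer-sized arguments.
HEX_RE = re.compile(r'0x([0-9a-fA-F]{8})')


def filler_byte(word):
    """Return the byte if a 32-bit word is one printable byte repeated 4 times, else None."""
    b = word.to_bytes(4, 'big')
    if len(set(b)) == 1 and 0x20 <= b[0] < 0x7f:
        return b[0]
    return None


def suspicious_calls(trace):
    """Return [(function, [(hex_arg, decoded_text), ...])] for calls whose
    pointer-sized arguments look like request filler rather than addresses."""
    out = []
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:          # unfinished calls and non-call lines are skipped
            continue
        func, args = m.group(1), m.group(2)
        hits = []
        for h in HEX_RE.findall(args):
            fb = filler_byte(int(h, 16))
            if fb is not None:
                hits.append((f'0x{h}', chr(fb) * 4))
        if hits:
            out.append((func, hits))
    return out


if __name__ == '__main__':
    for func, hits in suspicious_calls(TRACE):
        print(func, hits)
```

On the sample this reports the first box's sigemptyset (four overwritten arguments) and sigaction (two), and the second box's sigemptyset (three) but not its sigaction, matching the observation that sigaction was not touched there.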
    



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 17:11:42 PDT