Re: Analyze binary for holes

From: Shaun Clowes (shaunat_private)
Date: Thu Jul 31 2003 - 17:12:05 PDT


    On Thu, Jul 31, 2003 at 10:19:18PM -0000, DownBload wrote:
    > In-Reply-To: <20030729162007.7689.qmailat_private>
    > 
    > You can use strings to easily find potentially vulnerable functions.
    > # strings /bin/ls | grep strcpy
    > # strings /bin/sh | grep sprintf
    > # strings /bin/tralalal | grep syslog 
    > # strings /bin/format   | grep fprintf
    > If a potentially vulnerable function is found, you only know that the function is
    > used, but you don't know whether that function is used in the wrong way.
    > Try to disassemble with gdb and look for flaws or brute force args and env.
    
    Sorry, but this thread is now getting ridiculous; reverse engineering
    using strings is silly. If you insist on looking for vulnerable functions you
    should actually look for function imports using the correct tool for the
    binary file you're looking at, e.g.:
    
    $ elfdump -s /bin/ls | grep strcpy
          [81]  0x00024190 0x00000000  FUNC GLOB  D    0 UNDEF       strcpy
    
    If you decide you want to verify those calls you should run the code
    through a good disassembler (though I guess objdump is pretty much your
    only option that is free for Solaris) and study the code that provides
    the parameters (and their origin). Any which way you look at it, doing
    this well is hard and time consuming work. 
    
    Cheers,
    Shaun
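The import listing Shaun describes, done by parsing the binary rather than grepping its strings, as an added example that is not part of the original thread: this Python reads a little-endian ELF64 image, walks its .dynsym/.symtab sections and reports the symbols that are both FUNC and UNDEF, which is exactly what the `UNDEF strcpy` row in the elfdump output above represents. `build_sample_elf` is a constructed fixture (not a real binary) so the script runs offline; `imported_functions` works on any real ELF64 file read into memory.

```python
import struct

# Little-endian ELF64 layouts (see elf.h): file header, section header, symbol
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
SHDR = "<IIQQQQIIQQ"          # Elf64_Shdr, 64 bytes
SYM = "<IBBHQQ"               # Elf64_Sym, 24 bytes
SHT_SYMTAB, SHT_DYNSYM, SHT_STRTAB = 2, 11, 3
STT_FUNC, SHN_UNDEF = 2, 0


def imported_functions(blob):
    """Return the set of function names a little-endian ELF64 image imports.

    An import is a symbol of type FUNC whose section index is UNDEF, i.e. the
    symbol is referenced but defined elsewhere (normally a shared library).
    """
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, blob, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(SHDR, blob, shoff + i * shentsize) for i in range(shnum)]
    imports = set()
    for sh in shdrs:
        if sh[1] not in (SHT_DYNSYM, SHT_SYMTAB):
            continue
        strtab = shdrs[sh[6]]                     # sh_link names the string table
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            name, info, _, shndx, _, _ = struct.unpack_from(SYM, blob, off)
            if shndx == SHN_UNDEF and info & 0xF == STT_FUNC:
                start = strtab[4] + name            # offset into the string table
                imports.add(blob[start:blob.index(b"\0", start)].decode())
    return imports


def build_sample_elf(import_names, defined_names=()):
    """Constructed fixture: a minimal ELF64 holding only .dynsym and .dynstr."""
    strtab, syms = b"\0", [struct.pack(SYM, 0, 0, 0, 0, 0, 0)]   # null string, null symbol
    for nm, defined in [(n, False) for n in import_names] + [(n, True) for n in defined_names]:
        idx, strtab = len(strtab), strtab + nm.encode() + b"\0"
        info = (1 << 4) | STT_FUNC                 # STB_GLOBAL, STT_FUNC
        syms.append(struct.pack(SYM, idx, info, 0, 1 if defined else SHN_UNDEF, 0, 0))
    dynsym = b"".join(syms)
    sym_off, str_off = 64, 64 + len(dynsym)
    sh_off = str_off + len(strtab)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9    # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 0)
    null_sh = struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    dynsym_sh = struct.pack(SHDR, 0, SHT_DYNSYM, 0, 0, sym_off, len(dynsym), 2, 1, 8, 24)
    dynstr_sh = struct.pack(SHDR, 0, SHT_STRTAB, 0, 0, str_off, len(strtab), 0, 0, 1, 0)
    return ehdr + dynsym + strtab + null_sh + dynsym_sh + dynstr_sh
```

Running `imported_functions(open(path, "rb").read())` on a real ELF64 gives the same UNDEF FUNC set that elfdump or readelf would print, without the false positives that a plain string search produces.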
    
    This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 08:50:24 PDT