[20205] in bugtraq


Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !

daemon@ATHENA.MIT.EDU (Half Adder)
Fri Apr 13 13:09:53 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.3.96.1010413064243.18976A-100000@Lib-Vai.lib.asu.edu>
Date:         Fri, 13 Apr 2001 06:45:05 -0700
Reply-To: Half Adder <dps@LIB-VAI.LIB.ASU.EDU>
From: Half Adder <dps@LIB-VAI.LIB.ASU.EDU>
X-To:         Crist Clark <crist.clark@GLOBALSTAR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3AD62BA2.888966F4@globalstar.com>

> curious how you plan to inject code if the only way to get the seg. fault
> is to enter a bare '~'? Kinda limits what you can get on the stack, no?

Actually you can do this:

CWD ~/fffffffffffffffffffffff.. (etc)

I could fit about 390 bytes after the ~/ when I tried it against Solaris
7.

Also works with MKD and RMD.

Try it, you'll like it.
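
Added example, not part of the original post: a detection check for the command shapes this thread describes (CWD, MKD or RMD with a bare `~` or a long `~/...` argument), run over FTP control-channel lines. The 64-byte threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Commands named in the thread; FTP verbs are case-insensitive.
WATCHED = {"CWD", "MKD", "RMD"}
# Assumed policy threshold (not from the post): longest tilde path treated as normal.
MAX_TILDE_ARG = 64

_LINE = re.compile(rb"^\s*([A-Za-z]{3,4})(?: (.*))?$")

def classify(raw: bytes):
    """Return None for a line of no interest, else a short reason string."""
    m = _LINE.match(raw.rstrip(b"\r\n"))
    if not m:
        return None
    verb = m.group(1).decode("ascii").upper()
    arg = (m.group(2) or b"").strip()
    # Only tilde-led arguments to the watched verbs are in scope here.
    if verb not in WATCHED or not arg.startswith(b"~"):
        return None
    if arg == b"~":
        return f"{verb}: bare tilde argument"
    if len(arg) > MAX_TILDE_ARG:
        return f"{verb}: tilde argument of {len(arg)} bytes"
    return None

def scan(lines):
    """Yield (line_number, reason) for each flagged command line."""
    for n, raw in enumerate(lines, 1):
        reason = classify(raw)
        if reason:
            yield n, reason

# Constructed sample control-channel input (not captured traffic).
SAMPLE = [
    b"USER anonymous\r\n",
    b"CWD ~/pub\r\n",                      # ordinary home-relative path
    b"CWD ~\r\n",                          # bare tilde from the quoted message
    b"mkd ~/" + b"f" * 390 + b"\r\n",      # long tilde path, lower-case verb
    b"RMD /tmp/" + b"f" * 390 + b"\r\n",   # long, but not tilde-led: out of scope
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE):
        print(n, reason)
```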
