[7174] in bugtraq


allocslip

daemon@ATHENA.MIT.EDU (CyberPsychotic)
Mon Jul 6 21:29:00 1998

Date: 	Sat, 4 Jul 1998 11:10:54 -0500
Reply-To: CyberPsychotic <fygrave@FREENET.BISHKEK.SU>
From: CyberPsychotic <fygrave@FREENET.BISHKEK.SU>
X-To:         dillon@apollo.west.oic.com
To: BUGTRAQ@NETSPACE.ORG

I have the feeling that allocslip in the dslip package has an overflow
in it (since it's setuid it should bring a rootshell with a careful
exploit).

Here's how I tested it:
package Dslip, version 2.03
(sunsite.unc.edu/pub/Linux/system/Network/serial/dslip203.tgz)
The package is rather old, but I found it being used on some Linux
machines around.
 gdb allocslip

GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation,
Inc... (no debugging symbols found)...
(gdb) run b_s `perl -e ' printf "A" x 300'`
[usual GDB messages]
GO! sh: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: command
not found

Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
(gdb)

info registers shows:
ebp            0x41414141       0x41414141
esi            0x40001fb0       1073749936
edi            0x80487f8        134514680
eip            0x41414141       0x41414141


Obviously the stack is smashed.
