Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat

[gang_w () goselecttech com (GANG WANG)]

Things are a little different on Solaris 2.6 Sparc. lpstat only
accepts a buffer which doesn't contain \x20,\x0a or \x3b.
Can sb teach me how to write a shellcode on solaris sparc
without those charaters? I feel that I'm so stupid:-(

G.

-----Original Message-----
From: plasmoid deep/thc/clb <plasmoid () PIMMEL COM>
To: BUGTRAQ () NETSPACE ORG <BUGTRAQ () NETSPACE ORG>
Date: Wednesday, January 27, 1999 11:16 AM
Subject: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat


> On Aug/25/98 Sun released the following patches for lp:
>
> Solaris2.6 Sparc: 106235-02
> Solaris2.6 x86:   106236
>
> It is quite sad, that they did not fix another overflow in
> /usr/bin/lpstat. I testified this bug on either Solaris 2.7 x86
> and 2.6 Sparc, I assume that it is also present on Solaris 2.6
> x86 and 2.7 Sparc.
>
> Solaris 2.7 x86
> % plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
> % UX:lpstat: ERROR: Class
>                    [...]
> %                   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
> %                   not exist.
> %           TO FIX: Use the "lpstat -c all" command to list
> %                   all known classes.
> % Segmentation Fault
> % plasmoid@gorkie:foo>
>
> Solaris 2.6 Sparc
> % plasmoid@bock:foo> lpstat -c `perl -e 'print "AAAA" x 250'`
> % UX:lpstat: ERROR: Class
>                    [...]
> %                   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does not
> %                   exist.
> %          TO FIX: Use the "lpstat -c all" command to list
> %                  all known classes.
> % Segmentation Fault
> % plasmoid@bock:foo>
>
> This overflow is definitly exploitable, i attached the exploit for
> Solaris x86. Quality patches for all Solaris versions can be obtained
> from www.hert.org, a fast security source.
>
> plasmoid deep/thc/clb
> http://thc.inferno.tusculum.edu