Vulnerability Development mailing list archives
Re: suid scotty (ntping) overflow
From: "Larry W. Cashdollar" <lwc () Vapid dhs org>
Date: Wed, 13 Jun 2001 15:48:23 -0400 (EDT)
On Tue, 12 Jun 2001, KF wrote:
I am not sure that this made it on to the list the first time I sent it... so sorry if this is a duplicate
Well anyway here is an exploit I was toying with. Perhaps someone with better overflow skills can tweak it a bit. I got it to spit out a shell at various offsets; you can use the brute.pl script to automate the process. Tested on Mandrake 8.0.

I think the overflow occurs at line 643, that line is:

643: strcpy (tmp, hname);

where tmp is declared as char tmp [512]; and hname is char *hname; Perhaps changing line 643 to strncpy (tmp,hname,512) might be a better idea....

--
Larry W. Cashdollar
http://vapid.dhs.org
Attachment: ntping_exp.c
Attachment: brute.pl
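The post describes an unbounded strcpy of a hostname into a 512-byte stack buffer and proposes strncpy(tmp,hname,512) as the fix. The example below is added here and is not the poster's code or the scotty/ntping source: it shows a bounded copy that rejects oversize input, and it demonstrates the well-known caveat with the proposed strncpy fix, namely that strncpy does not NUL-terminate the destination when the source is 512 bytes or longer. The buffer size follows the post; the function names and the constructed hostnames are this example's own.

```c
/* Added example, not from the original post or from scotty/ntping.
 * Shows a bounded hostname copy and the strncpy termination caveat. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HNAME_BUF 512          /* matches "char tmp[512]" in the post */

/* Bounded copy: returns 0 on success, -1 if hname (plus its NUL) does not
 * fit in tmp_size bytes. The destination is always NUL-terminated and an
 * oversize input is rejected rather than silently truncated. */
int copy_hostname(char *tmp, size_t tmp_size, const char *hname)
{
    size_t len;
    if (tmp == NULL || hname == NULL || tmp_size == 0)
        return -1;
    len = strnlen(hname, tmp_size);
    if (len >= tmp_size) {     /* no room left for the terminating NUL */
        tmp[0] = '\0';
        return -1;
    }
    memcpy(tmp, hname, len + 1);
    return 0;
}

/* Constructs a hostname of exactly `len` characters (all 'h', a constructed
 * input) and copies it into a 512-byte buffer with copy_hostname().
 * Returns copy_hostname's result, or -2 if len exceeds the test limit. */
int try_hostname_of_length(size_t len)
{
    char tmp[HNAME_BUF];
    char name[HNAME_BUF + 128];
    if (len >= sizeof name)
        return -2;
    memset(name, 'h', len);
    name[len] = '\0';
    return copy_hostname(tmp, sizeof tmp, name);
}

/* Reproduces the suggested strncpy(tmp, hname, 512) on a constructed
 * hostname of `len` characters. Returns 1 if the destination ends up
 * NUL-terminated within 512 bytes, 0 if it does not. */
int strncpy_terminates(size_t len)
{
    char tmp[HNAME_BUF];
    char name[HNAME_BUF + 128];
    if (len >= sizeof name)
        return 0;
    memset(name, 'h', len);
    name[len] = '\0';
    memset(tmp, 'A', sizeof tmp);        /* poison so a missing NUL is visible */
    strncpy(tmp, name, sizeof tmp);
    return memchr(tmp, '\0', sizeof tmp) != NULL;
}

int main(void)
{
    printf("9-char hostname:      %d (0 = ok)\n", try_hostname_of_length(9));
    printf("511-char hostname:    %d (0 = ok)\n", try_hostname_of_length(511));
    printf("512-char hostname:    %d (-1 = rejected)\n", try_hostname_of_length(512));
    printf("strncpy, 511 chars:   terminated=%d\n", strncpy_terminates(511));
    printf("strncpy, 512 chars:   terminated=%d\n", strncpy_terminates(512));
    return 0;
}
```

The point of the second helper is that strncpy with the full buffer size stops the overflow but leaves a string with no terminator whenever the input is 512 bytes or longer, so any later strlen, printf("%s") or strcat on tmp reads past the buffer. Checking the length against the buffer size and failing on oversize input, as copy_hostname does, avoids both problems.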
Current thread:
- suid scotty (ntping) overflow KF (Jun 13)
- Re: suid scotty (ntping) overflow Larry W. Cashdollar (Jun 14)
- Re: suid scotty (ntping) overflow Larry W. Cashdollar (Jun 15)
- Re: suid scotty (ntping) overflow Larry W. Cashdollar (Jun 14)