Vulnerability Development mailing list archives
Re: vim bufferoverflow
From: elguapo <dotslash () snosoft com>
Date: Sun, 11 Nov 2001 20:39:19 -0500
Here's what the registers look like on OpenUnix8:

$ gdb -q /bin/vi
(no debugging symbols found)...
(gdb) run `perl -e 'print "A" x 9000'`
Starting program: /bin/vi `perl -e 'print "A" x 9000'`
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x8301c34 in malloc ()
(gdb) bt
#0  0x8301c34 in malloc ()
#1  0x83276fc in environ ()
(gdb) i r
eax            0x0         0
ecx            0x4         4
edx            0x8043a20   134494752
ebx            0x41414141  1094795585
esp            0x8043be8   0x8043be8
ebp            0x83276fc   0x83276fc
esi            0x41414149  1094795593
edi            0x800       2048
eip            0x8301c34   0x8301c34
eflags         0x10206     66054
cs             0x17        23
ss             0x1f        31
ds             0x1f        31
es             0x1f        31
fs             0x0         0
gs             0x0         0

-KF

Izik wrote:
> Hello, I've taken a closer look at this vim buffer overflow, and it seems that the data you input or pass through as an arg. has no effect on the ret (eip register) address. This means it can't be used to build an exploit for it. What does look weird is that part of the buffer is basically your current directory.
>
> [ my box ]
>
> (root@izik [~])# uname -a
> Linux izik 2.2.19 #93 Thu Jun 21 01:09:03 PDT 2001 i686 unknown
> (root@izik [~])# cat /etc/slackware-version
> 8.0.0 (åtta)
> (root@izik [~])#
>
> [ the overflow ]
>
> (gdb) r `perl -e 'print "A" x 9000'`
> Starting program: /usr/bin/vim `perl -e 'print "A" x 9000'`
> (no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x403b0434 in strcat (dest=0x810ee88 "/root/", 'A' <repeats 194 times>..., src=0x8100cb8 'A' <repeats 200 times>...) at ../sysdeps/generic/strcat.c:46
> 46      ../sysdeps/generic/strcat.c: No such file or directory.
> (gdb)
>
> izik @ http://www.tty64.org.
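Both backtraces point at the same pattern: a buffer that already holds the current directory has the argument appended to it with an unbounded strcat(), and the overrun trashes heap metadata so that a later malloc() faults. The following is an added illustration, not vim's code and not code from either poster. It reconstructs that pattern in miniature (the 256-byte buffer size, the "/root" directory and the helper names are constructed for the example) and puts the hardened form beside it: compute the required length first, reject input that does not fit, and format with a bounded call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed size for a "dir/name" buffer; not taken from vim. */
#define PATH_BUF_SIZE 256

/* Vulnerable pattern (do not call with untrusted input): nothing checks
 * that dir + "/" + name fits in the 256-byte allocation. A name of a few
 * thousand bytes, as in the thread, runs past the buffer and corrupts
 * whatever the allocator placed after it, which is why the crash shows up
 * inside malloc() rather than at the strcat() itself. */
char *unsafe_join_path(const char *dir, const char *name)
{
    char *buf = malloc(PATH_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, dir);   /* unbounded copy */
    strcat(buf, "/");   /* unbounded append */
    strcat(buf, name);  /* unbounded append: this is the overflow */
    return buf;
}

/* Hardened form: measure first, refuse anything that exceeds the limit,
 * allocate exactly what is needed and write with a bounded formatter.
 * Returns a freshly allocated string, or NULL if the pieces do not fit
 * or allocation fails. The caller owns the returned buffer. */
char *safe_join_path(const char *dir, const char *name, size_t limit)
{
    size_t dlen = strlen(dir);
    size_t nlen = strlen(name);

    /* Need dlen + 1 ('/') + nlen + 1 (NUL) <= limit, checked in an order
     * that cannot wrap size_t. */
    if (dlen > limit || nlen > limit - dlen || dlen + nlen + 2 > limit)
        return NULL;

    size_t need = dlen + nlen + 2;
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, need, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= need) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Returns 1 if safe_join_path() refuses a name of name_len 'A's under the
 * constructed 256-byte limit with "/root" as the directory, 0 otherwise. */
int rejects_long_name(size_t name_len)
{
    char *name = malloc(name_len + 1);
    if (name == NULL)
        return 0;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    char *p = safe_join_path("/root", name, PATH_BUF_SIZE);
    int rejected = (p == NULL);
    free(p);
    free(name);
    return rejected;
}

/* Returns 1 if joining dir and name under the limit yields expected. */
int joins_to(const char *dir, const char *name, const char *expected)
{
    char *p = safe_join_path(dir, name, PATH_BUF_SIZE);
    int ok = (p != NULL && strcmp(p, expected) == 0);
    free(p);
    return ok;
}

int main(void)
{
    printf("short name accepted: %d\n", joins_to("/root", "file.txt", "/root/file.txt"));
    printf("9000-byte name rejected: %d\n", rejects_long_name(9000));
    return 0;
}
```

With "/root" (5 bytes) and a 256-byte limit, a name of 249 bytes fits exactly (5 + 1 + 249 + 1 = 256) and a 250-byte name is refused; the 9000-byte argument from the thread is refused long before any copy happens. The same arithmetic is what an audit should look for around every strcat()/strcpy() into a buffer whose size was chosen before the untrusted length was known.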
Current thread:
- vim bufferoverflow Izik (Nov 11)
- Re: vim bufferoverflow elguapo (Nov 12)