Vulnerability Development mailing list archives
Re: VIM Buffer Overflow
From: KF <dotslash () snosoft com>
Date: Fri, 15 Feb 2002 17:23:12 -0500
I found this a while back and there was a whole non-suid overflow discussion over it...

http://www.security-focus.com/cgi-bin/archive.pl?id=82&start=2002-02-13&end=2002-02-19&threads=1&tid=189062

-KF

Aramis Orlando wrote:
==========================================
= VI Overflow Tested in RedHat 7.0/7.1/7.2 =
=----------------------------------------=
= Author: Andrew Tofan                   =
=----------------------------------------=
= Email: aramis () easynet ro            =
=----------------------------------------=
==========================================

I've found a problem in vi, which is located in /bin/vi. Here are some tests I've made in << VIM version 5.7.8 >>. Take a look at my test:

[root@softly /root]# vi -t "`perl -e 'printf "A"x9000'`"
[root@softly /root]# gdb vi core

gdb output:
==========
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libtermcap.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libtermcap.so.2
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x80644a7 in strcpy () at ../sysdeps/generic/strcpy.c:31
31      ../sysdeps/generic/strcpy.c: No such file or directory.

Then take a look at the registers:
====================================
(gdb) info registers
eax            0x41414141       1094795585
ecx            0x41414141       1094795585
edx            0x1      1
ebx            0x1      1
esp            0xbfffd1c4       0xbfffd1c4
ebp            0xbfffd1dc       0xbfffd1dc
esi            0x41414141       1094795585
edi            0x0      0
eip            0x80644a7        0x80644a7
eflags         0x10206  66054
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
fctrl          0x0      0
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0

I didn't waste my time writing an exploit because of this:
-rwxr-xr-x    1 root     root       361852 Aug  7  2000 /bin/vi

--==Aramis==--
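The crash Aramis reports, strcpy() dying on a 9000-byte -t argument with 0x41414141 in the registers, is the classic unbounded copy of argv data into a fixed-size buffer. The C below is added here for illustration and is not from either message or from Vim's source: TAG_MAX, copy_tag_unsafe and copy_tag_safe are hypothetical names assumed for the demonstration, and the bounded version refuses an oversized tag name instead of running off the end of the buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size tag buffer; the report's strcpy() crash implies one like it. */
#define TAG_MAX 256

/* The pattern behind the crash: argv data copied into a fixed buffer with no bound.
   Shown for contrast only; nothing here calls it. */
void copy_tag_unsafe(char dst[TAG_MAX], const char *tag)
{
    strcpy(dst, tag);   /* writes past dst once strlen(tag) >= TAG_MAX */
}

/* Hardened form: refuse any tag that does not fit, terminator included. */
int copy_tag_safe(char dst[TAG_MAX], const char *tag)
{
    const char *nul = memchr(tag, '\0', TAG_MAX);   /* looks at most TAG_MAX bytes */
    if (nul == NULL) {
        dst[0] = '\0';
        return -1;      /* oversize: caller reports an error instead of crashing */
    }
    memcpy(dst, tag, (size_t)(nul - tag) + 1);       /* copies the NUL as well */
    return 0;
}

/* 1 if `tag` is accepted and lands in the buffer unchanged, else 0. */
int copied_intact(const char *tag)
{
    char buf[TAG_MAX];
    return copy_tag_safe(buf, tag) == 0 && strcmp(buf, tag) == 0;
}

/* Replays the report's input, a run of `len` 'A' bytes (constructed sample):
   1 if the bounded copy rejects it, 0 if it accepts it, -1 on allocation failure. */
int long_tag_rejected(size_t len)
{
    char buf[TAG_MAX];
    char *t = malloc(len + 1);
    if (t == NULL) return -1;
    memset(t, 'A', len);
    t[len] = '\0';
    int rejected = copy_tag_safe(buf, t) != 0;
    free(t);
    return rejected;
}
```

The same bound check belongs anywhere a command-line or file-derived string meets a fixed buffer; for a non-setuid binary like the /bin/vi listed above the impact is a crash of the invoking user's own process, which is why the thread treats it as a robustness bug rather than a privilege boundary.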