Re: GNU sharutils 4.2.1 PoC

[Vade 79 <v9 () fakehalo deadpig org>]

In-Reply-To: <200404091202.i39C21sr051841 () mailserver1 hushmail com>

> below are some details ->
>
> [sharutils-4.2.1/src/shar.c]
> ..
>
> static char output_base_name[50];
>
> ..
>      case 'o':
>        strcpy (output_base_name, optarg);
>
> ..
>
> sam@slackware:~$ /usr/bin/shar -o `perl -e 'print "a" x 4000'`
> Segmentation fault

...looked at this program awhile ago, the same buffer also gets used as a format string later on... you can abuse it 
that way if you like...

static void
open_output ()
{
  sprintf (output_filename, output_base_name, ++part_number);
  output = fopen (output_filename, "w");
  if (!output)
    error (EXIT_FAILURE, errno, _("Opening `%s'"), output_filename);
}

...although, you can get this program to execute code all over the place(non-memory corruption)...not that its a real 
threat, if its just for fun i get it.  a better method is to create a trojan'd archive for it to 'unshar'...which is 
quite doable.