Vulnerability Development mailing list archives
Re: GNU sharutils 4.2.1 PoC
From: Vade 79 <v9 () fakehalo deadpig org>
Date: 9 Apr 2004 21:38:57 -0000
In-Reply-To: <200404091202.i39C21sr051841 () mailserver1 hushmail com>
below are some details ->

[sharutils-4.2.1/src/shar.c]
..
static char output_base_name[50];
..
    case 'o':
      strcpy (output_base_name, optarg);
..

sam@slackware:~$ /usr/bin/shar -o `perl -e 'print "a" x 4000'`
Segmentation fault

...looked at this program a while ago, the same buffer also gets used as a format string later on... you can abuse it that way if you like...

static void
open_output ()
{
  sprintf (output_filename, output_base_name, ++part_number);
  output = fopen (output_filename, "w");
  if (!output)
    error (EXIT_FAILURE, errno, _("Opening `%s'"), output_filename);
}

...although, you can get this program to execute code all over the place (non-memory corruption)... not that it's a real threat, if it's just for fun i get it. a better method is to create a trojan'd archive for it to 'unshar'... which is quite doable.
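
A bounded form of the two calls quoted in this message (the strcpy into output_base_name and the sprintf that uses it as a format), as an added example that is not code from the post or from sharutils. The function names, the 64-byte output_filename size and the rule of allowing at most one %d/%i conversion are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

static char output_base_name[50];   /* same size as in the quoted shar.c */
static char output_filename[64];    /* assumed size, not shown in the post */

/* Allow literal text, "%%", and at most one %d/%i with up to 3 flag/width
   digits. Anything else (%s, %n, %x, a trailing '%') is rejected. */
static int base_name_format_ok(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;
        for (int digits = 0; *p >= '0' && *p <= '9'; p++)
            if (++digits > 3)
                return 0;
        if ((*p != 'd' && *p != 'i') || ++conversions > 1)
            return 0;
    }
    return 1;
}

/* Replaces strcpy(output_base_name, optarg): length and format are checked
   before anything is copied. Returns 0 on success, -1 on rejection. */
static int set_output_base_name(const char *arg)
{
    size_t len = strlen(arg);
    if (len >= sizeof output_base_name || !base_name_format_ok(arg))
        return -1;
    memcpy(output_base_name, arg, len + 1);
    return 0;
}

/* Replaces the sprintf in open_output(): bounded, and truncation is an error. */
static int build_output_filename(int part_number)
{
    int n = snprintf(output_filename, sizeof output_filename,
                     output_base_name, part_number);
    return (n < 0 || (size_t)n >= sizeof output_filename) ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || set_output_base_name(argv[1]) != 0
        || build_output_filename(1) != 0)
        return 1;
    puts(output_filename);
    return 0;
}
```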