Re: /usr/bin/ddate buffer overflow

["enthh () FLASH NET" <enthh () FLASH NET>]

# gdb -c core /usr/bin/ddate
(gdb) info registers esp

This will give you the esp, and from there, you can brute force the offset
until it drops you a shell.

jumping 0xbffff717 off: 0
bash#

0xbffff717 would be the ret address you are looking for (ie: it dropped you
a bash shell). I believe it was an offset of -3128 from the esp, although I
may be wrong.

----- Original Message -----
From: "Strange" <strange () ec rr com>
To: <enthh () FLASH NET>
Sent: 10 February, 2001 10:22 PM
Subject: Re: /usr/bin/ddate buffer overflow


> I'm pretty new to this, but how did you find the ret address or ddate? I
used
> gdb and read a few tutorials, but even with those tools I wasn't able to
find
> the ret address. I'd be very greatful if you could help me out. Thanks.
>
> Strange.
>
>
> On Saturday 10 February 2001 17:31, you wrote:
>
> > > no, although out of boredom, heres an exploit
> >
> > ----- Original Message -----
> > From: "Blue Boar" <BlueBoar () THIEVCO COM>
> > To: <VULN-DEV () SECURITYFOCUS COM>
> > Sent: 10 February, 2001 3:17 PM
> > Subject: Re: /usr/bin/ddate buffer overflow
> >
> > > Are any of these setuid?
> > >
> > > BB
> > >
> > > SosPiro wrote:
> > > > I found a buffer overflow in /usr/bin/ddate (version unknown)
"converts
> > > > Gregorian dates to Discordian dates.."
> > > > I tested it on my Linux Box (RedHat 6.2)
> > > > Look at this:
> > > >
> > > > #ddate +AAAA...x 408
> > > > Segmentation Fault (core dumped)
> > > >
> > > > sospiro
>
> ----------------------------------------
> Content-Type: application/octet-stream; charset="iso-8859-1";
name="ddate.c"
> Content-Transfer-Encoding: quoted-printable
> Content-Description:
> ----------------------------------------