Re: Digital Unix 4.0 exploitable buffer overflows

[gang_w () goselecttech com (GANG WANG)]

Here is what I got.

% uname -a
OSF1 xxx V4.0 878 alpha
% head -1 /etc/motd
Digital UNIX V4.0D  (Rev. 878); Tue Jul  7 08:39:27 EDT 1998
% ls -l /usr/bin/mh/inc
-rws--x--x   1 root     bin        73728 Dec 30  1997 /usr/bin/mh/inc*

% /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8167'` foo
Word too long.
% /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 2040'` foo
inc: usage: inc [+folder] [switches]
% /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 2048'` foo
Word too long.

Seems this inc bug has been fixed already.

-----Original Message-----
From: Larry W. Cashdollar <lwcashd () TROUT BIW COM>
To: BUGTRAQ () NETSPACE ORG <BUGTRAQ () NETSPACE ORG>
Date: Wednesday, January 27, 1999 9:40 AM
Subject: Re: Digital Unix 4.0 exploitable buffer overflows


> I decided to inspect this a little more on a Digital unix box I had access
too.
> alpha>> uname -a
> OSF1 xxx V4.0 878 alpha
> alpha>> head -1 /etc/motd
> Digital UNIX V4.0D  (Rev. 878); Tue Jul  7 08:39:27 EDT 1998
> alpha>> ls -l /usr/bin/mh/inc
> -rws--x--x   1 root     bin        73728 Dec 29  1997 /usr/bin/mh/inc*
>
> alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8169'` foo
> Segmentation fault
> alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8168'` foo
> Illegal instruction
> alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8167'` foo
> Segmentation fault
> alpha>> /usr/bin/mh/inc +foo -audit `perl -e 'print "a" x 8166'` foo
> inc: usage: inc [+folder] [switches]
>
> We see at 8168 a's we have overflowed the return address.  If I wasnt
married
> I could probably follow this up with the exploit.  Just a little nop
padding and
> I think it would be the perfect example of a buffer overflow exploit.
>
>
> -- Larry W. Cashdollar