Vulnerability Development mailing list archives
Re: telnet overflow
From: "Larry W. Cashdollar" <lwc () vapid dhs org>
Date: Sun, 17 Feb 2002 12:01:11 -0500 (EST)
Are you sure you didn't just crash the client? Which binary did gdb say the core file came from? telnet or telnetd?

On 17 Feb 2002, Aramis Orlando wrote:
> Well .. once again we proved that the coders are too busy to look at their code... I discovered a bug on telnetd... watch this:
>
> ===============================================
> [root@localhost telnet]# telnet 127.0.0.1 -l "`perl -e 'printf "A"x9000'`"
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> Segmentation fault (core dumped)
> [root@localhost telnet]#
> ===============================================
>
> gdb output :
>
> (gdb) info registers
> eax            0x1              1
> ecx            0x401eff00       1075773184
> edx            0x807d398        134730648
> ebx            0x401f19e4       1075780068
> esp            0xbfffd3e8       0xbfffd3e8
> ebp            0xbfffd410       0xbfffd410
> esi            0x41414140       1094795584
> edi            0x807d190        134730128
> eip            0x40146df0       0x40146df0
> eflags         0x10202          66050
> cs             0x23             35
> ss             0x2b             43
> ds             0x2b             43
> es             0x2b             43
> fs             0x2b             43
> gs             0x2b             43
> fctrl          0x0              0
> fstat          0x0              0
> ftag           0x0              0
> fiseg          0x0              0
> fioff          0x0              0
> foseg          0x0              0
> fooff          0x0              0
> fop            0x0              0
> (gdb)
> ===============================================
>
> but we can't write a local exploit because :
>
> [root@localhost telnet]# ls -al `which telnet`
> -rwxr-xr-x    1 root     root       130956 Mar 30  2001 /usr/kerberos/bin/telnet
> [root@localhost telnet]#
> ===============================================
>
> --==Aramis==--
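A small triage helper, added here as an example and not part of the thread, that checks the two points Larry raises against the session quoted above: which foreground command the shell reported the segfault for (a "Segmentation fault" line from an interactive shell belongs to its foreground job, here the telnet client, not to a daemon spawned by inetd), and which registers in the dump consist of the 0x41 fill byte from the 9000-byte argument. The session text and register values are re-typed from the post as constructed sample data.

```python
import re

# Constructed sample: the shell session and gdb register dump quoted in
# the thread, re-typed here (not read from a live core file).
SHELL_SESSION = """\
[root@localhost telnet]# telnet 127.0.0.1 -l "`perl -e 'printf "A"x9000'`"
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
Segmentation fault (core dumped)
[root@localhost telnet]#
"""

GDB_REGISTERS = """\
eax 0x1 1
ecx 0x401eff00 1075773184
edx 0x807d398 134730648
ebx 0x401f19e4 1075780068
esp 0xbfffd3e8 0xbfffd3e8
ebp 0xbfffd410 0xbfffd410
esi 0x41414140 1094795584
edi 0x807d190 134730128
eip 0x40146df0 0x40146df0
"""

# Matches a bash-style "[user@host dir]# command" prompt line.
PROMPT = re.compile(r"^\[.*?\]# ?(.*)$")

def faulting_command(session):
    """Return the program the shell reported a segfault for (the last
    foreground command before the fault line), or None."""
    last_cmd = None
    for line in session.splitlines():
        m = PROMPT.match(line)
        if m and m.group(1):
            last_cmd = m.group(1)
        elif line.startswith("Segmentation fault") and last_cmd:
            return last_cmd.split()[0]
    return None

def registers_filled_with(dump, fill=0x41, min_bytes=3):
    """Map register name -> number of its four bytes equal to `fill`, for
    registers where at least `min_bytes` match; such a register shows the
    crash state was derived from the long input."""
    hits = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].startswith("0x"):
            continue
        value = int(parts[1], 16)
        count = sum(1 for i in range(4) if ((value >> (8 * i)) & 0xFF) == fill)
        if count >= min_bytes:
            hits[parts[0]] = count
    return hits
```

Running the two functions on the sample reports the fault against `telnet`, the client, and flags only `esi` (three of four bytes are 0x41), which is what the quoted dump shows.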