From: Larry W. Cashdollar (lwc@vapid.dhs.org)
Date: Sun Feb 17 2002 - 11:01:11 CST


    Are you sure you didn't just crash the client? Which binary did gdb say
    the core file came from? telnet or telnetd?

    On 17 Feb 2002, Aramis Orlando wrote:

    >
    >
    > Well .. once again we proved that the coders are too
    > busy to look at their code...
    > I discovered a bug in telnetd...
    > what this :
    > ===============================================
    > [root@localhost telnet]# telnet 127.0.0.1 -l "`perl -e 'printf "A"x9000'`"
    > Trying 127.0.0.1...
    > Connected to localhost.localdomain (127.0.0.1).
    > Escape character is '^]'.
    > Segmentation fault (core dumped)
    > [root@localhost telnet]#
    > ===============================================
    > gdb output :
    > (gdb) info registers
    > eax 0x1 1
    > ecx 0x401eff00 1075773184
    > edx 0x807d398 134730648
    > ebx 0x401f19e4 1075780068
    > esp 0xbfffd3e8 0xbfffd3e8
    > ebp 0xbfffd410 0xbfffd410
    > esi 0x41414140 1094795584
    > edi 0x807d190 134730128
    > eip 0x40146df0 0x40146df0
    > eflags 0x10202 66050
    > cs 0x23 35
    > ss 0x2b 43
    > ds 0x2b 43
    > es 0x2b 43
    > fs 0x2b 43
    > gs 0x2b 43
    > fctrl 0x0 0
    > fstat 0x0 0
    > ftag 0x0 0
    > fiseg 0x0 0
    > fioff 0x0 0
    > foseg 0x0 0
    > fooff 0x0 0
    > fop 0x0 0
    > (gdb)
    > ========================================
    > but we can't write a local exploit because:
    > [root@localhost telnet]# ls -al `which telnet`
    > -rwxr-xr-x 1 root root 130956 Mar 30 2001 /usr/kerberos/bin/telnet
    > [root@localhost telnet]#
    > ========================================
    > --==Aramis==--
    >
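One way to triage a register dump like the one quoted above, as an added example that is not part of this thread: it parses gdb's `info registers` lines and flags registers whose bytes match the 0x41 ('A') fill, so that esi at 0x41414140 stands out while eip does not. The `>`-prefix handling and the three-of-four-bytes threshold are my assumptions, and the dump below is a constructed excerpt of the quoted one.

```python
import re

# Constructed excerpt laid out like the `info registers` dump quoted above.
SAMPLE_DUMP = """\
eax 0x1 1
ecx 0x401eff00 1075773184
edx 0x807d398 134730648
ebx 0x401f19e4 1075780068
esp 0xbfffd3e8 0xbfffd3e8
ebp 0xbfffd410 0xbfffd410
esi 0x41414140 1094795584
edi 0x807d190 134730128
eip 0x40146df0 0x40146df0
eflags 0x10202 66050
"""

# Accepts an optional mail-quote prefix ("> ") in front of each register line.
REG_LINE = re.compile(r"^\s*(?:>\s*)?([a-z]+)\s+(0x[0-9a-f]+)\s+\S+\s*$", re.I)


def parse_registers(dump):
    """Return {name: value} for every 'name 0xHEX raw' line in a gdb register dump."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1).lower()] = int(m.group(2), 16)
    return regs


def fill_bytes(value, fill, width=4):
    """Count how many of the register's bytes equal the fill byte (0x41 == 'A')."""
    return sum(1 for i in range(width) if (value >> (8 * i)) & 0xFF == fill)


def tainted_registers(regs, fill=0x41, min_bytes=3):
    """Registers whose contents look like the input fill. min_bytes=3 (an assumed
    threshold) tolerates a stray low byte such as the 0x40 in 0x41414140."""
    return {n: v for n, v in regs.items() if fill_bytes(v, fill) >= min_bytes}


def triage(dump, fill=0x41):
    """Summarise which registers carry the fill and whether the PC is among them."""
    tainted = tainted_registers(parse_registers(dump), fill)
    return {"tainted": sorted(tainted), "pc_controlled": "eip" in tainted}


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```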