Re: GNU sharutils 4.2.1 PoC
From: Vade 79 (v9 fakehalo.deadpig.org)
Date: Fri Apr 09 2004 - 16:38:57 CDT
In-Reply-To: <200404091202.i39C21sr051841 mailserver1.hushmail.com>
>below are some details ->
>
>[sharutils-4.2.1/src/shar.c]
>..
>
>static char output_base_name[50];
>
>..
> case 'o':
> strcpy (output_base_name, optarg);
>
>..
>
>sam slackware:~$ /usr/bin/shar -o `perl -e 'print "a" x 4000'`
>Segmentation fault
...looked at this program a while ago, the same buffer also gets used as a format string later on... you can abuse it that way if you like...
static void
open_output ()
{
  sprintf (output_filename, output_base_name, ++part_number);
  output = fopen (output_filename, "w");
  if (!output)
    error (EXIT_FAILURE, errno, _("Opening `%s'"), output_filename);
}
...although, you can get this program to execute code all over the place (non-memory corruption)... not that it's a real threat, if it's just for fun I get it. A better method is to create a trojan'd archive for it to 'unshar'... which is quite doable.
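
Added example, not part of the original post and not sharutils code: a bounded replacement for the two quoted calls, the strcpy() into the 50-byte output_base_name and the sprintf() that uses that buffer as its format. The function names, the 64-byte output buffer and the fixed "%s.%02d" part-naming scheme are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BASE_MAX 50   /* same size as output_base_name[50] in the quoted shar.c */

static char base_name[BASE_MAX];

/* Hypothetical stand-in for strcpy (output_base_name, optarg):
   an over-long argument is rejected instead of overrunning the buffer. */
int set_base_name(const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= sizeof base_name)
        return -1;                      /* would not fit with its NUL terminator */
    memcpy(base_name, arg, n + 1);
    return 0;
}

/* Hypothetical stand-in for sprintf (output_filename, output_base_name, ...):
   the format is a constant, so the user-supplied name is only ever data
   passed to %s and any '%' in it is copied literally.
   The ".%02d" suffix is an assumed naming scheme. */
int make_part_name(char *dst, size_t dstsz, int part)
{
    int n = snprintf(dst, dstsz, "%s.%02d", base_name, part);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;                      /* truncated: refuse rather than open a wrong file */
    return n;
}

int main(void)
{
    char long_arg[4001], out[64];

    memset(long_arg, 'a', 4000);        /* constructed input, same length as in the report */
    long_arg[4000] = '\0';
    printf("4000-byte name accepted? %d\n", set_base_name(long_arg));

    /* constructed input containing conversion specifiers */
    printf("name with %% accepted?   %d\n", set_base_name("archive%s%x"));
    if (make_part_name(out, sizeof out, 1) > 0)
        puts(out);
    return 0;
}
```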