Buffer overflow analysis
Date added: 07/29/2008   Date published: 07/29/2008
 
1. Synopsis

On http://www.hack.co.za/ I saw a /usr/bin/man exploit written by Kil3r of the Lam3rZ group, aimed at
Red Hat 6.1 (and others). After downloading it I compiled and ran it directly, and the attack did not succeed.
Note that the original exploit was written for a non-executable stack environment, whereas my test host
had not been patched with a non-executable stack or anything of the kind. In fact, buffer overflow techniques
aimed at a non-executable stack environment can equally be used in a "conventional" environment, so I give
a complete description of this attack here, offering a few ordinary introductory remarks so that others may
contribute their more valuable ideas, at the risk of embarrassing myself.

2. Question description

/usr/bin/man uses the MANPAGER environment variable; see man man for the details of this variable.
When MANPAGER is set to an overly long string, /usr/bin/man suffers a buffer overflow.

[scz@ /home/scz/src] > export MANPAGER=`perl -e 'print "A" x1'`
[scz@ /home/scz/src] > man ls
sh: A: command not found
Error executing formatting or display command.
System command (cd /usr/man; (echo -e ".ll 9.9i\n.pl 1100i";
/bin/cat /usr/man/man1/ls.1; echo ".pl \n(nlu+10") | /usr/bin/gtbl |
/usr/bin/groff -Tlatin1 -mandoc | A) exited with status 127.
No manual entry for ls            ^
[scz@ /home/scz/src] >            |
                                  ------<------ Note: this is the MANPAGER variable

Note that the command finally pipes its output through '|' to the program named by the MANPAGER variable.

We repeat the same operation, steadily increasing the length of the MANPAGER variable until an overflow occurs. Using "bisection"
we quickly determine that the smallest length is 3945: at that length the buffer overflows and causes a segmentation fault.

[scz@ /home/scz/src] > export MANPAGER=`perl -e 'print "A" x3945'`
[scz@ /home/scz/src] > man ls
sh: A…A: command not found
Error executing formatting or display command.
System command (cd /usr/man; (echo -e ".ll 9.9i\n.pl 1100i";
/bin/cat /usr/man/man1/ls.1; echo ".pl \n(nlu+10") | /usr/bin/gtbl |
/usr/bin/groff -Tlatin1 -mandoc | A…A) exited with status 127.
Segmentation fault      <------ A segmentation fault occurs here; usually a pointer has accessed an illegal
[scz@ /home/scz/src] >          address, very likely because some function's return address has been overwritten
[scz@ /home/scz/src] > unset MANPAGER   <------ Remove the environment variable here to restore normal operation
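The bisection the article performs by hand, written out as a crash-triage harness. This is an added example, not the article's code: the self-test uses a constructed stand-in for /usr/bin/man that "crashes" at the article's threshold of 3945, and the optional real probe assumes a POSIX system where the target program honours the variable being varied.

```python
"""Bisection search for the smallest environment-variable length that makes a
program die of SIGSEGV, as the article does by hand for MANPAGER.
Added example, not the article's code."""
import os
import signal
import subprocess
from typing import Callable, Optional


def crashes_under_env(argv, var, length, timeout=10):
    """Run argv with var set to 'A' * length; True if the child died of SIGSEGV.
    An exit status such as 127 ('command not found') is not a crash."""
    env = dict(os.environ, **{var: "A" * length})
    try:
        proc = subprocess.run(argv, env=env, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return False
    # subprocess reports death by signal N as returncode -N (POSIX only)
    return proc.returncode == -signal.SIGSEGV


def min_crash_length(probe: Callable[[int], bool], lo: int, hi: int) -> Optional[int]:
    """Smallest n in [lo, hi] with probe(n) True, assuming crashing is monotonic
    in length (once it crashes, every longer string crashes too).
    Returns None when even hi does not crash."""
    if not probe(hi):
        return None
    if probe(lo):
        return lo
    # invariant: probe(lo) is False, probe(hi) is True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            hi = mid
        else:
            lo = mid
    return hi


def simulated_target(threshold: int = 3945) -> Callable[[int], bool]:
    """Constructed stand-in for /usr/bin/man: 'crashes' once the string reaches
    the length the article measured (3945)."""
    return lambda n: n >= threshold


if __name__ == "__main__":
    print(min_crash_length(simulated_target(), 1, 8192))  # 3945
    # Against a real binary, if installed (e.g. to confirm a patched build no longer crashes):
    # print(min_crash_length(lambda n: crashes_under_env(["man", "ls"], "MANPAGER", n), 1, 8192))
```

Each probe is one full run of the target, so the search costs about log2(hi - lo) runs instead of one per candidate length.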

3. Attack approach

Suppose for now that the /usr/bin/man implementation reads the MANPAGER variable into a buffer, and because it has not done
