- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 19039
- Проверка EDB
-
- Пройдено
- Автор
- ANONYMOUS
- Тип уязвимости
- REMOTE
- Платформа
- BSD
- CVE
- null
- Дата публикации
- 1988-10-01
Код:
source: https://www.securityfocus.com/bid/2/info
fingerd is a remote user information server that implements
the protocol defined in RFC742. There exists a buffer
overflow in finderd that allows a remote attacker to execute
any local binaries.
finderd reads input from its socket using the gets()
standard C library call passing it a 512-byte automatic
buffer allocated in main(). gets() reads the input and
stores it into the buffer without performing any bounds
checking. This results in a standard stack buffer
overflow when main() return.
The Internet Worm used a string of 536 bytes to
overflow the input buffer of fingerd on the VAX. The
VAX machine code it used was:
pushl $68732f 'sh\0'
pushl $6e69622f '/bin'
movl sp, r10
pushl $0
pushl $0
pushl r10
pushl $3
movl sp, ap
chmk $3b
This code executed execve("/bin/sh", 0, 0).- Источник
- www.exploit-db.com
