In poking around, I discovered it's possible to bus-error /usr/bin/ps
on Solaris 2.5.1. (Not certain if any patches affecting ps have been
applied to the system I discovered this on.)
Giving "-u" a suitably large argument produces the bus error. I've not
yet managed to exploit it. Here's my analysis so far:
user arg >9 chars: null termination lost, extra garbage in error msg.
user arg >32 chars: ps gets completely confused about commandline and
prints generic usage information.
user arg >95 chars: ps starts segmentation faulting.
user arg >100 chars: ps starts bus-erroring.
(This is using a commandline of the form 'ps -u aaaaa....aaaa'.)
It appears from this that the return address is at offset 96. Now it's
just a matter of someone digging out the generic Solaris 'sploit and
tuning 'er up.
--Joe
--
+--------------Joseph Zbiciak--------------+
|- - - - - jzbiciak@micro.ti.com - - - - -|
| - - http://ee1.bradley.edu/~im14u2c/ - - |   Not your average "Joe."
|- - - - Texas Instruments, Dallas - - - -|
+-------#include <std_disclaimer.h>--------+