From owner-freebsd-security Thu Jul 12 13: 6:20 2001
Message-ID: <001801c10b0e$1976d370$97625c42@alexus>
From: "alexus"
To: "Gabriel Rocha", "Mike Tancsa"
References: <001f01c10af7$9b42f120$97625c42@alexus> <5.1.0.14.0.20010712132715.035c48a0@marble.sentex.ca>
Subject: Re: FreeBSD 4.3 local root
Date: Thu, 12 Jul 2001 16:06:12 -0400
Organization: NexGen
Sender: owner-freebsd-security@FreeBSD.ORG

doesn't work for me on 4.2R

----- Original Message -----
From: "Mike Tancsa"
To: "Gabriel Rocha"
Sent: Thursday, July 12, 2001 1:28 PM
Subject: Re: FreeBSD 4.3 local root

>
> Is the program called vv or a.out ?
>
> As a non priv user, try this
>
> cp /bin/sh /tmp/sh
> gcc exploitcode.c -o vv
> ./vv
>
>
>         ---Mike
>
>
> At 01:29 PM 7/12/01 -0400, Gabriel Rocha wrote:
> >couple of points:
> >        1-It does not work for me;
> >
> >        FreeBSD lorax.neutraldomain.org 4.3-RELEASE FreeBSD
> >        4.3-RELEASE #0: Sat Jun 23 01:52:58 PDT 2001
> >        root@lorax.neutraldomain.org:/usr/src/sys/compile/lorax
> >        i386
> >
> >        2-At first I tried it with /tmp mounted no-exec (that's what I
> >        have in fstab) I thought that was why the exploit didn't work,
> >        remounted /tmp without the no-exec flag and tried again. It
> >        still does not work, it hangs for hours on end, this last
> >        iteration has been running for a couple days now and nothing has
> >        come of it.
> >
> >Ideas on why it doesn't work? --gabe
> >
> >
> >,----[ On Thu, Jul 12, at 01:25PM, alexus wrote: ]--------------
> >| is there any fix for that?
> >|
> >| > > about how long does the exploit run before giving you a root shell?
> >| >
> >| > Immediately. Shellcode calls /tmp/sh, not /bin/sh, so copy it to /tmp.
> >`----[ End Quote ]---------------------------
> >
> >--
> >
> >"It's not brave if you're not scared."
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message