Date: Thu, 12 Jul 2001 13:28:56 -0400 From: Mike Tancsa <mike@sentex.net> To: Gabriel Rocha <grocha@geeksimplex.org> Cc: security@freebsd.org Subject: Re: FreeBSD 4.3 local root Message-ID: <5.1.0.14.0.20010712132715.035c48a0@marble.sentex.ca> In-Reply-To: <20010712132953.C1020@geeksimplex.org> References: <001f01c10af7$9b42f120$97625c42@alexus>
next in thread | previous in thread | raw e-mail | index | archive | help
Is the program called vv or a.out ? As a non priv user, try this cp /bin/sh /tmp/sh gcc exploitcode.c -o vv ./vv ---Mike At 01:29 PM 7/12/01 -0400, Gabriel Rocha wrote: >couple of points: > 1-It does not work for me; > > FreeBSD lorax.neutraldomain.org 4.3-RELEASE FreeBSD > 4.3-RELEASE #0: Sat Jun 23 01:52:58 PDT 2001 > root@lorax.neutraldomain.org:/usr/src/sys/compile/lorax > i386 > > 2-At first I tried it with /tmp mounted no-exec (thats what i > have in fstab) I thought that was why the exploit didnt work, > remounted /tmp without the no-exec flag and tried again. It > still does not work, it hangs for hours on end, this last > iteration has been running for a couple days now and nothing has > come of it. > >Ideas on why it doesnt work? --gabe > > >,----[ On Thu, Jul 12, at 01:25PM, alexus wrote: ]-------------- >| is there any fix for that? >| >| > > about how long does the exploit run before giving you a root shell? >| > >| > Immediately. Shellcode calls /tmp/sh, not /bin/sh, so copy it to /tmp. >`----[ End Quote ]--------------------------- > >-- > >"It's not brave if you're not scared." > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20010712132715.035c48a0>