Date: Thu, 12 Jul 2001 13:28:56 -0400 From: Mike Tancsa <mike@sentex.net> To: Gabriel Rocha <grocha@geeksimplex.org> Cc: security@freebsd.org Subject: Re: FreeBSD 4.3 local root Message-ID: <5.1.0.14.0.20010712132715.035c48a0@marble.sentex.ca> In-Reply-To: <20010712132953.C1020@geeksimplex.org> References: <001f01c10af7$9b42f120$97625c42@alexus>
next in thread | previous in thread | raw e-mail | index | archive | help
Is the program called vv or a.out ?
As a non priv user, try this
cp /bin/sh /tmp/sh
gcc exploitcode.c -o vv
./vv
---Mike
At 01:29 PM 7/12/01 -0400, Gabriel Rocha wrote:
>couple of points:
> 1-It does not work for me;
>
> FreeBSD lorax.neutraldomain.org 4.3-RELEASE FreeBSD
> 4.3-RELEASE #0: Sat Jun 23 01:52:58 PDT 2001
> root@lorax.neutraldomain.org:/usr/src/sys/compile/lorax
> i386
>
> 2-At first I tried it with /tmp mounted no-exec (thats what i
> have in fstab) I thought that was why the exploit didnt work,
> remounted /tmp without the no-exec flag and tried again. It
> still does not work, it hangs for hours on end, this last
> iteration has been running for a couple days now and nothing has
> come of it.
>
>Ideas on why it doesnt work? --gabe
>
>
>,----[ On Thu, Jul 12, at 01:25PM, alexus wrote: ]--------------
>| is there any fix for that?
>|
>| > > about how long does the exploit run before giving you a root shell?
>| >
>| > Immediately. Shellcode calls /tmp/sh, not /bin/sh, so copy it to /tmp.
>`----[ End Quote ]---------------------------
>
>--
>
>"It's not brave if you're not scared."
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20010712132715.035c48a0>