From owner-freebsd-security Thu Jul 12 10:34:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4])
	by hub.freebsd.org (Postfix) with ESMTP id 82BB837B403
	for ; Thu, 12 Jul 2001 10:34:50 -0700 (PDT)
	(envelope-from mike@sentex.net)
Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47])
	by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f6CHYbM18435;
	Thu, 12 Jul 2001 13:34:37 -0400 (EDT)
	(envelope-from mike@sentex.net)
Message-Id: <5.1.0.14.0.20010712132715.035c48a0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 12 Jul 2001 13:28:56 -0400
To: Gabriel Rocha
From: Mike Tancsa
Subject: Re: FreeBSD 4.3 local root
Cc: security@freebsd.org
In-Reply-To: <20010712132953.C1020@geeksimplex.org>
References: <001f01c10af7$9b42f120$97625c42@alexus>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is the program called vv or a.out? As a non priv user, try this

cp /bin/sh /tmp/sh
gcc exploitcode.c -o vv
./vv

        ---Mike

At 01:29 PM 7/12/01 -0400, Gabriel Rocha wrote:
>couple of points:
>         1-It does not work for me;
>
>         FreeBSD lorax.neutraldomain.org 4.3-RELEASE FreeBSD
>         4.3-RELEASE #0: Sat Jun 23 01:52:58 PDT 2001
>         root@lorax.neutraldomain.org:/usr/src/sys/compile/lorax
>         i386
>
>         2-At first I tried it with /tmp mounted no-exec (that's what I
>         have in fstab) I thought that was why the exploit didn't work,
>         remounted /tmp without the no-exec flag and tried again. It
>         still does not work, it hangs for hours on end, this last
>         iteration has been running for a couple days now and nothing has
>         come of it.
>
>Ideas on why it doesn't work? --gabe
>
>
>,----[ On Thu, Jul 12, at 01:25PM, alexus wrote: ]--------------
>| is there any fix for that?
>|
>| > > about how long does the exploit run before giving you a root shell?
>| >
>| > Immediately. Shellcode calls /tmp/sh, not /bin/sh, so copy it to /tmp.
>`----[ End Quote ]---------------------------
>
>--
>
>"It's not brave if you're not scared."
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message