Bugtraq mailing list archives
glibc/locale sploit for ImmunixOS
From: Mariusz Woloszyn <emsi () IPARTNERS PL>
Date: Tue, 19 Sep 2000 23:15:18 +0200
I just developed the first publicly known sploit that bypasses StackGuard protection in the real world. I decided to publish it as the patch for glibc ImmunixOS is out. It's also the proof of concept described about a year ago in our (my and Bulba's) Phrack article published in May this year:

http://phrack.infonexus.com/search.phtml?view&article=p56-5

The sploit is as simple as possible; it does not take any arguments and produces a shell with euid==0. All addresses are fixed (stack and env). The exploiting string overwrites the exit() GOT entry and makes it point to our shellcode (it's sufficient if the stack is executable), just like we described it in the Phrack article a long time ago :)

The exploit won't work if glibc is patched. ImmunixOS patched glibc can be found at http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/:

glibc-2.1.3-21_StackGuard.i386.rpm
glibc-devel-2.1.3-21_StackGuard.i386.rpm
glibc-profile-2.1.3-21_StackGuard.i386.rpm
nscd-2.1.3-21_StackGuard.i386.rpm

I would like to remind you that by using StackGuarded binaries you're still adding an extra security level that can be bypassed ONLY under certain circumstances!

Greetings go to all the best Polish security specialists!

Regards,
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland
Attachment: 33_su.c
Current thread:
- glibc/locale exploit for linux/x86 Warning3 (Sep 06)
- Re: glibc/locale exploit for linux/x86 Olaf Kirch (Sep 07)
- Re: glibc/locale exploit for linux/x86 Raúl Saura (Sep 07)
- glibc/locale sploit for ImmunixOS Mariusz Woloszyn (Sep 20)