Full Disclosure mailing list archives

Re: /usr/bin/trn local root exploit


From: Frank Thyes <thyes () gmx net>
Date: Wed, 26 Jan 2005 13:41:11 +0100

+++ Z z a g o r R [Wed, Jan 26, 2005 at 09:27:28AM CET]:
/*
/usr/bin/trn local root exploit
By ZzagorR - http://www.rootbinbash.com
*/
/*
sh-2.05b$ ./trn
 usage   : ./trn ret buf
 example : ./trn 0xbfffff64
 [+] mandrake   9.2  = 0xbfffff96
 [+] slackware 10.0.0= 0xbfffff98
 [+] slackware  9.1.0= 0xbfffff84
sh-2.05b$
sh-2.05b$ ./trn 0xbfffff84 128
 [BOO  %] 128
 [RET  %] bfffff84
sh-2.05b#
sh-2.05b# id
 uid=0(root) gid=98(nobody) groups=98(nobody)

I didn't understand how you will get root? AFAIK trn isn't suid. I
didn't have Mandrake or another Linux here so I can't test it.

Please explain.

Regards
Frank

-- 
In the beginning was the word and the word was content-type: text/plain
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html