[19986] in bugtraq
Re: .. ptrace improvement
daemon@ATHENA.MIT.EDU (Brian Parris)
Mon Apr 2 00:17:31 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <002c01c0bad4$94b8b560$413c2904@c705263a>
Date: Sun, 1 Apr 2001 12:52:53 -0500
Reply-To: Brian Parris <brian.parris@VERIZON.NET>
From: Brian Parris <brian.parris@VERIZON.NET>
X-To: Tim Yardley <yardley@UIUC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
I keep trying all these exploits posted on the list on my webserver with no
success. They all say "bug exploited successfully" but don't give root. Am I
doing something wrong?
Brian Parris
brian.parris@verizon.net
----- Original Message -----
From: "Tim Yardley" <yardley@UIUC.EDU>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Saturday, March 31, 2001 9:12 PM
Subject: .. ptrace improvement
> As always, there are always ways to improve things. This version of the
> exploit posted here previously overwrites the dl _start routine and doesn't
> modify eip. This will help on stack non-exec systems and doesn't require
> you to calculate the bss offset. I didn't test it, but this should still
> work on a stackguard compiled program as well.
>
> Your mileage may vary, and this will still suffer from the disk cache issue
> (speed becoming a paramount concern). The recent post by "Ihq", where his
> exploit created a big file, is one way to fill out the cache so that the
> suid binary is not in the cache. Manual methods are just as easy.
>
> rsh, gpasswd, passwd, etc. are all common choices for hitting. Anything
> will work.
>
> More details lie within the code. Enjoy.
>
> /tmy
> --------------------------------------------------------------------------------
>
> -- Diving into infinity my consciousness expands in inverse
> proportion to my distance from singularity
>
> +-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
> | Tim Yardley (yardley@uiuc.edu)
> | http://www.students.uiuc.edu/~yardley/
> +-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
>