Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC)
> From: Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net>
> To: Damian Weber <dweber@htw-saarland.de>
> Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org,
> Oliver Pinter <oliver.pntr@gmail.com>
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> Service Exploit 23 R D Shaun Colley
>
> On Wed, 11 Nov 2009, Damian Weber wrote:
>
> >
> >
> > On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> >
> > > Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
> > > From: Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net>
> > > To: Oliver Pinter <oliver.pntr@gmail.com>
> > > Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org
> > > Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> > > Service Exploit 23 R D Shaun Colley
> > >
> > > On Mon, 20 Jul 2009, Oliver Pinter wrote:
> > >
> > > Hi,
> > >
> > > > http://milw0rm.com/exploits/9206
> > >
> > > has anyone actually been able to reproduce a problem scenario with
> > > this on any supported releases (7.x or 6.x)?
> > >
> > > The only thing I could get from that was:
> > > execve returned -1, errno=8: Exec format error
> > >
> >
> > FWIW, I got another result on 6.4-STABLE
> >
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3
> > 13:06:12 CEST 2009 root@hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE
> > i386
> >
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa闇闇aaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
>
>
> Not sure if you'd see it with ktrace or not; I ran into that with my
> tests as well and was told that it's a shell problem.
>
> try to run it from this:
> ------------------------------------------------------------------------
> /* Exec the PoC binary directly, bypassing the shell, so the error
> reported comes from execve() itself and not from the shell's
> script-interpretation fallback. */
> #include <unistd.h>
> #include <err.h>
>
> int
> main(int argc, char *argv[])
> {
>
> /* The argument list must be terminated by a null char pointer. */
> if (execl("./pecoff", "./pecoff", (char *)NULL) == -1)
> err(1, "execl()"); /* prints errno text, e.g. "Exec format error" */
>
> return (0);
> }
> ------------------------------------------------------------------------
execl() and /usr/local/bin/bash (bash-3.2.48_1) produce the same result.
ktrace/kdump show
....
2380 pecoff CALL open(0x8048764,0x1,0)
2380 pecoff NAMI "evilprog.exe"
2380 pecoff RET open 3
2380 pecoff CALL write(0x3,0xbfbfce80,0xfe0)
2380 pecoff GIO fd 3 wrote 4064 bytes
0x0000 4d5a 6161 6161 6161 6161 6161 6161 6161 6161 |MZaaaaaaaaaaaaaaaa|
0x0012 6161 6161 6161 6161 6161 6161 6161 6161 6161 |aaaaaaaaaaaaaaaaaa|
....
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
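Added example (not code from this thread or from Bjoern's snippet): a small harness that runs a candidate file through fork()+execve() with no shell in between and hands the child's execve() errno back to the parent over a close-on-exec pipe, so "the kernel rejected the image" (e.g. errno 8, ENOEXEC, as in the trace above) can be told apart from "the program ran and exited". The program path is taken from argv[1]; the helper name run_direct() is my own.

```c
/* Run a program directly (no shell) and report the execve() errno. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns -errno if execve() failed in the child, otherwise the child's
 * wait status from waitpid(), so 0 means "ran and exited cleanly". */
int run_direct(const char *path)
{
    int pfd[2], e = 0, status = 0;
    if (pipe(pfd) == -1)
        return -errno;
    /* Close-on-exec: the write end vanishes on a successful execve(), so
     * the parent reads EOF on success and a 4-byte errno on failure. */
    if (fcntl(pfd[1], F_SETFD, FD_CLOEXEC) == -1)
        return -errno;
    pid_t pid = fork();
    if (pid == -1)
        return -errno;
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        close(pfd[0]);
        execve(path, argv, envp);
        e = errno;                 /* only reached if execve() failed */
        if (write(pfd[1], &e, sizeof e) < 0)
            _exit(126);
        _exit(127);
    }
    close(pfd[1]);
    ssize_t n = read(pfd[0], &e, sizeof e);
    close(pfd[0]);
    waitpid(pid, &status, 0);
    return n == (ssize_t)sizeof e ? -e : status;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s ./program\n", argv[0]);
        return 2;
    }
    int r = run_direct(argv[1]);
    if (r < 0)
        printf("execve failed: errno=%d (%s)\n", -r, strerror(-r));
    else
        printf("program ran; wait status 0x%x\n", r);
    return 0;
}
```

Under ktrace the "File name too long" seen from the shell disappears here, because a shell that gets ENOEXEC falls back to reading the file as a script and tries the first line as a command name, whereas this harness reports the kernel's own errno.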