Re: Thwarting /bin/bash, an anti-overflow concept ?

["Vlad Tsyrklevich" <vlad () sig11 zemos net>]

> Ofcourse we could rename /bin/bash to /bin/whatever_we_want, and thus add
> some security by obscurity, but the next exploit is going to cat
> /etc/shells or /etc/passwd, and then the attacker knows the name of the
shell.

When you said this I thought why nobody has done this and created a beta
that reads /etc/shells to
find the first "/" and execute it (A bug being currently even if it resides
in a comment). It's 96
bytes (Pretty big) and has been tested on 2.4 and 2.6 kernels', later on I
may add checking to it
so that it doesn't get fooled by comments.

$ ./shells
Shellcode = 96 bytes
[/home/vlad/test/shells]$



http://sig11.zemos.net/vlad/shells.c
http://sig11.zemos.net/vlad/shells.asm