2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

Wed Nov 11 19:00:12 UTC 2009

On Wed, 11 Nov 2009, Damian Weber wrote:

>
>
> On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
>
>> Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
>> From: Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net>
>> To: Oliver Pinter <oliver.pntr at gmail.com>
>> Cc: freebsd-security at freebsd.org, wkoszek at freebsd.org
>> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>>     Service  Exploit 23 R D Shaun Colley
>>
>> On Mon, 20 Jul 2009, Oliver Pinter wrote:
>>
>> Hi,
>>
>>> http://milw0rm.com/exploits/9206
>>
>> has anyone actually been able to reproduce a problem scenario with
>> this on any supported releases (7.x or 6.x)?
>>
>> The only thing I gould get from that was:
>> 	execve returned -1, errno=8: Exec format error
>>
>
> FWIW, I got another result on 6.4-STABLE
>
> FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct  3 13:06:12 CEST 2009     root at hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE  i386
>
> $ ./pecoff
> MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> [I'm truncating here, ~3500 a's follow]aaaaa: File name too long

Not sure if you'd see it with ktrace or not;  I ran into that with my
tests as well and was told that it's a shell problem.

try to run it from this:
------------------------------------------------------------------------
#include <unistd.h>
#include <err.h>

int
main(int argc, char *argv[])
{

 	if (execl("./pecoff", "./pecoff", NULL) == -1)
 		err(1, "execl()");

 	return (0);
}
------------------------------------------------------------------------

/bz

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.