2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
Service Exploit 23 R D Shaun Colley
Damian Weber
dweber at htw-saarland.de
Wed Nov 11 19:22:18 UTC 2009
On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC)
> From: Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net>
> To: Damian Weber <dweber at htw-saarland.de>
> Cc: freebsd-security at freebsd.org, wkoszek at freebsd.org,
> Oliver Pinter <oliver.pntr at gmail.com>
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> Service Exploit 23 R D Shaun Colley
>
> On Wed, 11 Nov 2009, Damian Weber wrote:
>
> >
> >
> > On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> >
> > > Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
> > > From: Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net>
> > > To: Oliver Pinter <oliver.pntr at gmail.com>
> > > Cc: freebsd-security at freebsd.org, wkoszek at freebsd.org
> > > Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> > > Service Exploit 23 R D Shaun Colley
> > >
> > > On Mon, 20 Jul 2009, Oliver Pinter wrote:
> > >
> > > Hi,
> > >
> > > > http://milw0rm.com/exploits/9206
> > >
> > > has anyone actually been able to reproduce a problem scenario with
> > > this on any supported releases (7.x or 6.x)?
> > >
> > > The only thing I could get from that was:
> > > execve returned -1, errno=8: Exec format error
> > >
> >
> > FWIW, I got another result on 6.4-STABLE
> >
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3
> > 13:06:12 CEST 2009 root at hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE
> > i386
> >
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
>
>
> Not sure if you'd see it with ktrace or not; I ran into that with my
> tests as well and was told that it's a shell problem.
>
> try to run it from this:
> ------------------------------------------------------------------------
> #include <unistd.h>
> #include <err.h>
>
> int
> main(int argc, char *argv[])
> {
>
> if (execl("./pecoff", "./pecoff", NULL) == -1)
> err(1, "execl()");
>
> return (0);
> }
> ------------------------------------------------------------------------
execl() and /usr/local/bin/bash (bash-3.2.48_1) produce the same result
ktrace/kdump show
...
2380 pecoff CALL open(0x8048764,0x1,0)
2380 pecoff NAMI "evilprog.exe"
2380 pecoff RET open 3
2380 pecoff CALL write(0x3,0xbfbfce80,0xfe0)
2380 pecoff GIO fd 3 wrote 4064 bytes
0x0000 4d5a 6161 6161 6161 6161 6161 6161 6161 6161 |MZaaaaaaaaaaaaaaaa|
0x0012 6161 6161 6161 6161 6161 6161 6161 6161 6161 |aaaaaaaaaaaaaaaaaa|
...
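Added here as an example, not code from the thread: a C harness that does what Bjoern suggests, calling exec directly so the kernel's own errno is visible instead of the shell's fallback message. It writes a constructed image ("MZ" followed by 'a' bytes, sized like the 4064-byte write kdump shows) to an assumed scratch path, /tmp/mz_image_example, and reports the errno from execv.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed image: "MZ" then 'a' bytes, as the kdump output above shows. */
static int write_mz_image(const char *path, size_t total)
{
    char buf[4096];
    int fd;
    if (total > sizeof buf)
        return -1;
    memset(buf, 'a', sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd == -1)
        return -1;
    if (write(fd, buf, total) != (ssize_t)total) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Exec the image directly, bypassing the shell, and return the kernel's errno. */
static int exec_errno(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return errno;
    if (pid == 0) {
        execv(path, argv);
        _exit(errno);  /* child: hand the errno back as the exit status */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *path = "/tmp/mz_image_example";  /* assumed scratch path */
    int e = write_mz_image(path, 4064) == 0 ? exec_errno(path) : errno;
    printf("execv: errno=%d: %s\n", e, strerror(e));
    return 0;
}
```

With no image activator for that format the kernel answers ENOEXEC (errno 8, "Exec format error"); a shell hides that by re-running the file as a script, so the first line becomes a command name and the shell reports "File name too long" instead.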