2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

Damian Weber dweber at htw-saarland.de
Wed Nov 11 19:22:18 UTC 2009



On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:

> Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC)
> From: Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net>
> To: Damian Weber <dweber at htw-saarland.de>
> Cc: freebsd-security at freebsd.org, wkoszek at freebsd.org,
>     Oliver Pinter <oliver.pntr at gmail.com>
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>     Service  Exploit 23 R D Shaun Colley
> 
> On Wed, 11 Nov 2009, Damian Weber wrote:
> 
> > 
> > 
> > On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> > 
> > > Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
> > > From: Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net>
> > > To: Oliver Pinter <oliver.pntr at gmail.com>
> > > Cc: freebsd-security at freebsd.org, wkoszek at freebsd.org
> > > Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> > >     Service  Exploit 23 R D Shaun Colley
> > > 
> > > On Mon, 20 Jul 2009, Oliver Pinter wrote:
> > > 
> > > Hi,
> > > 
> > > > http://milw0rm.com/exploits/9206
> > > 
> > > has anyone actually been able to reproduce a problem scenario with
> > > this on any supported releases (7.x or 6.x)?
> > > 
> > > The only thing I could get from that was:
> > > 	execve returned -1, errno=8: Exec format error
> > > 
> > 
> > FWIW, I got another result on 6.4-STABLE
> > 
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct  3
> > 13:06:12 CEST 2009     root at hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE
> > i386
> > 
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
> 
> 
> Not sure if you'd see it with ktrace or not;  I ran into that with my
> tests as well and was told that it's a shell problem.
> 
> try to run it from this:
> ------------------------------------------------------------------------
> #include <unistd.h>
> #include <err.h>
> 
> int
> main(int argc, char *argv[])
> {
> 
> 	/* execve() the binary directly, so the errno reported is the
> 	 * kernel's and not the shell's. */
> 	if (execl("./pecoff", "./pecoff", NULL) == -1)
> 		err(1, "execl()");
> 
> 	return (0);
> }
> ------------------------------------------------------------------------

execl() and /usr/local/bin/bash (bash-3.2.48_1) produce the same result

ktrace/kdump show

...
 2380 pecoff   CALL  open(0x8048764,0x1,0)
 2380 pecoff   NAMI  "evilprog.exe"
 2380 pecoff   RET   open 3
 2380 pecoff   CALL  write(0x3,0xbfbfce80,0xfe0)
 2380 pecoff   GIO   fd 3 wrote 4064 bytes
       0x0000 4d5a 6161 6161 6161 6161 6161 6161 6161 6161  |MZaaaaaaaaaaaaaaaa|
       0x0012 6161 6161 6161 6161 6161 6161 6161 6161 6161  |aaaaaaaaaaaaaaaaaa|
...
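Added example, not code from this thread or from the milw0rm entry: a small probe that does what Bjoern's execl() snippet and the ktrace run together do, but in one program. It writes a constructed file (just "MZ" followed by padding to 0xfe0 bytes, the size in the kdump trace above; it is not the original payload and contains no PE/COFF structure), then execve()s it from a forked child and passes the child's errno back over a close-on-exec pipe. That avoids the shell entirely: a POSIX shell that gets ENOEXEC from execve falls back to running the file as a script, so the error it prints comes from that fallback (here the first word of the file, a few thousand characters of "MZaaa...", used as a command name) rather than from the kernel. The path /tmp/mz_probe.exe and the function names are assumptions made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 0xfe0 = 4064 bytes, the write() size seen in the kdump output. */
#define MZ_FILE_LEN 0xfe0

/*
 * Write a constructed "MZ" + 'a' padding image of MZ_FILE_LEN bytes to
 * path with the given mode.  Returns the number of bytes written, or -1.
 * This is filler for the probe, not a real PE/COFF image.
 */
int write_mz_file(const char *path, mode_t mode)
{
	unsigned char buf[MZ_FILE_LEN];
	int fd;
	ssize_t n;

	memset(buf, 'a', sizeof buf);
	buf[0] = 'M';
	buf[1] = 'Z';

	fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
	if (fd == -1)
		return -1;
	n = write(fd, buf, sizeof buf);
	close(fd);
	if (n != (ssize_t)sizeof buf)
		return -1;
	/* O_CREAT only applies mode on creation; force it on an existing file. */
	if (chmod(path, mode) == -1)
		return -1;
	return (int)n;
}

/*
 * execve() path directly in a child (no shell, no PATH search) and return
 * the errno the kernel handed back, or 0 if the exec succeeded.  The errno
 * travels over a close-on-exec pipe: if exec succeeds the write end closes
 * and the parent reads EOF.
 */
int exec_probe(const char *path)
{
	int pfd[2];
	int child_errno = 0;
	pid_t pid;
	ssize_t n;

	if (pipe(pfd) == -1)
		return -1;
	if (fcntl(pfd[1], F_SETFD, FD_CLOEXEC) == -1)
		return -1;

	pid = fork();
	if (pid == -1)
		return -1;
	if (pid == 0) {
		close(pfd[0]);
		execl(path, path, (char *)NULL);
		child_errno = errno;
		if (write(pfd[1], &child_errno, sizeof child_errno) == -1)
			_exit(126);
		_exit(127);
	}

	close(pfd[1]);
	n = read(pfd[0], &child_errno, sizeof child_errno);
	close(pfd[0]);
	waitpid(pid, NULL, 0);
	return n == (ssize_t)sizeof child_errno ? child_errno : 0;
}

int main(void)
{
	const char *path = "/tmp/mz_probe.exe";   /* assumed scratch path */
	int e;

	if (write_mz_file(path, 0755) == -1) {
		perror("write_mz_file");
		return 1;
	}
	e = exec_probe(path);
	printf("execve(%s): errno=%d: %s\n", path, e,
	    e == 0 ? "exec succeeded" : strerror(e));
	return 0;
}
```

On a FreeBSD kernel without the pecoff image activator loaded, or on Linux without a binfmt_misc handler for MZ files, the expected answer is errno 8 (ENOEXEC, "Exec format error"), matching what Bjoern saw; ENAMETOOLONG can only come from a shell's script fallback, never from this probe. A file without any execute bit gives EACCES regardless of its contents, so check the mode before reading anything into the errno.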