On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC)
> From: Bjoern A. Zeeb <[email protected]>
> To: Damian Weber <[email protected]>
> Cc: [email protected], [email protected],
>     Oliver Pinter <[email protected]>
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>     Service Exploit 23 R D Shaun Colley
>
> On Wed, 11 Nov 2009, Damian Weber wrote:
>
> >
> >
> > On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> >
> > > Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
> > > From: Bjoern A. Zeeb <[email protected]>
> > > To: Oliver Pinter <[email protected]>
> > > Cc: [email protected], [email protected]
> > > Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> > >     Service Exploit 23 R D Shaun Colley
> > >
> > > On Mon, 20 Jul 2009, Oliver Pinter wrote:
> > >
> > > Hi,
> > >
> > > > http://milw0rm.com/exploits/9206
> > >
> > > has anyone actually been able to reproduce a problem scenario with
> > > this on any supported releases (7.x or 6.x)?
> > >
> > > The only thing I could get from that was:
> > > execve returned -1, errno=8: Exec format error
> >
> > FWIW, I got another result on 6.4-STABLE
> >
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3
> > 13:06:12 CEST 2009 [email protected]:/usr/obj/usr/src/sys/MYMACHINE
> > i386
> >
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
>
> Not sure if you'd see it with ktrace or not; I ran into that with my
> tests as well and was told that it's a shell problem.
>
> try to run it from this:
> ------------------------------------------------------------------------
> #include <unistd.h>
> #include <err.h>
>
> int
> main(int argc, char *argv[])
> {
>
> 	if (execl("./pecoff", "./pecoff", NULL) == -1)
> 		err(1, "execl()");
>
> 	return (0);
> }
> ------------------------------------------------------------------------

execl() and /usr/local/bin/bash (bash-3.2.48_1) produce the same result

ktrace/kdump show

...
  2380 pecoff   CALL  open(0x8048764,0x1,0)
  2380 pecoff   NAMI  "evilprog.exe"
  2380 pecoff   RET   open 3
  2380 pecoff   CALL  write(0x3,0xbfbfce80,0xfe0)
  2380 pecoff   GIO   fd 3 wrote 4064 bytes
       0x0000 4d5a 6161 6161 6161 6161 6161 6161 6161 6161 |MZaaaaaaaaaaaaaaaa|
       0x0012 6161 6161 6161 6161 6161 6161 6161 6161 6161 |aaaaaaaaaaaaaaaaaa|
...
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
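An added example, written for this page and not code from the thread or the pecoff program under discussion, of the diagnostic Bjoern's execl() wrapper is getting at. Calling execve(2) directly reports the kernel's own errno for a file. A POSIX shell that gets ENOEXEC back from execve() instead falls back to reading the file as a script and looks up its first word as a command name; for a first line of several thousand bytes that PATH lookup fails with ENAMETOOLONG, which is the "File name too long" message quoted above rather than anything the kernel said about the binary. The temp-file path, the constructed file content and the first_word_len() helper are assumptions made for this example; the only system calls used are pipe(2), fork(2), execv(3) and waitpid(2).

```c
/*
 * Added example, not code from this thread: probe a file with execve(2)
 * directly and report the kernel's errno, instead of letting a shell turn
 * an ENOEXEC failure into a script-interpretation error.
 */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef NAME_MAX
#define NAME_MAX 255	/* POSIX minimum; matches FreeBSD and Linux */
#endif

/*
 * Fork and exec `path` with no arguments.  Returns 0 when the exec
 * succeeded (the child image was replaced) and the child's errno when
 * execv() failed.  The errno travels back over a close-on-exec pipe, so a
 * successful exec closes the pipe without writing anything.
 */
int try_exec(const char *path)
{
	int fds[2], child_errno = 0;
	ssize_t n;
	pid_t pid;

	if (pipe(fds) == -1)
		return (errno);
	if (fcntl(fds[1], F_SETFD, FD_CLOEXEC) == -1 || (pid = fork()) == -1) {
		int e = errno;
		close(fds[0]);
		close(fds[1]);
		return (e);
	}
	if (pid == 0) {
		char *const argv[] = { (char *)path, NULL };
		int e;

		close(fds[0]);
		execv(path, argv);
		e = errno;			/* only reached when execv() fails */
		(void)write(fds[1], &e, sizeof(e));
		_exit(127);
	}
	close(fds[1]);
	n = read(fds[0], &child_errno, sizeof(child_errno));
	close(fds[0]);
	waitpid(pid, NULL, 0);
	return (n == (ssize_t)sizeof(child_errno) ? child_errno : 0);
}

/* Write `content` to `path` and mark it executable (constructed test input). */
int write_exec_file(const char *path, const char *content)
{
	size_t len = strlen(content);
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);

	if (fd == -1)
		return (errno);
	if (write(fd, content, len) != (ssize_t)len) {
		int e = errno;
		close(fd);
		return (e);
	}
	close(fd);
	return (0);
}

/*
 * Length of the first whitespace-delimited word of `path`: what a shell's
 * ENOEXEC fallback would try to resolve as a command name.  Returns -1 if
 * the file cannot be opened.  Assumed helper, not a shell API.
 */
long first_word_len(const char *path)
{
	char buf[512];
	long len = 0;
	ssize_t n;
	int fd = open(path, O_RDONLY), done = 0;

	if (fd == -1)
		return (-1);
	while (!done && (n = read(fd, buf, sizeof(buf))) > 0) {
		for (ssize_t i = 0; i < n; i++) {
			if (buf[i] == ' ' || buf[i] == '\t' || buf[i] == '\n') {
				done = 1;
				break;
			}
			len++;
		}
	}
	close(fd);
	return (len);
}

int main(void)
{
	char path[64];
	int e;

	snprintf(path, sizeof(path), "/tmp/exec_probe.%ld", (long)getpid());
	e = write_exec_file(path, "This is a constructed file, not an executable.\n");
	if (e != 0) {
		fprintf(stderr, "setup: %s\n", strerror(e));
		return (1);
	}
	e = try_exec(path);
	printf("execv(%s): %s\n", path, e ? strerror(e) : "succeeded");
	printf("first word is %ld bytes; a shell's script fallback fails the PATH "
	    "lookup once that exceeds NAME_MAX (%d)\n", first_word_len(path), NAME_MAX);
	unlink(path);
	return (0);
}
```

On the constructed file try_exec() returns ENOEXEC, the "Exec format error" Bjoern saw, while the same file run from an interactive shell gets the script fallback. Comparing the two is the quickest way to tell a kernel-side exec failure from a shell-side one before reaching for ktrace.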
