Re: [Full-Disclosure] /usr/bin/trn local root exploit
- To: Z z a g o r R <zzagorrzzagorr@xxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] /usr/bin/trn local root exploit
- From: Frank Thyes <thyes@xxxxxxx>
- Date: Wed, 26 Jan 2005 13:41:11 +0100
+++ Z z a g o r R [Wed, Jan 26, 2005 at 09:27:28AM CET]:
> /*
> /usr/bin/trn local root exploit
> By ZzagorR - http://www.rootbinbash.com
> */
> /*
> sh-2.05b$ ./trn
> usage : ./trn ret buf
> example : ./trn 0xbfffff64
> [+] mandrake 9.2 = 0xbfffff96
> [+] slackware 10.0.0= 0xbfffff98
> [+] slackware 9.1.0= 0xbfffff84
> sh-2.05b$
> sh-2.05b$ ./trn 0xbfffff84 128
> [BOO %] 128
> [RET %] bfffff84
> sh-2.05b#
> sh-2.05b# id
> uid=0(root) gid=98(nobody) groups=98(nobody)

I didn't understand how you will get root? Afaik trn isn't suid. I
didn't have Mandrake or another Linux here so I can't test it.
Please explain.
Regards
Frank
--
In the beginning was the word and the word was content-type: text/plain
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
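
The reply above turns on whether the binary is installed setuid: a local overflow only changes privileges if the file carries the setuid or setgid bit. The following is an added example, not part of the original thread, showing one way to check that on a given system; the helper name `priv_boundary` is hypothetical and the paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post).
# priv_boundary FILE  -> prints one of:
#   missing                      FILE is not a regular file
#   none                         no setuid/setgid bit: a bug in FILE runs
#                                with the caller's own privileges
#   suid(uid=N)                  runs with effective uid N
#   sgid(gid=N)                  runs with effective gid N
#   suid(uid=N),sgid(gid=M)      both bits set
priv_boundary() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing"
        return 2
    fi
    # ls -lnL: numeric owner uid (field 3) and gid (field 4), following symlinks
    set -- $(ls -lnL -- "$f")
    uid=$3
    gid=$4
    bits=""
    if [ -u "$f" ]; then
        bits="suid(uid=$uid)"
    fi
    if [ -g "$f" ]; then
        bits="${bits:+$bits,}sgid(gid=$gid)"
    fi
    echo "${bits:-none}"
    return 0
}

# Stand-alone use: report every path given on the command line.
for path in "$@"; do
    printf '%s: %s\n' "$path" "$(priv_boundary "$path")"
done
```

A result of `suid(uid=0)` means a memory-corruption bug in that file is a local privilege escalation to root; `none` means it is not, on that installation.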