Vulnerability Development mailing list archives

IRIX telnetd exploit for 5.3


From: Damian Menscher <menscher () uiuc edu>
Date: Sat, 9 Sep 2000 00:44:53 -0500

Hello all,

I'm sure you're aware of the LSD post of the remote root exploit for Irix
5.3 that takes advantage of telnetd.  In their post (and SGI confirms) it
is stated that Irix 6.2 and up is vulnerable, as well as patched versions
down to 5.2.  But the code is only written for 6.2 and up.

I would like to extend their efforts to include a patched 5.3 system.  If
I understand what they've done, I would expect a successful exploit from
adding and using the line:
    { 0, 0x56, 0x0fb5302c,   0, 0x7fc44240, 0x14 }
in tab2.  Unfortunately this doesn't work, and I'd appreciate some help
figuring out why, and how to correct it.

In what follows, I'll assume you've read the August 14 BugTraq post.

I obtained the number 0x0fb5302c from libc.so.1 [abort], and the number
0x7fc44240 from telnetd [read].  The other numbers in the entry were just
copied from the 6.2 section, since they tend to relate to the difference
between o32 and n32 ELF binaries.  The fourth entry is zero since its
effect is taken into account in the third entry.

Anyway, if you have ideas on where to go from here, please send an email.
(I'm not on the list, but I'll monitor it for a while.)  Thanks,

Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher () uiuc edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
