/* irix 6.5 Mediamail buffer overflow!!! CALL BRAVO TEAM */
/* by: bazarr */
/* bazarr@ziplip.com */
/* bazarr episode #2 */

-------------------
PREFACE

THIS ADVISORY HAS BEEN HIGHLY HIGHLY HIGHLY CENSORED FOR EXTREME CONTENT.
PLEASE GO TO http://geocities.com/rrazab/adv/bazarr-episode-2.txt FOR THE
UNCENSORED ADVISORY. PARENTAL GUIDANCE IS ADVISED.

the world aint ready for dis young bazarr.

-------------------
BEEF

while playing some of the demos my SGI came wid, i decided to open up an
actual terminal dis time. here is my experience in dis terminal opening
session: (dees machines are not networked so i have to copy byte for byte
from da sgi screen to dis laptop, its tedious work)

sh$ pwd
/usr/people/rabzar/.grannyporn
sh$ uname -a
IRIX slipperysnake 6.5-ALPHA-1275071320 10150048 IP32
sh$ ls -al /usr/bin/X11/MediaMail
-rwxr-sr-x    1 root     mail     2674280 Sep 28  1998 /usr/bin/X11/MediaMail
sh$ #ok well it seems to be some sort of media mail type program
sh$ /usr/demos/General_Demos/doom/sgixdoom -4 >/dev/null &
[1] 9614

... about 3 hours later when i am done playing doom and eating graham crackers ...

sh$ #anyways back to the media mailer
sh$ HOME=`perl -e 'print "A"x12096'`; export HOME   #i pioneered this tekneeq on irix
sh$ /usr/bin/X11/MediaMail

five million A's are displayed here
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...
...
...
MediaMail: Bus error
remove all tempfiles? [y]
Abort
sh$

... most of you essentially thinking dat Bus error means you cant ride da bus
today (WRONG). bus error is like da drunken Segmentation fault! CALL DELTA
SQUADRON WE GOTTA BUFFER OVERFLOW HERE. but in dis situation MediaMail is
catching da SIGBUS signal ...

later on when gdbing dis (i cant use dbx dat good) dis is conclusion of gdb
session:

(gdb) r
..... . . . . .... .. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .... .... .... ...

Program received signal SIGSEGV, Segmentation fault.
init_user () at init.c:177
init.c:177: No such file or directory.
(gdb) q
The program is running.  Quit anyway (and kill it)? (y or n) y
sh$ #and that is conclusion of media mailer session

media mailer is obviously vulnerable to a buffer overflow wid da $HOME
environment variable, which if xploited will allow a hacker to gain gid
mail. but since i dunno nothing bout da irix operating system and da mips
arch ($gp???) i cannot provide dis community wid elite xploit to gain gid
mail on irix 6.5.

-------------------
PATCH

dis is a obvious problem but i cannot provide src code patch to non source
disclosed operating system. yes da rumor has been confirmed: not everyone
likes to program multi million dollar operating systems for free.

-------------------
END NOTES

obviously not everyone vulnerable to dis bug cuz not everyone use irix, but
der is many a public access unix systems in shrelaunka who run irix who just
might find demselfs wid no /var/mail cuz a hacker used dis bug to gain gid
mail. so next time you meet kadaphie from shelaunka and he makes fun of you
den you can go break him off a lil somdin somdin wid dis bug and show him
what up.
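The bug class the session above triggers, shown as an added example that is not bazarr's code and not MediaMail's source (which is not public): a setgid program copying $HOME into a fixed-size stack buffer with no length check, next to a bounded version that fails closed. The function name init_user, the 256-byte buffer, the "/.mailrc" suffix and the ~247-byte limit that follows from them are all assumptions about the shape of the real bug, not facts from the advisory.

```c
/* Added example (not MediaMail's source): an unbounded copy of $HOME into a
 * fixed stack buffer inside a setgid binary, and a bounded version beside it.
 * init_user, RCPATH_MAX and the "/.mailrc" suffix are assumed, not known. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCPATH_MAX 256   /* assumed buffer size; MediaMail's real size is unknown */

/* Vulnerable shape. strcpy/strcat never consult sizeof rcpath, so a HOME longer
 * than 247 bytes (256 - strlen("/.mailrc") - 1) writes past the buffer into the
 * saved registers and return address of this frame. On MIPS/IRIX a trashed,
 * misaligned return address typically surfaces as "Bus error" (SIGBUS) or
 * SIGSEGV when the function returns, which is what the advisory's session shows.
 * Only call this with a HOME you control; it exists to show the pattern. */
static size_t init_user_unsafe(const char *home)
{
    char rcpath[RCPATH_MAX];
    strcpy(rcpath, home);        /* no length check */
    strcat(rcpath, "/.mailrc");  /* second unbounded write */
    return strlen(rcpath);       /* stands in for "open rcpath" */
}

/* Hardened shape: bound the copy and fail closed. snprintf returns how many
 * bytes the full string would need, so a result >= the buffer size means it
 * was truncated; treat that as an error instead of silently continuing.
 * Returns the path on success, NULL if HOME is unset or does not fit. */
static const char *init_user_safe(const char *home)
{
    static char rcpath[RCPATH_MAX];
    if (home == NULL)
        return NULL;
    int n = snprintf(rcpath, sizeof rcpath, "%s/.mailrc", home);
    if (n < 0 || (size_t)n >= sizeof rcpath)
        return NULL;
    return rcpath;
}

/* The 12096-byte HOME from the advisory, built in C instead of perl
 * (constructed input for the demo). */
static const char *fake_long_home(void)
{
    static char big[12096 + 1];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

int main(int argc, char **argv)
{
    const char *home = getenv("HOME");
    const char *p = init_user_safe(home);
    printf("safe: %s\n", p ? p : "HOME rejected (unset or too long)");
    /* Reproduce the crash only on request:
     *   HOME=`perl -e 'print "A"x12096'` ./a.out --crash */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0 && home != NULL)
        printf("unsafe: %zu\n", init_user_unsafe(home));
    return 0;
}
```

The bounded copy stops the overflow, but for a setgid program the stronger fix is to not trust $HOME at all and take the home directory from getpwuid(getuid())->pw_dir, since every environment variable a setgid binary reads is attacker-controlled.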