Vulnerability Development
mailing list archives
Re: os/2 shellcode?
From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Mon, 28 Aug 2000 12:46:20 -0700
From: Bluefish (P.Magnusson) [mailto:11a () GMX NET]
Sent: Monday, August 28, 2000 10:37 AM

IMHO doing something like:
http://www.hack.co.za/shellcode/linux-x86/execve_binsh.c
and make something similar for OS/2 shouldn't prove very hard to do if we
knew how to execute a file. C:\COMMAND.COM exists under OS/2 as well I
believe, but it was a long time since I used OS/2 so I may be wrong. If it
exists and reads from stdin, I'd say we're about done :)

You'd probably want to execute CMD.EXE, not COMMAND.COM; COMMAND.COM under
OS/2 is the DOS-box command interpreter.

It's been a long time since I did any low-level OS/2 programming either, and
I've never paid much attention to shellcode construction, but my guess is
that it would not be difficult to build some for OS/2. Besides the ordinary
techniques, OS/2 (especially later releases) is full of weird hooks to get
things like Win-OS/2 and DIVE working. And OS/2 was designed as a
single-user, physically-secured system; it doesn't have any sort of security
architecture in place by default. (There were some IBM security add-ons,
and probably third-party as well.)

Oh, and Java shipped with Merlin, and I doubt those JVMs have been
rigorously updated, so the early JVM security holes may work.

Unfortunately my OS/2 internals books (actually a co-worker's; I didn't have
to do much envelope-pushing) are long gone. It shouldn't be hard to find
some at a large used-books outlet, though.

Michael Wojcik michael.wojcik () merant com
MERANT
Department of English, Miami University
Current thread:
- os/2 shellcode? Marc (Aug 26)
- <Possible follow-ups>
- Re: os/2 shellcode? Michael Wojcik (Aug 28)