Bugtraq mailing list archives

[LSD] some unpublished LSD exploit codes


From: LSD <contact () LSD-PL NET>
Date: Wed, 2 Aug 2000 12:24:31 -0700

hello,

We decided to publish some of the codes we've developed in the past.
These are the codes that we've been using for a long time so far -
the ones that have never been published before.
Because they got somewhat old during the last couple of years we see no
reason to still keep them unrevealed.

Most of the codes have been rewritten and tested on various IRIX IP
platforms. We did our best to tune the exploits so that they work
fine in all cases.

[1] /usr/sbin/gr_osview                              IRIX 6.2 6.3
    http://lsd-pl.net/files/get?IRIX/irx_gr_osview
[2] libgl.so $HOME                                   IRIX 6.2
    http://lsd-pl.net/files/get?IRIX/irx_libgl
[3] /sbin/pset                                       IRIX 6.2 6.3
    http://lsd-pl.net/files/get?IRIX/irx_pset2
[4] /usr/sbin/dmplay                                 IRIX 6.2 6.3
    http://lsd-pl.net/files/get?IRIX/irx_dmplay
[5] /usr/bsd/rlogin                                  IRIX 5.2 5.3 6.2 6.3
    http://lsd-pl.net/files/get?IRIX/irx_rlogin
[6] /bin/lpstat                                      IRIX 6.2 6.3
    http://lsd-pl.net/files/get?IRIX/irx_lpstat
[7] /usr/lib/InPerson/inpview                        IRIX 6.5 6.5.8
    http://lsd-pl.net/files/get?IRIX/irx_inpview

The codes above are all buffer overflows except inpview. They can be
exploited up to IRIX 6.3. This is due to the fact that IRIX 6.4 and up
uses N32 ELF binary formats with 64 bit pointers on the stack.

There are also some old codes exploiting known bugs. Some of them have
already been published by other authors but in our opinion they didn't
work as they should.

[1] libXt.so -xrm                                    IRIX 5.2 5.3 6.2 6.3
    http://lsd-pl.net/files/get?IRIX/irx_libxt
[2] truncate()                                       IRIX 6.2 6.3 6.4
    http://lsd-pl.net/files/get?IRIX/irx_truncate
[3] libc.so $NLSPATH                                 IRIX 6.2
    http://lsd-pl.net/files/get?IRIX/irx_libc
[4] /usr/bin/mail                                    IRIX 6.2 6.3
    http://lsd-pl.net/files/get?IRIX/irx_mail
[5] libXaw.so inputMethod                            IRIX 6.2
    http://lsd-pl.net/files/get?IRIX/irx_libxaw
[6] arrayd                                           IRIX 6.2 6.3 6.4 6.5 6.5.4
    http://lsd-pl.net/files/get?IRIX/irx_arrayd

truncate "exploits" the bug in the part of the IRIX kernel code handling the xfs
filesystem (the truncate system call *does not* check for user creds).
mail was never published for IRIX; the same applies to libXaw, which was
only implemented for X11R6 on Linux.
arrayd is a classic example showing the state of the art in the security
area done by SGI folks and the way they design authentication in software.
The exploit code for it was never published before and should also work on
Cray UNICOS 9.0.x.x 10.0.0.6 systems.

We would also like to recommend to you our versions of some remote exploits for
IRIX and Solaris, which have been published in very limited circles:

[1] IRIX rpc.ttdbserverd                     IRIX 5.2 5.3 6.2 6.3 6.4 6.5 6.5.2
    http://lsd-pl.net/files/get?IRIX/irx_rpc.ttdbserverd
[2] Solaris rpc.ttdbserverd                  Solaris 2.3 2.4 2.5 2.5.1 2.6 sparc
    http://lsd-pl.net/files/get?SOLARIS/solsparc_rpc.ttdbserverd
[3] Solaris rpc.cmsd                         Solaris 2.5 2.5.1 2.6 2.7 sparc
    http://lsd-pl.net/files/get?SOLARIS/solsparc_rpc.cmsd

Contrary to the previously published versions of these exploits (sh -c command
execution), ours are capable of providing a remote shell connection. To achieve
that we use findsckcode, which walks the descriptor table of an exploited process
in search of an established TCP connection. The TCP socket descriptor found is
then duplicated onto stdin, stdout and stderr and /bin/sh is spawned. In our
opinion this technique is pretty useful for obtaining a remote shell connection
when exploiting RPC services.
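The technique described above leaves a characteristic artefact on the victim host: a shell process whose stdin, stdout and stderr all refer to the same socket inode, and that inode shows up as an ESTABLISHED TCP connection. The following is an added detection example, not LSD's code and not part of the original post. It assumes Linux-style /proc data (`/proc/<pid>/fd/*` symlinks of the form `socket:[inode]` and the `/proc/net/tcp` table); the IRIX kernel the post targets exposes this information differently, so the live scan is only a convenience for Linux hosts. The sample process list and socket table at the bottom are constructed.

```python
"""
Flag shell processes whose standard descriptors are one established TCP socket.

Added example (not LSD's code). Assumes Linux /proc conventions:
  /proc/<pid>/fd/N  -> readlink gives "socket:[<inode>]" for sockets
  /proc/net/tcp     -> column 4 is the state ("01" = ESTABLISHED), column 10 the inode
The sample data at the bottom is constructed, not captured from a real system.
"""
import os
import re
from dataclasses import dataclass

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")
TCP_ESTABLISHED = "01"  # state value used in /proc/net/tcp
SHELL_NAMES = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "dash"}


@dataclass
class ProcInfo:
    pid: int
    comm: str        # process name as in /proc/<pid>/comm
    fd_links: dict   # fd number -> readlink target of /proc/<pid>/fd/<fd>


def established_socket_inodes(net_tcp_text):
    """Return the set of socket inodes in ESTABLISHED state from /proc/net/tcp text."""
    inodes = set()
    for line in net_tcp_text.splitlines()[1:]:       # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        # fields: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
        if fields[3] == TCP_ESTABLISHED:
            inodes.add(fields[9])
    return inodes


def stdio_socket_inode(fd_links):
    """If fds 0, 1 and 2 all point at the same socket, return its inode, else None."""
    inodes = set()
    for fd in (0, 1, 2):
        match = SOCKET_RE.fullmatch(fd_links.get(fd, ""))
        if not match:
            return None                # at least one std fd is not a socket
        inodes.add(match.group(1))
    return inodes.pop() if len(inodes) == 1 else None


def find_socket_shells(procs, established):
    """Return (pid, comm, inode) for shells whose stdio is a single established TCP socket."""
    hits = []
    for p in procs:
        inode = stdio_socket_inode(p.fd_links)
        if inode is not None and inode in established and p.comm in SHELL_NAMES:
            hits.append((p.pid, p.comm, inode))
    return hits


def read_live_procs():
    """Collect ProcInfo for every process visible in /proc (Linux only; needs privileges)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue                   # process exited or not readable
        fd_links = {}
        for fd in (0, 1, 2):
            try:
                fd_links[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                pass
        procs.append(ProcInfo(pid, comm, fd_links))
    return procs


# Constructed sample: one listening socket (state 0A) and one established one (state 01).
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0A000005:0203 0A000009:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROCS = [
    ProcInfo(1, "init", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
    ProcInfo(2001, "rpc.daemon", {0: "/dev/null", 1: "/dev/null", 2: "socket:[10002]"}),
    ProcInfo(2002, "sh", {0: "socket:[10002]", 1: "socket:[10002]", 2: "socket:[10002]"}),
    ProcInfo(2003, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
]


def scan_sample():
    """Run the check over the constructed sample; only pid 2002 should be flagged."""
    return find_socket_shells(SAMPLE_PROCS, established_socket_inodes(SAMPLE_NET_TCP))


if __name__ == "__main__":
    print("sample hits:", scan_sample())
    if os.path.isdir("/proc/net"):
        with open("/proc/net/tcp") as f:
            live = established_socket_inodes(f.read())
        print("live hits:", find_socket_shells(read_live_procs(), live))
```

The check deliberately requires all three standard descriptors to be the same established socket: a daemon logging its stderr to a socket, or an interactive login shell on a pty, is not flagged. One benign case to whitelist on hosts that still run it is a shell launched by rshd for a remote command, which legitimately inherits the rsh connection as its stdio; on everything else a shell in that state is worth an incident ticket.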

For those who found our objectserver account exploit useful (published on
Bugtraq in March) we also recommend its second version, which may be of some
use in TCP-wrapped environments:

[4] IRIX objectserver (export exploit)       IRIX 5.2 5.3 6.2
    http://lsd-pl.net/files/get?IRIX/irx_objectserver

Finally, we would like to invite you all to our tiny place on the Internet at
the following address: http://lsd-pl.net

regards,
lsd folks
