/* irix 6.5 Mediamail buffer overflow!!! CALL BRAVO TEAM */
/* by: bazarr */
/* bazarr@ziplip.com */
/* bazarr episode #2 */
-------------------
PREFACE
THIS ADVISORY HAS BEEN HIGHLY HIGHLY HIGHLY CENSORED FOR EXTREME CONTENT
PLEASE GOTO http://geocities.com/rrazab/adv/bazarr-episode-2.txt
FOR THE UNCENSORED ADVISORY. PARENTAL GUIDANCE IS ADVISED.
the world aint ready for dis young bazarr.
-------------------
BEEF
while playing some of the demos my SGI came wid i decided to open up
an actual terminal dis time. here is my experiences in dis terminal opening
session:
(dees machines are not networked so i have to copy byte for byte
from da sgi screen to dis laptop its tedious work)
sh$ pwd
/usr/people/rabzar/.grannyporn
sh$ uname -a
IRIX slipperysnake 6.5-ALPHA-1275071320 10150048 IP32
sh$ ls -al /usr/bin/X11/MediaMail
-rwxr-sr-x 1 root mail 2674280 Sep 28 1998 /usr/bin/X11/MediaMail
sh$ #ok well it seems to be some sort of media mail type program
sh$ /usr/demos/General_Demos/doom/sgixdoom -4 >/dev/null &
[1] 9614
... about 3 hours later when i am done playing doom and eating graham crackers ...
sh$ #anyways back to the media mailer
sh$ export HOME=`perl -e 'print "A"x12096'` #i pioneered this tekneeq on irix
sh$ /usr/bin/X11/MediaMail
five million A's are displayed here
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
... ... ...
MediaMail: Bus error
remove all tempfiles? [y]
Abort
sh$
...
most of you essentially thinking dat
Bus error means you cant ride da bus today (WRONG)
bus error is like da drunken Segment fault!
CALL DELTA SQUADRON WE GOTTA BUFFER OVERFLOW HERE
but in dis situwation MediaMail is catching da SIGBUS signal
...
later on when gdbing dis (i cant use dbx dat good)
dis is conclusion of gdb session
(gdb) r
..... . . . . .... ..
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.... .... .... ...
Program received signal SIGSEGV, Segment fault.
init_user () at init.c:177
init.c:177: No such file or directory.
(gdb) q
The program is running. Quit anyways (and kill it)? (y or n) y
sh$ #and that is conclusion of media mailer session
media mailer is obviously vulnerable to a buffer overflow wid da
$HOME environment variable, which if xploited will allow a hacker to gain
gid mail. but since i dunno nothing bout da irix operating
system and da mips arch ($gp???)
i cannot provide dis community wid elite
xploit to gain gid mail on irix 6.5.
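The crash above is the classic fixed-buffer-plus-untrusted-environment pattern. The following is an added example, not code from the advisory or from SGI (MediaMail's source is not public, so `build_mailrc_unsafe` and `build_mailrc_safe` are hypothetical stand-ins for whatever `init_user()` does with `$HOME`). It shows the unsafe copy beside a bounds-checked version plus a sanity check that a setgid program should apply to `$HOME` before trusting it.

```c
/* Added example (not from the advisory). The unsafe function reproduces
 * the bug class; the safe functions show the defensive pattern. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define MAILRC_MAX 256   /* hypothetical fixed-size buffer used by the unsafe version */

/* Unsafe pattern: $HOME is copied into a fixed buffer with no length check.
 * A value longer than the buffer overwrites whatever sits past it on the
 * stack, which is the bus error / SIGSEGV the advisory reports. Shown for
 * contrast only; nothing here calls it with oversized input. */
void build_mailrc_unsafe(const char *home, char *out)
{
    strcpy(out, home);
    strcat(out, "/.mailrc");
}

/* Hardened version: refuse anything that does not fit, instead of trusting
 * the environment. Returns 0 on success, -1 if the input is missing or the
 * result would not fit in out[outlen]. */
int build_mailrc_safe(const char *home, char *out, size_t outlen)
{
    const char suffix[] = "/.mailrc";   /* sizeof(suffix) includes the NUL */
    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    size_t hl = strlen(home);
    if (hl > outlen - 1)                 /* home alone does not fit */
        return -1;
    if (sizeof(suffix) > outlen - hl)    /* home + suffix + NUL does not fit */
        return -1;
    memcpy(out, home, hl);
    memcpy(out + hl, suffix, sizeof(suffix));
    return 0;
}

/* For a setgid program the environment is attacker-controlled. A simple
 * length and shape check (absolute path, shorter than PATH_MAX) rejects the
 * "12096 A's" case before any copy happens. Returns 1 if acceptable. */
int home_is_sane(const char *home)
{
    if (home == NULL || home[0] != '/')
        return 0;
    return strlen(home) < PATH_MAX;
}

int main(void)
{
    char buf[MAILRC_MAX];
    const char *home = getenv("HOME");
    if (!home_is_sane(home) || build_mailrc_safe(home, buf, sizeof buf) != 0) {
        fprintf(stderr, "HOME is unset, relative, or too long; refusing to start\n");
        return 1;
    }
    printf("mailrc: %s\n", buf);
    return 0;
}
```

Run it with a normal `$HOME` and it prints the constructed path; run it with the 12096-byte value from the session above and it exits with the error message instead of faulting. The design point is that the length check happens before any byte is copied, and the setgid binary fails closed rather than continuing with an attacker-shaped path.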
-------------------
PATCH
dis is an obvious problem but i cannot provide src code patch to a
non source disclosed operating system. yes da rumor has been confirmed:
not everyone likes to program multi million dollar operating systems
for free.
-------------------
END NOTES
obviously not everyone vulnerable to dis bug
cuz not everyone use irix, but der is many a public
access unix systems in shrelaunka
who run irix who just might find demselfs wid no /var/mail
cuz a hacker used dis bug to gain gid mail.
so next time you meet kadaphie from shelaunka and he makes fun of you
den you can go break him off a lil somdin somdin wid dis bug and show
him what up.