https://obsolescenceguaranteed.blogspot.com/2023/11/stack-buffer-overflow-attack-211bsd-on.html

Nov 14

Stack buffer overflow attack: 211BSD on the PDP-11

[belong-to-us-pdp11]

What to do with a PDP-11? Or, same thing, with a modern PiDP-11 replica? Well, if you lack any productive ideas, maybe hack your way into it. A PDP-11 is a (in fact, the original) networked unix machine. Retrohacking on good old telnet!

Aiden and Luis(*) sat down in front of my PiDP-11 at the recent Zurich Vintage Computer Festival. Five minutes of clacking away on the terminal and they told me that 'all your PDP-11 are belong to us now'. Well, not really. But they did this nice stack buffer overflow attack on the machine in just a few lines of code. A demonstration, really:

[hackme]

So, only shortish names will fit in 'char user[16]'. Anything more will overwrite the next item(s) on the stack, which here is logically the return address of main(). The PDP-11 stores the least significant byte at the lower memory address for a 16-bit word (like little-endian, but careful with that term for the 11), and thus, if the 17th byte on the stack is modified to point at the flag() function, that otherwise unused function is called. All you need to do is find the address of flag() and put it into a longish name.

You could find it through the unix adb debugger (no gdb here!), which is a nice excuse to learn about that:

[adb]

Or just use the more concise:

[nm]

So octal 114 is the byte value we want. This little program will abuse that:

[exploit]

And thus:

[captured]

As simple as that. I thought that was pretty and simple non-productive fun on vintage unix. Something to chew on. Thanks to Aiden & Luis, this is why I love VCFs.

Now I'm off fantasizing about how to organise a hack-my-11 contest on the PiDP-11 Google Group. Have BSD on an online PiDP-11, and see who can capture the root flag first through a user telnet connection?
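Before the contest idea, back to the 'char user[16]' bug itself. This is an added example, not the post's code (the PDP-11 program is only shown as an image above): the unbounded copy into a 16-byte name buffer that the post describes, beside a bounded version that refuses to spill past the array. USER_LEN mirrors the post's 'char user[16]'; the function names and sample inputs are constructed for illustration.

```c
/* Added example, not the post's code: the unbounded copy into a 16-byte
 * name buffer that the post describes, beside a bounded version.
 * USER_LEN mirrors the post's 'char user[16]'; everything else is constructed. */
#include <stdio.h>
#include <string.h>

#define USER_LEN 16   /* the post's 'char user[16]' */

/* Unsafe: input longer than 15 characters (plus the NUL) is written past the
 * end of the array into whatever sits above it on the stack; in the post that
 * is the saved return address of main(). Defined for comparison, never called. */
void copy_user_unsafe(char user[USER_LEN], const char *input)
{
    strcpy(user, input);  /* no length check: the stack overflow */
}

/* Hardened: copy at most USER_LEN-1 bytes and always NUL-terminate.
 * Returns 1 if the whole input fit, 0 if it had to be truncated, so the
 * caller can reject the name or log the attempt instead of silently using it. */
int copy_user_bounded(char user[USER_LEN], const char *input)
{
    size_t n = strlen(input);
    if (n >= USER_LEN) {
        memcpy(user, input, USER_LEN - 1);
        user[USER_LEN - 1] = '\0';
        return 0;
    }
    memcpy(user, input, n + 1);  /* n + 1 includes the terminating NUL */
    return 1;
}

/* Bytes an input occupies including its NUL; anything above USER_LEN would
 * have run over the stack in the unsafe version. Note that a name of exactly
 * 16 characters already overflows: the terminator is the 17th byte. */
size_t bytes_needed(const char *input)
{
    return strlen(input) + 1;
}

int main(void)
{
    char user[USER_LEN];
    const char *names[] = { "aiden", "sixteen-letters!", "a-much-longer-name-than-fits" };
    for (int i = 0; i < 3; i++) {
        int ok = copy_user_bounded(user, names[i]);
        printf("%-30s needs %2zu bytes -> %s, stored \"%s\"\n", names[i],
               bytes_needed(names[i]), ok ? "fits" : "TRUNCATED", user);
    }
    return 0;
}
```

The 16-character sample is the case people miss: it looks like it fits the 16-byte array, but its terminator is the 17th byte, exactly the one the post says lands on the return address.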
There are a lot of vintage unix skills to be learned/shared, and a lot of quality time on 211BSD to be spent this way. Would that not be a great way to spend quality time on vintage unix and the 11? But that is for later.

(*) They preferred first-name-only credits

PS - Two more things to chew on, fun to investigate after this post:

* Why does the exploit still print "Hello, a.out!" at the end?
* Why is it obvious that the return from main() is the next thing on the stack?

Posted 2 days ago by Unknown