NX-stack bypass w(1) Local Root Exploit Realization <3 - Pt. 19
Woo-Hoo. I’m finally ready to release source code :D
Bazz's Code Developments
Heap-Based Execution from UTMPX entries – Pt. 17
there’s only enough room in the name[32] field for 28-4 = 24 bytes of ‘authentic’ asm instructions, followed by the 8 necessary for the call / branch instruction. What’s the difference between a call and a branch instruction.. Is it …
Heap-Based Execution from UTMPX entries – Pt. 17 Read more »
Race Condition SHMACE ShmUh’SMISION – pt. 16
WELL WELL WELL. I’m getting the shell.. but what’s this!?! As user .. “DAEMON!??!” UID of 1 ??? I thought to myself WTF.. So I tried touching a file.. this is the code I’m using to do that: So I …
Race Condition Determination – Pt. 15
It appears to be a blind race!?!? :[ But it is NOT so. There is a way to determine where my cool cat program IS in the race!! By adding the overflow entry as a USER_PROCESS entry, it can be …
Possible Circumvention — Pt. 14
In t_delete /* make op the root of the tree */ if (PARENT(op)) t_splay(op); make the parent point to another entry before in the heap… this is a entry/shellcode starter.. entry/shellcode (pp) starter format: SIZE(PP) is the first 8 bytes …
Analysis Utilities — Pt. 13
Yes, The TREE Structure in the TREE UTMPX Entry must start on WORD-aligned boundary (8-byte aligned 32 bits), (16-byte aligned address on 64-bit) To understand the 32/64 TREE structure in raw form: Demontrated difference between ALIGN on 32-bit vs. 64-bit …
3 Things today — Pt. 12
1 thing: Compiling 64-bit GDB 2 : Analyzing how the heap could be brute-forced in this exploit. 3: Discovering that the address returned by malloc is consistent across runs, on different machines!! With different UTMPX file sizes!! AWESOME!! The stack …
Being Awesome Pt. 11
No this is really a comparison of Stack space between Solaris 10 and Solaris 8.. at least the machines in question.. Solaris 10 box: without one-million argV[1]: 0xffbfe000 0xffbfffff 0x2000 0 -s–rwx with it: 0xffb0a000 0xffbfffff 0xf6000 0 -s–rwx Solaris …
Raw dissection of malloc – Pt. 10
Sorry this section and possibly others are not ordered properly.. It is raw research slate. Here is why ut_line parsing is important.. The test has lots of requirements to satisfy.. must be in /dev/ directory.. we have to be able …
Hacking a temporary “W(1)” — pt. 9
In order to do this exploit properly, 2 UTMPX entries will need to be used. 1 is the “last” one in the table and it must be pre-destined before takeoff. In other words, must be setup before calling “W.” It …