Monthly Archives: October 2014

Uncovering ‘W(1)’ Heap Overflow Exploit — Pt 7

Messing with programs I learned that there is an 8-byte window after the buffer, where the first 4 actually “say” something.. Don’t know what yet.. but all it takes is that first byte to be overwritten AND a subsequent call

Posted in buffer overflow, C, Sparc/Solaris

DTrace — Pt. 6

This thing is incredible. I’m learning from the book “DTrace: Dynamic Tracing in Oracle® Solaris, Mac OS X, and FreeBSD” by Brendan Gregg and Jim Mauro. It’s a good book so far. I’m in Ch. 1. 30,000 trace points.. Here are

Posted in Uncategorized

Solaris 10 .. Part 5

Welcome to the 5th series in a research effort to divulge the kernel execution vulnerability to gain root privileges via an undisclosed vector in a vulnerable NameFS kernel module, present in Solaris 8, 9, & 10. I was originally only

Posted in Uncategorized

Solaris 7 8 9 modload user upload kernel module

“The Shellcoder’s Handbook” comes supplied with a ready exploit against http://www.securitytracker.com/id/1008833 But, it has some problems. The kernel module compiling script is broken (needs -c flag), else it will bitch about _init and _fini being defined twice.. This script uses

Posted in Sparc/Solaris

NameFS Follow up, Sun Studio 11 — Pt. 4

I learned something cool about NameFS today.. You can mount a file descriptor to a folder and that entire folder’s contents are irretrievable. The folder becomes what I like to think of as a symbolic link to the file descriptor. Isn’t

Posted in Sparc/Solaris

File Descriptors – More than Meets the Eye – Pt. 3

A search on “what is a file descriptor” : http://en.wikipedia.org/wiki/File_descriptor “In computer programming, a file descriptor (FD) is an abstract indicator for accessing a file” — the “file” keyword is clickable and it goes on to compare “files” to “documents”

Posted in C, Sparc/Solaris

Learning NameFS, MDB — Pt. II

Here is an important excerpt from Solaris Internals, present in both the old version and the new (up to Solaris 10):

Posted in C, NameFS, Sparc/Solaris

Going after an undocumented Local Privilege Escalation OS vulnerability

First things first.. getting started with Solaris 8 mdb, a kernel debugging utility, a modular debugger. The vulnerability is in NameFS, according to these articles: Sun Bug Id# 6581308 https://blogs.oracle.com/sunsecurity/entry/sun_alert_237986_a_security http://dl.packetstormsecurity.net/0808-advisories/sa31356.txt http://www.securityfocus.com/bid/30513/discuss Good hint here: http://www.rapid7.com/db/vulnerabilities/sunpatch-114984

Posted in C, NameFS, Sparc/Solaris

Stay out of the logs — /var/log/auth.log

PROBLEM: the auth.log gets appended to after logging out… Oct 24 00:38:23 gateway sshd[1801]: pam_unix(sshd:session): session closed for user root You can erase all other traces but not that… Let’s try adding a process right before logging out, and NOHUP’ing

Posted in Bash, C

PREFACE – Hacking UMB’s CS Apply program

This page serves as a preface to the 11-part series of research I have written directly to blog. There is an ‘apply’ program in the Computer Science (CS) department at my university, University of Massachusetts Boston. This program allows students, faculty, staff, alumni, and

Posted in Uncategorized