Blog Archives

NX-stack bypass w(1) Local Root Exploit Realization <3 - Pt. 19

Woo-Hoo. I’m finally ready to release source code :D

Posted in Asm, buffer overflow, C, NameFS, Sparc/Solaris

Heap-Based Execution from UTMPX entries – Pt. 17

there’s only enough room in the name[32] field for 28-4 = 24 bytes of ‘authentic’ asm instructions, followed by the 8 necessary for the call / branch instruction. What’s the difference between a call and a branch instruction.. Is it

Posted in Asm, GDB, Sparc/Solaris

Race Condition SHMACE ShmUh’SMISION – pt. 16

WELL WELL WELL. I’m getting the shell.. but what’s this!?! As user .. “DAEMON!??!” UID of 1 ??? I thought to myself WTF.. So I tried touching a file.. this is the code I’m using to do that: So I

Posted in Uncategorized

Race Condition Determination – Pt. 15

It appears to be a blind race!?!? :[ But it is NOT so. There is a way to determine where my cool cat program IS in the race!! By adding the overflow entry as a USER_PROCESS entry, it can be

Posted in Uncategorized

Possible Circumvention — Pt. 14

In t_delete /* make op the root of the tree */ if (PARENT(op)) t_splay(op); make the parent point to another entry before in the heap… this is a entry/shellcode starter.. entry/shellcode (pp) starter format: SIZE(PP) is the first 8 bytes

Posted in Uncategorized

Analysis Utilities — Pt. 13

Yes, The TREE Structure in the TREE UTMPX Entry must start on WORD-aligned boundary (8-byte aligned 32 bits), (16-byte aligned address on 64-bit) To understand the 32/64 TREE structure in raw form: Demontrated difference between ALIGN on 32-bit vs. 64-bit

Posted in Uncategorized

3 Things today — Pt. 12

1 thing: Compiling 64-bit GDB 2 : Analyzing how the heap could be brute-forced in this exploit. 3: Discovering that the address returned by malloc is consistent across runs, on different machines!! With different UTMPX file sizes!! AWESOME!! The stack

Posted in Uncategorized

Being Awesome Pt. 11

No this is really a comparison of Stack space between Solaris 10 and Solaris 8.. at least the machines in question.. Solaris 10 box: without one-million argV[1]: 0xffbfe000 0xffbfffff 0x2000 0 -s–rwx with it: 0xffb0a000 0xffbfffff 0xf6000 0 -s–rwx Solaris

Posted in Uncategorized

Raw dissection of malloc – Pt. 10

Sorry this section and possibly others are not ordered properly.. It is raw research slate. Here is why ut_line parsing is important.. The test has lots of requirements to satisfy.. must be in /dev/ directory.. we have to be able

Posted in Uncategorized

Hacking a temporary “W(1)” — pt. 9

In order to do this exploit properly, 2 UTMPX entries will need to be used. 1 is the “last” one in the table and it must be pre-destined before takeoff. In other words, must be setup before calling “W.” It

Posted in Uncategorized
Skip to toolbar