Blog Archives

Epic GDB session of “userspace” utmp_update — pt. 8

Summary: id is what makes new entries to utmpx file possible… pad couldn’t be “1” but “aa” is working… The “PID” check is OFF

Posted in Sparc/Solaris

Uncovering ‘W(1)’ Heap Overflow Exploit — Pt 7

Messing with programs I learned that there is an 8-byte window after the buffer, where the first 4 actually “say” something.. Don’t know what yet.. but all it takes is that first byte to be overwritten AND a subsequent call

Posted in buffer overflow, C, Sparc/Solaris

DTrace — Pt. 6

This thing is incredible. I’m learning from the book “DTrace: Dynamic Tracing in Oracle® Solaris, Mac OS X, and FreeBSD” by Brendan Gregg and Jim Mauro. It’s a good book so far. I’m in Ch. 1, 30,000 trace points.. Here are

Posted in Uncategorized

Solaris 10 .. Part 5

Welcome to the 5th series in a research effort to divulge the kernel execution vulnerability to gain root privileges via an undisclosed vector in a vulnerable NameFS kernel module, present in Solaris 8, 9, & 10. I was originally only

Posted in Uncategorized

Solaris 7 8 9 modload user upload kernel module

“The Shellcoder’s Handbook” comes supplied with a ready exploit against http://www.securitytracker.com/id/1008833 But it has some problems: the kernel module compiling script is broken (needs the -c flag), else it will bitch about _init and _fini being defined twice.. This script uses

Posted in Sparc/Solaris

NameFS Follow up, Sun Studio 11 — Pt. 4

I learned something cool about NameFS today.. You can mount a file descriptor on a folder and that entire folder’s contents become irretrievable. The folder becomes what I like to think of as a symbolic link to the file descriptor. Isn’t

Posted in Sparc/Solaris

File Descriptors – More than Meets the Eye – Pt. 3

A search on “what is a file descriptor” : http://en.wikipedia.org/wiki/File_descriptor “In computer programming, a file descriptor (FD) is an abstract indicator for accessing a file” — the “file” keyword is clickable and it goes on to compare “files” to “documents”

Posted in C, Sparc/Solaris

Learning NameFS, MDB — Pt. II

Here is an important excerpt from Solaris Internals, present in both the old version and the new (up to Solaris 10):

Posted in C, NameFS, Sparc/Solaris

Going after an undocumented Local Privilege Escalation OS vulnerability

First things first.. getting started with Solaris 8 mdb, a modular kernel debugger. The vulnerability is in NameFS, according to these articles: Sun Bug Id# 6581308 https://blogs.oracle.com/sunsecurity/entry/sun_alert_237986_a_security http://dl.packetstormsecurity.net/0808-advisories/sa31356.txt http://www.securityfocus.com/bid/30513/discuss Good hint here: http://www.rapid7.com/db/vulnerabilities/sunpatch-114984

Posted in C, NameFS, Sparc/Solaris

Stay out of the logs — /var/log/auth.log

PROBLEM: the auth.log gets appended to after logging out… Oct 24 00:38:23 gateway sshd[1801]: pam_unix(sshd:session): session closed for user root You can erase all other traces but not that… Let’s try adding a process right before logging out, and NOHUP’ing it

Posted in Bash, C