Blog Archives

Stay out of the logs — /var/log/auth.log

PROBLEM: the auth.log gets appended to after logging out… Oct 24 00:38:23 gateway sshd[1801]: pam_unix(sshd:session): session closed for user root You can erase all other traces but not that… Let’s try adding a process right before logging out, and NOHUP’ing

Posted in Bash, C

Hacking Apply – Pt. V

crucial address: right after the gets() in Acct: 0x11518 The exploit wasn’t working. The segfault was caused by another thing. Reg mess. Luckily, the only reg we need to restore to normal is %o3 must put a good value into

Posted in Asm, Bash, buffer overflow, C, Sparc/Solaris, Uncategorized

Pearl — Hacking Apply Pt III

First was to obtain the source code from blade72, /sources/apply-1.2 This wasn’t advertised, I happened to be digging around the filesystem one day and accidently stumbled upon it :) fortunately it’s pre-compiled.. I move the sources to my own box..

Posted in Bash, buffer overflow, C, Sparc/Solaris

Holy Mother of Pearl – Pt. II

Now let’s start perfecting our exploit: The above is the typical Stack range for a 32-bit sparc app in 64-bit kernel. That’s as specific as I care for.. We can create a guesser program to, based on nop-sled size, slice

Posted in Bash, buffer overflow, Sparc/Solaris

Holy Mother of Pearl — SPARC Exploitation Excerpts!

SO, back to exploiting the userland gets() function. Vulnerable Test Prog This invoke scripts helps me keep the stack offset the same whether I run the program in GDB or not.. Note: it doesn’t work that well on my Sun

Posted in Bash, buffer overflow, Sparc/Solaris

OS X After patching shellshock, Xquartz fails + sh: line 6: `BASH_FUNC_rvm_debug%%’: not a valid identifier

After patching my /bin/bash with scripts, I noticed some odd things. When I did an ssh -X, I would see this: Then X would start up after performing an X app, and I would get this in XQuartz: Then, quartz

Posted in Bash, OSX

Finding all suid programs on Sparc machine leads to Pwnage

Find all Suid programs on disk Example Output I love it!! It led to me find this gem on the server: FMI: we notice that some binaries are different size: The added module.. What’s gecos? Turns out that this is

Posted in Bash, Sparc/Solaris

[POC] [Shellshock] Bash SSHD PreAuth Remote Exploit

The hype around the ShellShock bash exploit is circulating everywhere. Some have proven methods of: BAD DHCP server Remote code execution in CGI scripts However, most research suggests that the SSH daemon is only susceptible to the shell shock exploit

Tagged with: , , , , , , , , , , , , ,
Posted in Bash
Skip to toolbar