PROBLEM: the auth.log gets appended to after logging out… Oct 24 00:38:23 gateway sshd[1801]: pam_unix(sshd:session): session closed for user root You can erase all other traces but not that… Let’s try adding a process right before logging out, and NOHUP’ing…
Blog Archives
Hacking Apply – Pt. V
crucial address: right after the gets() in Acct: 0x11518 The exploit wasn’t working. The segfault was caused by another thing. Reg mess. Luckily, the only reg we need to restore to normal is %o3 must put a good value into…
Pearl — Hacking Apply Pt III
First was to obtain the source code from blade72, /sources/apply-1.2 This wasn’t advertised, I happened to be digging around the filesystem one day and accidently stumbled upon it :) fortunately it’s pre-compiled.. I move the sources to my own box..…
Holy Mother of Pearl – Pt. II
Now let’s start perfecting our exploit: The above is the typical Stack range for a 32-bit sparc app in 64-bit kernel. That’s as specific as I care for.. We can create a guesser program to, based on nop-sled size, slice…
Holy Mother of Pearl — SPARC Exploitation Excerpts!
SO, back to exploiting the userland gets() function. Vulnerable Test Prog This invoke scripts helps me keep the stack offset the same whether I run the program in GDB or not.. Note: it doesn’t work that well on my Sun…
OS X After patching shellshock, Xquartz fails + sh: line 6: `BASH_FUNC_rvm_debug%%’: not a valid identifier
After patching my /bin/bash with https://shellshocker.net/ scripts, I noticed some odd things. When I did an ssh -X, I would see this: Then X would start up after performing an X app, and I would get this in XQuartz: Then, quartz…
Finding all suid programs on Sparc machine leads to Pwnage
Find all Suid programs on disk Example Output I love it!! It led to me find this gem on the server: FMI: we notice that some binaries are different size: The added module.. What’s gecos? Turns out that this is…
Posted in Bash, Sparc/Solaris
[POC] [Shellshock] Bash SSHD PreAuth Remote Exploit
The hype around the ShellShock bash exploit is circulating everywhere. Some have proven methods of: BAD DHCP server Remote code execution in CGI scripts However, most research suggests that the SSH daemon is only susceptible to the shell shock exploit…
