NX-stack bypass w(1) Local Root Exploit Realization <3 - Pt. 19
Woo-Hoo. I’m finally ready to release source code :D
Category: buffer overflow
Uncovering ‘W(1)’ Heap Overflow Exploit — Pt 7
Messing with programs I learned that there is a 8-byte window after the buffer, where the first 4 actually “say” something.. Don’t know what yet.. but all it takes is that first byte to be overwritten AND a subsequent call …
Memory Disclosure Pt. VIII
This might be useful as some sort of binary signature in System(). /var/adm/messages is where the stack-execution notice comes up. I don’t know if the SIGPIPE error could possibly produce a message in /var/adm/messages, or some other log?? let’s see…. …
Smashing the Stack+Data sections PT. VII
Remote Info. Disclosure for LibC Today, I am seeking information disclosure through a global variable buffer overflow, which conveniently overflows into a long chain of data structures purely char* . I use this technique I am developing to obtain disclosure …
Hacking Apply — Pt. VI
./pty_apply_final is my latest pty program :) uses CTRL-S to fluctuate around the stack space, starting from the middle and then alternating up and down the size of the NOPsled -16 for being safe. works on Blade72 with the following …
Hacking Apply – Pt. V
crucial address: right after the gets() in Acct: 0x11518 The exploit wasn’t working. The segfault was caused by another thing. Reg mess. Luckily, the only reg we need to restore to normal is %o3 must put a good value into …
Pearl — Hacking Apply — pt. IV
So had previously showed the filling of the buffer with 0x41 but that doesn’t help us locate any offset into the buffer. this will: [[[hidden PTY code]]] That code is stripped from an old version of a userspace keylogger I …
Pearl — Hacking Apply Pt III
First was to obtain the source code from blade72, /sources/apply-1.2 This wasn’t advertised, I happened to be digging around the filesystem one day and accidently stumbled upon it :) fortunately it’s pre-compiled.. I move the sources to my own box.. …
Holy Mother of Pearl – Pt. II
Now let’s start perfecting our exploit: STACK RANGE 0xFFBEE000 . . 0xFFBEE800 . . 0xFFBEF000 . . 0xFFBEF800 . 0xFFBF0000 The above is the typical Stack range for a 32-bit sparc app in 64-bit kernel. That’s as specific as I …
Holy Mother of Pearl — SPARC Exploitation Excerpts!
SO, back to exploiting the userland gets() function. Vulnerable Test Prog #include <stdio.h> unsigned long get_sp( void ) { __asm__("or %sp,%sp,%r1"); // %r1 may have to be %i0 in some circumstances?? weirdness.. } void copy( ){ char buf[256]; gets(buf); } …
Holy Mother of Pearl — SPARC Exploitation Excerpts! Read more »