Blog Archives

NX-stack bypass w(1) Local Root Exploit Realization <3 - Pt. 19

Woo-Hoo. I’m finally ready to release source code :D

Posted in Asm, buffer overflow, C, NameFS, Sparc/Solaris

Uncovering ‘W(1)’ Heap Overflow Exploit — Pt 7

Messing with programs I learned that there is an 8-byte window after the buffer, where the first 4 bytes actually “say” something.. Don’t know what yet.. but all it takes is that first byte to be overwritten AND a subsequent call

Posted in buffer overflow, C, Sparc/Solaris

Memory Disclosure Pt. VIII

This might be useful as some sort of binary signature in System(). /var/adm/messages is where the stack-execution notice comes up. I don’t know if the SIGPIPE error could possibly produce a message in /var/adm/messages, or some other log?? Let’s see….

Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

Smashing the Stack+Data sections PT. VII

Remote Info. Disclosure for LibC. Today, I am seeking information disclosure through a global variable buffer overflow, which conveniently overflows into a long chain of data structures that are purely char*. I use this technique I am developing to obtain disclosure

Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

Hacking Apply — Pt. VI

./pty_apply_final is my latest pty program :) It uses CTRL-S to fluctuate around the stack space, starting from the middle and then alternating up and down by the size of the NOP sled minus 16, to be safe. Works on Blade72 with the following

Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

Hacking Apply – Pt. V

Crucial address: right after the gets() in Acct: 0x11518. The exploit wasn’t working. The segfault was caused by another thing: a register mess. Luckily, the only register we need to restore to normal is %o3; must put a good value into

Posted in Asm, Bash, buffer overflow, C, Sparc/Solaris, Uncategorized

Pearl — Hacking Apply — pt. IV

So I had previously shown the filling of the buffer with 0x41, but that doesn’t help us locate any offset into the buffer. This will: [[[hidden PTY code]]] That code is stripped from an old version of a userspace keylogger I

Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

Pearl — Hacking Apply Pt III

First was to obtain the source code from blade72, /sources/apply-1.2. This wasn’t advertised; I happened to be digging around the filesystem one day and accidentally stumbled upon it :) Fortunately it’s pre-compiled.. I move the sources to my own box..

Posted in Bash, buffer overflow, C, Sparc/Solaris

Holy Mother of Pearl – Pt. II

Now let’s start perfecting our exploit: The above is the typical stack range for a 32-bit SPARC app on a 64-bit kernel. That’s as specific as I care for.. We can create a guesser program to, based on NOP-sled size, slice

Posted in Bash, buffer overflow, Sparc/Solaris

Holy Mother of Pearl — SPARC Exploitation Excerpts!

SO, back to exploiting the userland gets() function. Vulnerable Test Prog: This invoke script helps me keep the stack offset the same whether I run the program in GDB or not.. Note: it doesn’t work that well on my Sun

Posted in Bash, buffer overflow, Sparc/Solaris