Blog Archives

NX-stack bypass w(1) Local Root Exploit Realization <3 - Pt. 19

Woo-Hoo. I’m finally ready to release source code :D

Posted in Asm, buffer overflow, C, NameFS, Sparc/Solaris

Uncovering ‘W(1)’ Heap Overflow Exploit — Pt 7

Messing with programs, I learned that there is an 8-byte window after the buffer, where the first 4 actually “say” something... Don’t know what yet... but all it takes is that first byte to be overwritten AND a subsequent call

Posted in buffer overflow, C, Sparc/Solaris

File Descriptors – More than Meets the Eye – Pt. 3

A search on “what is a file descriptor”: http://en.wikipedia.org/wiki/File_descriptor “In computer programming, a file descriptor (FD) is an abstract indicator for accessing a file” — the “file” keyword is clickable, and it goes on to compare “files” to “documents”

Posted in C, Sparc/Solaris

Learning NameFS, MDB — Pt. II

Here is an important excerpt from Solaris Internals, present in both the old version and the new (up to Solaris 10):

Posted in C, NameFS, Sparc/Solaris

Going after an undocumented Local Privilege Escalation OS vulnerability

First things first... getting started with Solaris 8 mdb, a kernel debugging utility, a modular debugger. The vulnerability is in NameFS, according to these articles: Sun Bug Id# 6581308 https://blogs.oracle.com/sunsecurity/entry/sun_alert_237986_a_security http://dl.packetstormsecurity.net/0808-advisories/sa31356.txt http://www.securityfocus.com/bid/30513/discuss Good hint here: http://www.rapid7.com/db/vulnerabilities/sunpatch-114984

Posted in C, NameFS, Sparc/Solaris

Stay out of the logs — /var/log/auth.log

PROBLEM: the auth.log gets appended to after logging out… “Oct 24 00:38:23 gateway sshd[1801]: pam_unix(sshd:session): session closed for user root” You can erase all other traces but not that… Let’s try adding a process right before logging out, and NOHUP’ing

Posted in Bash, C

Memory Disclosure Pt. VIII

This might be useful as some sort of binary signature in System(). /var/adm/messages is where the stack-execution notice comes up. I don’t know if the SIGPIPE error could possibly produce a message in /var/adm/messages, or some other log? Let’s see…

Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

Smashing the Stack+Data sections PT. VII

Remote Info. Disclosure for LibC. Today, I am seeking information disclosure through a global-variable buffer overflow, which conveniently overflows into a long chain of data structures, purely char*. I use this technique I am developing to obtain disclosure

Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

Hacking Apply — Pt. VI

./pty_apply_final is my latest pty program :) It uses CTRL-S to fluctuate around the stack space, starting from the middle and then alternating up and down by the size of the NOP sled (-16 to be safe). Works on Blade72 with the following

Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

Hacking Apply – Pt. V

Crucial address: right after the gets() in Acct: 0x11518. The exploit wasn’t working. The segfault was caused by another thing: reg mess. Luckily, the only reg we need to restore to normal is %o3; must put a good value into

Posted in Asm, Bash, buffer overflow, C, Sparc/Solaris, Uncategorized