
Bazz's Code Developments


Category: Sparc/Solaris

Smashing the Stack+Data sections PT. VII

By michaelbazzinott001 | Posted on October 17, 2014 | Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

Remote Info. Disclosure for LibC: Today, I am seeking information disclosure through a global variable buffer overflow, which conveniently overflows into a long chain of data structures purely char*. I use this technique I am developing to obtain disclosure …


Hacking Apply — Pt. VI

By michaelbazzinott001 | Posted on October 16, 2014 | Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

./pty_apply_final is my latest pty program :) uses CTRL-S to fluctuate around the stack space, starting from the middle and then alternating up and down the size of the NOPsled -16 for being safe. works on Blade72 with the following …


Hacking Apply – Pt. V

By michaelbazzinott001 | Posted on October 15, 2014 | Posted in Asm, Bash, buffer overflow, C, Sparc/Solaris, Uncategorized

crucial address: right after the gets() in Acct: 0x11518 The exploit wasn’t working. The segfault was caused by another thing. Reg mess. Luckily, the only reg we need to restore to normal is %o3 must put a good value into …


Pearl — Hacking Apply — pt. IV

By michaelbazzinott001 | Posted on October 15, 2014 | Posted in Asm, buffer overflow, C, Sparc/Solaris, Uncategorized

So I had previously shown the filling of the buffer with 0x41, but that doesn’t help us locate any offset into the buffer. This will: [[[hidden PTY code]]] That code is stripped from an old version of a userspace keylogger I …


Pearl — Hacking Apply Pt III

By michaelbazzinott001 | Posted on October 15, 2014 | Posted in Bash, buffer overflow, C, Sparc/Solaris

First was to obtain the source code from blade72, /sources/apply-1.2. This wasn’t advertised; I happened to be digging around the filesystem one day and accidentally stumbled upon it :) fortunately it’s pre-compiled.. I move the sources to my own box.. …


Holy Mother of Pearl – Pt. II

By michaelbazzinott001 | Posted on October 15, 2014 | Posted in Bash, buffer overflow, Sparc/Solaris

Now let’s start perfecting our exploit: STACK RANGE 0xFFBEE000 . . 0xFFBEE800 . . 0xFFBEF000 . . 0xFFBEF800 . 0xFFBF0000 The above is the typical Stack range for a 32-bit sparc app in 64-bit kernel. That’s as specific as I …


Holy Mother of Pearl — SPARC Exploitation Excerpts!

By michaelbazzinott001 | Posted on October 14, 2014 | Posted in Bash, buffer overflow, Sparc/Solaris

SO, back to exploiting the userland gets() function. Vulnerable Test Prog #include <stdio.h> unsigned long get_sp( void ) { __asm__("or %sp,%sp,%r1"); // %r1 may have to be %i0 in some circumstances?? weirdness.. } void copy( ){ char buf[256]; gets(buf); } …


Making Sense of Sun Blades and the UltraSPARC-IIe

By michaelbazzinott001 | Posted on October 6, 2014 | Posted in Sparc/Solaris

Okies, so if you haven’t heard, I am hacking the Sun Blade 150, it’s a machine at school they still run that’s 10 years old. Pathetic. But it’s a good challenge for me to conquer and learn about operating systems …


Kernel Arch. Solaris 7 vs. Solaris 8

By michaelbazzinott001 | Posted on October 5, 2014 | Posted in Sparc/Solaris

I am reading the book Solaris Internals, 1st edition, where the majority covers Solaris 7. I maintain this blog post as a place to show the differences I have found along the way. Solaris 7 data structure for an address …


Grep Love + Less Love

By michaelbazzinott001 | Posted on October 5, 2014 | Posted in Sparc/Solaris

Some grep things that I found handy: man grep. Seriously. So yummy. Some handy things that I’m using right now. -A, -B, -C print an arbitrary number of lines After, Before, or Before/After the matched string line. Super cool. --no-filename, …


Copyright © 2025 Bazz's Code Developments | Powered by Responsive Theme