Race Condition SHMACE ShmUh’SMISION – pt. 16
WELL WELL WELL. I’m getting the shell.. but what’s this!?! As user .. “DAEMON!??!” UID of 1 ??? I thought to myself WTF.. So I tried touching a file.. this is the code I’m using to do that: So I …
Category: Uncategorized
Race Condition Determination – Pt. 15
It appears to be a blind race!?!? :[ But it is NOT so. There is a way to determine where my cool cat program IS in the race!! By adding the overflow entry as a USER_PROCESS entry, it can be …
Possible Circumvention — Pt. 14
In t_delete /* make op the root of the tree */ if (PARENT(op)) t_splay(op); make the parent point to another entry before in the heap… this is a entry/shellcode starter.. entry/shellcode (pp) starter format: SIZE(PP) is the first 8 bytes …
Analysis Utilities — Pt. 13
Yes, The TREE Structure in the TREE UTMPX Entry must start on WORD-aligned boundary (8-byte aligned 32 bits), (16-byte aligned address on 64-bit) To understand the 32/64 TREE structure in raw form: Demontrated difference between ALIGN on 32-bit vs. 64-bit …
3 Things today — Pt. 12
1 thing: Compiling 64-bit GDB 2 : Analyzing how the heap could be brute-forced in this exploit. 3: Discovering that the address returned by malloc is consistent across runs, on different machines!! With different UTMPX file sizes!! AWESOME!! The stack …
Being Awesome Pt. 11
No this is really a comparison of Stack space between Solaris 10 and Solaris 8.. at least the machines in question.. Solaris 10 box: without one-million argV[1]: 0xffbfe000 0xffbfffff 0x2000 0 -s–rwx with it: 0xffb0a000 0xffbfffff 0xf6000 0 -s–rwx Solaris …
Raw dissection of malloc – Pt. 10
Sorry this section and possibly others are not ordered properly.. It is raw research slate. Here is why ut_line parsing is important.. The test has lots of requirements to satisfy.. must be in /dev/ directory.. we have to be able …
Hacking a temporary “W(1)” — pt. 9
In order to do this exploit properly, 2 UTMPX entries will need to be used. 1 is the “last” one in the table and it must be pre-destined before takeoff. In other words, must be setup before calling “W.” It …
DTrace — Pt. 6
This thing is incredible. I’m learning from the book “DTrace Dynamic Tracing in Oracle® Solaris, Mac OS X, and FreeBSD” by Brendan Gregg Jim Mauro It’s a good book so far. I’m in Ch. 1 30,000 trace points.. Here are …
Solaris 10 .. Part 5
Welcome to the 5th series in a research effort to divulge the kernel execution vulnerability to gain root privileges via an undisclosed vector in a vulnerable NameFS kernel module, present in Solaris 8, 9, & 10. I was originally only …