Blog Archives

Race Condition SHMACE ShmUh’SMISION – pt. 16

WELL WELL WELL. I’m getting the shell.. but what’s this!?! As user .. “DAEMON!??!” UID of 1 ??? I thought to myself WTF.. So I tried touching a file.. this is the code I’m using to do that: So I

Posted in Uncategorized

Race Condition Determination – Pt. 15

It appears to be a blind race!?!? :[ But it is NOT so. There is a way to determine where my cool cat program IS in the race!! By adding the overflow entry as a USER_PROCESS entry, it can be

Posted in Uncategorized

Possible Circumvention — Pt. 14

In t_delete /* make op the root of the tree */ if (PARENT(op)) t_splay(op); make the parent point to another entry before in the heap… this is an entry/shellcode starter.. entry/shellcode (pp) starter format: SIZE(PP) is the first 8 bytes

Posted in Uncategorized

Analysis Utilities — Pt. 13

Yes, The TREE Structure in the TREE UTMPX Entry must start on WORD-aligned boundary (8-byte aligned 32 bits), (16-byte aligned address on 64-bit) To understand the 32/64 TREE structure in raw form: Demonstrated difference between ALIGN on 32-bit vs. 64-bit

Posted in Uncategorized

3 Things today — Pt. 12

1 thing: Compiling 64-bit GDB 2 : Analyzing how the heap could be brute-forced in this exploit. 3: Discovering that the address returned by malloc is consistent across runs, on different machines!! With different UTMPX file sizes!! AWESOME!! The stack

Posted in Uncategorized

Being Awesome Pt. 11

No this is really a comparison of Stack space between Solaris 10 and Solaris 8.. at least the machines in question.. Solaris 10 box: without one-million argV[1]: 0xffbfe000 0xffbfffff 0x2000 0 -s--rwx with it: 0xffb0a000 0xffbfffff 0xf6000 0 -s--rwx Solaris

Posted in Uncategorized

Raw dissection of malloc – Pt. 10

Sorry this section and possibly others are not ordered properly.. It is raw research slate. Here is why ut_line parsing is important.. The test has lots of requirements to satisfy.. must be in /dev/ directory.. we have to be able

Posted in Uncategorized

Hacking a temporary “W(1)” — pt. 9

In order to do this exploit properly, 2 UTMPX entries will need to be used. 1 is the “last” one in the table and it must be pre-destined before takeoff. In other words, must be setup before calling “W.” It

Posted in Uncategorized

DTrace — Pt. 6

This thing is incredible. I’m learning from the book “DTrace Dynamic Tracing in Oracle® Solaris, Mac OS X, and FreeBSD” by Brendan Gregg and Jim Mauro. It’s a good book so far. I’m in Ch. 1 30,000 trace points.. Here are

Posted in Uncategorized

Solaris 10 .. Part 5

Welcome to the 5th series in a research effort to divulge the kernel execution vulnerability to gain root privileges via an undisclosed vector in a vulnerable NameFS kernel module, present in Solaris 8, 9, & 10. I was originally only

Posted in Uncategorized