[Full-Disclosure] basic exploit coding on solaris sparc

From: Fabio (fabio_at_crearium.com)
Date: 10/21/04

    To: Full-Disclosure <full-disclosure@lists.netsys.com>
    Date: Wed, 20 Oct 2004 23:16:42 -0600
    
    

    Hi.

    I am trying to learn Solaris SPARC assembly and how exploits work on
    this architecture. I have a setuid root binary that has the following bug:

    #include <sys/stat.h>
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <unistd.h>   /* unlink() */

    int main(int argc, char *argv[])
    {
        char buffer[40];
        char buffarg[20];
        char *mailpath;

        strcpy(buffer, "/var/mail/");
        if (argc == 2)
        {
            strcpy(buffarg, argv[1]);   /* unbounded copy into a 20-byte buffer: the overflow */
            mailpath = strcat(buffer, buffarg);
            printf("\nRemoving: %s\n", mailpath);
            if (!unlink(mailpath))
            {
                printf("Mailbox: %s delete\n\n", mailpath);
            }
        }
        return 0;
    }

    I found this shellcode (120 bytes long):

    http://shellcode.org/Shellcode/Solaris/solaris-sparc-shellcode.html

    The behavior is the following:

    nietzsche% ./b `perl -e 'print "A" x 1000'`
    Segmentation fault (core dumped)
    nietzsche% ./b `perl -e 'print "A" x 24'`
    Segmentation fault (core dumped)

    The largest length without a core dump is 23.

    I am interested in coding an exploit that executes a root shell. The
    'Smashing the Stack' article refers to Linux and x86, so I can't find
    information about SPARC and register windowing.

    Can anyone help me reproduce an exploit for the sample provided?

    Thanks in advance.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
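For comparison with the posted program, here is a bounds-checked way to build the same "/var/mail/<user>" path. This is an added example, not code from the original post; it keeps the poster's 40-byte buffer size and leaves the unlink() call out, so only the path construction is shown.

```c
/* Added example: bounds-checked replacement for the strcpy/strcat
 * sequence in the posted program. MAILPATH_MAX mirrors buffer[40]. */
#include <stdio.h>
#include <string.h>

#define MAILDIR "/var/mail/"
#define MAILPATH_MAX 40

/* Build "/var/mail/<user>" into out (capacity outsz).
 * Returns 0 on success, -1 if the result would not fit.
 * snprintf never writes past outsz and reports the length it needed,
 * so an oversized argument is rejected instead of overrunning the stack. */
int build_mailpath(char *out, size_t outsz, const char *user)
{
    int needed = snprintf(out, outsz, "%s%s", MAILDIR, user);
    if (needed < 0 || (size_t)needed >= outsz) {
        if (outsz > 0)
            out[0] = '\0';   /* leave no truncated path behind */
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[MAILPATH_MAX];

    if (argc != 2) {
        fprintf(stderr, "usage: %s <user>\n", argv[0]);
        return 1;
    }
    if (build_mailpath(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long\n");
        return 1;
    }
    /* The original program would unlink(buffer) here. */
    printf("Mailbox path: %s\n", buffer);
    return 0;
}
```

With the 1000-byte argument from the post, build_mailpath() returns -1 and the program exits cleanly instead of faulting.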
