Full Disclosure mailing list archives
Re: basic exploit coding on solaris sparc
From: "Dunceor ." <dunceor () gmail com>
Date: Thu, 21 Oct 2004 08:56:55 +0200
Here are a few texts that might help you.

http://community.core-sdi.com/~juliano/thc3-en.txt
http://community.core-sdi.com/~juliano/mudge-bof.pdf
http://community.core-sdi.com/~juliano/dlsparc.zip

Visit http://community.core-sdi.com/~juliano/ for more information on vuln coding.

/ Dunceor

On Wed, 20 Oct 2004 23:16:42 -0600, Fabio <fabio () crearium com> wrote:
Hi.
I am trying to learn Solaris SPARC assembly and how exploits work on
this architecture. I have a setuid root binary that has the following bug:
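#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>   /* unlink() */

int main(int argc, char *argv[])
{
    char buffer[40];
    char buffarg[20];
    char *mailpath;

    strcpy(buffer, "/var/mail/");
    if (argc == 2)
    {
        /* the bug: argv[1] is copied into the 20-byte buffarg unchecked */
        strcpy(buffarg, argv[1]);
        /* and then appended to the 40-byte buffer, again unchecked */
        mailpath = strcat(buffer, buffarg);
        printf("\nRemoving: %s\n", mailpath);
        if (!unlink(mailpath))
        {
            printf("Mailbox: %s delete\n\n", mailpath);
        }
    }
    return 0;
}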
I found this shellcode (120 bytes long)
http://shellcode.org/Shellcode/Solaris/solaris-sparc-shellcode.html
The behavior is the following:
nietzsche% ./b `perl -e 'print "A" x 1000'`
Segmentation fault (core dumped)
nietzsche% ./b `perl -e 'print "A" x 24'`
Segmentation fault (core dumped)
The less value without core dump is 23.
I am interested in coding an exploit that executes a root shell. The
'smashing the stack' article refers to Linux and x86, so I can't see
information about SPARC and register windowing.
Can anyone help me to reproduce an exploit for the sample provided?
Thanks in advance.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
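
Added example, not part of the original posts: the posted program copies argv[1] into the 20-byte buffarg with strcpy() and appends it to the 40-byte buffer with strcat(), with no length check on either. A hardened form of the same path construction follows; the function names, the 64-byte path buffer and the allowed character set are assumptions of this example.

```c
/* Added example; names and limits are assumptions, not the poster's code. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAIL_DIR "/var/mail/"

/* Accept only a plain file name: non-empty, no '/', not "." or "..",
 * and restricted to a conservative character set (assumed policy). */
static int valid_mailbox_name(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len = strlen(name);
    if (len == 0 || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strspn(name, allowed) == len;
}

/* Build MAIL_DIR + name into out. Returns 0 on success, -1 if the name is
 * rejected or the result would not fit (snprintf reports the needed length,
 * so truncation is detected instead of silently accepted). */
int build_mailpath(const char *name, char *out, size_t outlen)
{
    int n;
    if (name == NULL || out == NULL || outlen == 0 || !valid_mailbox_name(name))
        return -1;
    n = snprintf(out, outlen, "%s%s", MAIL_DIR, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    char path[64];
    if (argc != 2 || build_mailpath(argv[1], path, sizeof path) != 0) {
        fprintf(stderr, "usage: %s mailbox-name\n", argc > 0 ? argv[0] : "prog");
        return 1;
    }
    printf("Removing: %s\n", path);
    if (unlink(path) != 0) {
        perror("unlink");
        return 1;
    }
    printf("Mailbox: %s deleted\n", path);
    return 0;
}
```

With this version the 1000-byte and 24-byte arguments from the post are rejected before any copy takes place, and names containing '/' can no longer steer unlink() outside /var/mail/.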
