Re: Older SPARC return-into-libc exploits

[Marco Ivaldi <raptor () mediaservice net>]

Hey heigick,

On Mon, 13 Aug 2007, Fyodor wrote:

> On 8/13/07, heigick <heigick () gmail com> wrote:
> > Hi all,
> >
> > I'm currently attempting privilege escalation on a compromised client
> > Solaris 7 machine. Not being very fluent with the SPARC ABI, I'm starting
> > with the basics, for example the POC code there:
> > http://seclists.org/bugtraq/1999/Mar/0004.html
> > (the machine in question has noexec_user_stack set)
>
> the code might do some manipulation with the data in %i0 after the 
> first, and before the second return, i.e. before you hit the segfault. 
> you can disassemble the routine and see if you can alter the execution 
> flow by supplying different values, which would be restored into 
> registers after the first return. Usually there's alot of stuff to play 
> around at this point. In some cases you can can control the memory 
> addresses where routine would write stuff, so you can also trigger the 
> code execution by overwriting, for example some pointers in the GOT 
> table.

Here's a collection of exploitation examples that you may find useful:

http://www.0xdeadbeef.info/code/solaris-sparc-exploits.tgz

And here are some real-life exploits that work on Solaris 7 (SPARC):

http://www.0xdeadbeef.info/exploits/raptor_rlogin.c
http://www.0xdeadbeef.info/exploits/raptor_ldpreload.c
http://www.0xdeadbeef.info/exploits/raptor_libdthelp.c
http://www.0xdeadbeef.info/exploits/raptor_libdthelp2.c

HTH,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------