Penetration Testing mailing list archives
Re: Older SPARC return-into-libc exploits
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 24 Aug 2007 18:01:45 +0200 (ora solare Europa occidentale)
Hey heigick, On Mon, 13 Aug 2007, Fyodor wrote:
On 8/13/07, heigick <heigick () gmail com> wrote:Hi all, I'm currently attempting privilege escalation on a compromised client Solaris 7 machine. Not being very fluent with the SPARC ABI, I'm starting with the basics, for example the POC code there: http://seclists.org/bugtraq/1999/Mar/0004.html (the machine in question has noexec_user_stack set)the code might do some manipulation with the data in %i0 after the first, and before the second return, i.e. before you hit the segfault. you can disassemble the routine and see if you can alter the execution flow by supplying different values, which would be restored into registers after the first return. Usually there's alot of stuff to play around at this point. In some cases you can can control the memory addresses where routine would write stuff, so you can also trigger the code execution by overwriting, for example some pointers in the GOT table.
Here's a collection of exploitation examples that you may find useful: http://www.0xdeadbeef.info/code/solaris-sparc-exploits.tgz And here are some real-life exploits that work on Solaris 7 (SPARC): http://www.0xdeadbeef.info/exploits/raptor_rlogin.c http://www.0xdeadbeef.info/exploits/raptor_ldpreload.c http://www.0xdeadbeef.info/exploits/raptor_libdthelp.c http://www.0xdeadbeef.info/exploits/raptor_libdthelp2.c HTH, -- Marco Ivaldi, OPST Chief Security Officer Data Security Division @ Mediaservice.net Srl http://mediaservice.net/ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Older SPARC return-into-libc exploits heigick (Aug 12)
- Re: Older SPARC return-into-libc exploits Fyodor (Aug 13)
- Re: Older SPARC return-into-libc exploits Marco Ivaldi (Aug 24)
- Re: Older SPARC return-into-libc exploits Fyodor (Aug 13)