Penetration Testing mailing list archives
Older SPARC return-into-libc exploits
From: heigick <heigick () gmail com>
Date: Sun, 12 Aug 2007 18:47:18 +0200
Hi all, I'm currently attempting privilege escalation on a compromised client Solaris 7 machine. Not being very fluent with the SPARC ABI, I'm starting with the basics, for example the POC code there: http://seclists.org/bugtraq/1999/Mar/0004.html (the machine in question has noexec_user_stack set) However, even the basic exploit for 'hole' dumps core -- using the (almost ;-) exact same code and looking at the register state gives the following for i and l : l0 0xdeadbe10 l1 0xdeadbe11 l2 0xdeadbe12 l3 0xdeadbe13 l4 0xdeadbe14 l5 0xdeadbe15 l6 0xdeadbe16 l7 0xdeadbe17 i0 0xff2b6b54 i1 0xdeadbe11 i2 0xdeadbe12 i3 0xdeadbe13 i4 0xdeadbe14 i5 0xdeadbe15 which seems totally OK, except for %i0, which is not the value I expected: I always get the same address (0xff2bb6b54), regardless of the address written into the input buffer. As this is supposed to be the pointer fed to system(), this is not a good thing. Any ideas on why this value is overwritten when every other register seems fine ? Thanks ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Older SPARC return-into-libc exploits heigick (Aug 12)
- Re: Older SPARC return-into-libc exploits Fyodor (Aug 13)
- Re: Older SPARC return-into-libc exploits Marco Ivaldi (Aug 24)
- Re: Older SPARC return-into-libc exploits Fyodor (Aug 13)