Full Disclosure mailing list archives
basic exploit coding on solaris sparc
From: Fabio <fabio () crearium com>
Date: Wed, 20 Oct 2004 23:16:42 -0600
Hi.I am trying to learn Solaris Sparc assembly and how exploits works on this architecture. I have a setuid root binary that has the following bug:
#include <sys/stat.h> #include <stdio.h> #include <string.h> #include <stdlib.h> main(int argc,char *argv[]) { char buffer[40]; char buffarg[20]; char *mailpath; strcpy(buffer,"/var/mail/"); if (argc == 2) { strcpy(buffarg,argv[1]); mailpath=strcat(buffer,buffarg); printf("\nRemoving: %s\n",mailpath); if(!unlink(mailpath)) { printf("Mailbox: %s delete\n\n", mailpath); } } } I found this shellcode (120 bytes long) http://shellcode.org/Shellcode/Solaris/solaris-sparc-shellcode.html the behavoir is the following: nietzsche% ./b `perl -e 'print "A" x 1000'` Segmentation fault (core dumped) nietzsche% ./b `perl -e 'print "A" x 24'` Segmentation fault (core dumped) The less value without core dump is 23.I am interested in code a exploit that execute a root shell, on 'smashing the stack' article they refer to Linux and x86, so I cant see information about sparc and register windowing.
Anyone can help me to reproduce a exploit for the sample provided? Thanks in advance. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- basic exploit coding on solaris sparc Fabio (Oct 20)
- Re: basic exploit coding on solaris sparc Dunceor . (Oct 21)
- Re: basic exploit coding on solaris sparc Meder Kydyraliev (Oct 21)