Full Disclosure mailing list archives
Re: basic exploit coding on solaris sparc
From: Meder Kydyraliev <meder () areopag net>
Date: Thu, 21 Oct 2004 16:02:22 +0600
check out this one: http://66.230.171.10/papers/UNF-sparc-overflow.txt

On Wed, Oct 20, 2004 at 11:16:42PM -0600, Fabio wrote:
Hi.

I am trying to learn Solaris Sparc assembly and how exploits work on this architecture. I have a setuid root binary that has the following bug:

#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>   /* unlink() */

int main(int argc,char *argv[])
{
    char buffer[40];
    char buffarg[20];
    char *mailpath;

    strcpy(buffer,"/var/mail/");
    if (argc == 2) {
        /* unbounded copy of argv[1] into a 20-byte buffer */
        strcpy(buffarg,argv[1]);
        /* unbounded append into the 40-byte buffer */
        mailpath=strcat(buffer,buffarg);
        printf("\nRemoving: %s\n",mailpath);
        if(!unlink(mailpath)) {
            printf("Mailbox: %s delete\n\n", mailpath);
        }
    }
}

I found this shellcode (120 bytes long)
http://shellcode.org/Shellcode/Solaris/solaris-sparc-shellcode.html

The behavior is the following:

nietzsche% ./b `perl -e 'print "A" x 1000'`
Segmentation fault (core dumped)
nietzsche% ./b `perl -e 'print "A" x 24'`
Segmentation fault (core dumped)

The lowest value without a core dump is 23.

I am interested in coding an exploit that executes a root shell. The 'smashing the stack' article refers to Linux and x86, so I can't see information about sparc and register windowing.

Can anyone help me reproduce an exploit for the sample provided?

Thanks in advance.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
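Added example, not part of the original posts: a bounded rewrite of the quoted program's path handling, showing how the two unchecked copies can be replaced by one length-checked `snprintf`. The helper name `build_mailpath` and the name checks (no empty name, no `.`/`..`, no `/`) are assumptions of this example, chosen so a setuid binary only ever unlinks a file directly under `/var/mail/`.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAIL_DIR "/var/mail/"

/* Hypothetical helper: build "/var/mail/<user>" into out (size outlen).
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
int build_mailpath(char *out, size_t outlen, const char *user)
{
    int written;

    /* Reject empty names, "." and "..", and anything containing a path
     * separator, so the result cannot point outside MAIL_DIR. */
    if (user[0] == '\0' || strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return -1;
    if (strchr(user, '/') != NULL)
        return -1;

    /* snprintf writes at most outlen bytes including the terminator; a
     * return value >= outlen means truncation, treated here as an error. */
    written = snprintf(out, outlen, "%s%s", MAIL_DIR, user);
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    char mailpath[40];   /* same size as buffer[40] in the quoted program */

    if (argc != 2) {
        fprintf(stderr, "usage: %s <user>\n", argv[0]);
        return 2;
    }
    if (build_mailpath(mailpath, sizeof mailpath, argv[1]) != 0) {
        fprintf(stderr, "invalid mailbox name\n");
        return 1;
    }
    printf("\nRemoving: %s\n", mailpath);
    if (unlink(mailpath) == 0)
        printf("Mailbox: %s deleted\n\n", mailpath);
    else
        perror("unlink");
    return 0;
}
```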