Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Older SPARC return-into-libc exploits

From: Fyodor <fygrave () gmail com>
Date: Mon, 13 Aug 2007 17:36:44 +0800
the code might do some manipulation with the data in %i0 after the
first, and before the second return, i.e. before you hit the segfault.
you can disassemble the routine and see if you can alter the execution
flow by supplying different values, which would be restored into
registers after the first return. Usually there's alot of stuff to
play around at this point. In some cases you can can control the
memory addresses where routine would write stuff, so you can also
trigger the code execution by overwriting, for example some pointers
in the GOT table.



On 8/13/07, heigick <heigick () gmail com> wrote:

Hi all,

I'm currently attempting privilege escalation on a compromised client
Solaris 7 machine. Not being very fluent with the SPARC ABI, I'm starting
with the basics, for example the POC code there:
http://seclists.org/bugtraq/1999/Mar/0004.html
(the machine in question has noexec_user_stack set)

However, even the basic exploit for 'hole' dumps core -- using the (almost ;-) exact
same code and looking at the register state gives the following for i and l :

l0             0xdeadbe10
l1             0xdeadbe11
l2             0xdeadbe12
l3             0xdeadbe13
l4             0xdeadbe14
l5             0xdeadbe15
l6             0xdeadbe16
l7             0xdeadbe17

i0             0xff2b6b54
i1             0xdeadbe11
i2             0xdeadbe12
i3             0xdeadbe13
i4             0xdeadbe14
i5             0xdeadbe15

which seems totally OK, except for %i0, which is not the value I
expected: I always get the same address (0xff2bb6b54), regardless of
the address written into the input buffer. As this is supposed to be
the pointer fed to system(), this is not a good thing.

Any ideas on why this value is overwritten when every other register seems fine ?

Thanks

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------





-- 
http://o0o.nu

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: