Open Source and information security mailing list archives
 
Message-ID: <5d84cb304102023563f7d028f@mail.gmail.com>
From: dunceor at gmail.com (Dunceor .)
Subject: basic exploit coding on solaris sparc

Here are a few texts that might help you.
http://community.core-sdi.com/~juliano/thc3-en.txt
http://community.core-sdi.com/~juliano/mudge-bof.pdf
http://community.core-sdi.com/~juliano/dlsparc.zip

Visit http://community.core-sdi.com/~juliano/ for more information on
vuln coding.

/ Dunceor

On Wed, 20 Oct 2004 23:16:42 -0600, Fabio <fabio@...arium.com> wrote:
> Hi.
> 
> I am trying to learn Solaris Sparc assembly and how exploits work on
> this architecture. I have a setuid root binary that has the following bug:
> 
> #include <sys/stat.h>
> #include <stdio.h>
> #include <string.h>
> #include <stdlib.h>
> #include <unistd.h>   /* unlink() */
> 
> int main(int argc, char *argv[])
> {
>       char buffer[40];
>       char buffarg[20];
>       char *mailpath;
> 
>       strcpy(buffer, "/var/mail/");
>       if (argc == 2)
>       {
>               /* unbounded copy: argv[1] longer than 19 bytes overflows buffarg */
>               strcpy(buffarg, argv[1]);
>               /* buffer has room for only 29 more bytes after "/var/mail/" */
>               mailpath = strcat(buffer, buffarg);
>               printf("\nRemoving: %s\n", mailpath);
>               if (!unlink(mailpath))
>               {
>                       printf("Mailbox: %s  delete\n\n", mailpath);
>               }
>       }
>       return 0;
> }
> 
> I found this shellcode (120 bytes long)
> 
> http://shellcode.org/Shellcode/Solaris/solaris-sparc-shellcode.html
> 
> the behavior is the following:
> 
> nietzsche% ./b `perl -e 'print "A" x 1000'`
> Segmentation fault (core dumped)
> nietzsche% ./b `perl -e 'print "A" x 24'`
> Segmentation fault (core dumped)
> 
> The less value without core dump is 23.
> 
> I am interested in coding an exploit that executes a root shell; the
> 'smashing the stack' article refers to Linux and x86, so I can't see
> information about sparc and register windowing.
> 
> Can anyone help me to reproduce an exploit for the sample provided?
> 
> Thanks in advance.
> 
>
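
The crash in the quoted program comes from the unbounded `strcpy` of `argv[1]` into the 20-byte `buffarg`, followed by `strcat` into the 40-byte `buffer`. As an added example (not code from either poster), here is a hardened form of the same program; the helper name `build_mail_path`, the `MAX_USER` limit and the allowed character set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAIL_DIR "/var/mail/"
#define MAX_USER 32   /* assumed upper bound on a mailbox name */

/* Build "/var/mail/<user>" into out. Returns 0 on success, -1 if the name
 * is empty, too long, not a single plain file name, or would not fit. */
int build_mail_path(const char *user, char *out, size_t outlen)
{
    size_t len, i;
    int n;

    if (user == NULL || out == NULL || outlen == 0)
        return -1;
    len = strlen(user);
    if (len == 0 || len > MAX_USER || user[0] == '.')  /* no ".", ".." */
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)                      /* '/' and other separators rejected */
            return -1;
    }
    n = snprintf(out, outlen, "%s%s", MAIL_DIR, user);
    if (n < 0 || (size_t)n >= outlen) {  /* would have been truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char path[sizeof(MAIL_DIR) + MAX_USER];  /* prefix + name + NUL */

    if (argc != 2 || build_mail_path(argv[1], path, sizeof path) != 0) {
        fprintf(stderr, "usage: %s <mailbox-name>\n", argc > 0 ? argv[0] : "prog");
        return 1;
    }
    printf("Removing: %s\n", path);
    if (unlink(path) != 0) {
        perror("unlink");
        return 1;
    }
    printf("Mailbox: %s deleted\n", path);
    return 0;
}
```

Because the binary is setuid root, the name is also restricted to a single path component so that `unlink` can only ever act on an entry directly inside `/var/mail/`.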

