[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20041021100222.GA1635@beastie.guard-info.com>
From: meder at areopag.net (Meder Kydyraliev)
Subject: basic exploit coding on solaris sparc
check out this one: http://66.230.171.10/papers/UNF-sparc-overflow.txt
On Wed, Oct 20, 2004 at 11:16:42PM -0600, Fabio wrote:
> Hi.
>
> I am trying to learn Solaris Sparc assembly and how exploits works on
> this architecture. I have a setuid root binary that has the following bug:
>
> #include <sys/stat.h>
> #include <stdio.h>
> #include <string.h>
> #include <stdlib.h>
>
> main(int argc,char *argv[])
> {
> char buffer[40];
> char buffarg[20];
> char *mailpath;
> strcpy(buffer,"/var/mail/");
> if (argc == 2)
> {
> strcpy(buffarg,argv[1]);
> mailpath=strcat(buffer,buffarg);
> printf("\nRemoving: %s\n",mailpath);
> if(!unlink(mailpath))
> {
> printf("Mailbox: %s delete\n\n", mailpath);
>
> }
> }
> }
>
> I found this shellcode (120 bytes long)
>
> http://shellcode.org/Shellcode/Solaris/solaris-sparc-shellcode.html
>
> the behavoir is the following:
>
> nietzsche% ./b `perl -e 'print "A" x 1000'`
> Segmentation fault (core dumped)
> nietzsche% ./b `perl -e 'print "A" x 24'`
> Segmentation fault (core dumped)
>
> The less value without core dump is 23.
>
> I am interested in code a exploit that execute a root shell, on
> 'smashing the stack' article they refer to Linux and x86, so I cant see
> information about sparc and register windowing.
>
> Anyone can help me to reproduce a exploit for the sample provided?
>
> Thanks in advance.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists