From: Marco Ivaldi (raptor@mediaservice.net)
Date: Fri Aug 24 2007 - 12:01:45 EDT
Hey heigick,
On Mon, 13 Aug 2007, Fyodor wrote:
> On 8/13/07, heigick <heigick@gmail.com> wrote:
>> Hi all,
>>
>> I'm currently attempting privilege escalation on a compromised client
>> Solaris 7 machine. Not being very fluent with the SPARC ABI, I'm starting
>> with the basics, for example the POC code there:
>> http://seclists.org/bugtraq/1999/Mar/0004.html
>> (the machine in question has noexec_user_stack set)
>
> The code might do some manipulation with the data in %i0 after the
> first, and before the second return, i.e. before you hit the segfault.
> You can disassemble the routine and see if you can alter the execution
> flow by supplying different values, which would be restored into
> registers after the first return. Usually there's a lot of stuff to play
> around with at this point. In some cases you can control the memory
> addresses where the routine would write stuff, so you can also trigger
> code execution by overwriting, for example, some pointers in the GOT
> table.
Here's a collection of exploitation examples that you may find useful:
http://www.0xdeadbeef.info/code/solaris-sparc-exploits.tgz
And here are some real-life exploits that work on Solaris 7 (SPARC):
http://www.0xdeadbeef.info/exploits/raptor_rlogin.c
http://www.0xdeadbeef.info/exploits/raptor_ldpreload.c
http://www.0xdeadbeef.info/exploits/raptor_libdthelp.c
http://www.0xdeadbeef.info/exploits/raptor_libdthelp2.c
HTH,
--
Marco Ivaldi, OPST
Chief Security Officer
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:03 EDT