Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: basic exploit coding on solaris sparc
From: Meder Kydyraliev <meder () areopag net>
Date: Thu, 21 Oct 2004 16:02:22 +0600

check out this one: http://66.230.171.10/papers/UNF-sparc-overflow.txt

On Wed, Oct 20, 2004 at 11:16:42PM -0600, Fabio wrote:
Hi.

I am trying to learn Solaris Sparc assembly and how exploits works on 
this architecture. I have a setuid root binary that has the following bug:

#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

main(int argc,char *argv[])
{
char buffer[40];
char buffarg[20];
char *mailpath;
      strcpy(buffer,"/var/mail/");
      if (argc == 2)
      {
              strcpy(buffarg,argv[1]);
              mailpath=strcat(buffer,buffarg);
              printf("\nRemoving: %s\n",mailpath);
              if(!unlink(mailpath))
              {
                      printf("Mailbox: %s  delete\n\n", mailpath);

              }
        }
}

I found this shellcode (120 bytes long)

http://shellcode.org/Shellcode/Solaris/solaris-sparc-shellcode.html

the behavoir is the following:

nietzsche% ./b `perl -e 'print "A" x 1000'`
Segmentation fault (core dumped)
nietzsche% ./b `perl -e 'print "A" x 24'`
Segmentation fault (core dumped)

The less value without core dump is 23.

I am interested in code a exploit that execute a root shell, on 
'smashing the stack' article they refer to Linux and x86, so I cant see 
information about sparc and register windowing.

Anyone can help me to reproduce a exploit for the sample provided?

Thanks in advance.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]