Hey heigick,
On Mon, 13 Aug 2007, Fyodor wrote:
On 8/13/07, heigick <heigick@gmail.com> wrote:
Hi all,
I'm currently attempting privilege escalation on a compromised client
Solaris 7 machine. Not being very fluent with the SPARC ABI, I'm starting
with the basics, for example the POC code there:
http://seclists.org/bugtraq/1999/Mar/0004.html
(the machine in question has noexec_user_stack set)
the code might do some manipulation with the data in %i0 after the
first, and before the second return, i.e. before you hit the segfault.
you can disassemble the routine and see if you can alter the execution
flow by supplying different values, which would be restored into
registers after the first return. Usually there's alot of stuff to play
around at this point. In some cases you can can control the memory
addresses where routine would write stuff, so you can also trigger the
code execution by overwriting, for example some pointers in the GOT
table.
Here's a collection of exploitation examples that you may find useful:
http://www.0xdeadbeef.info/code/solaris-sparc-exploits.tgz
And here are some real-life exploits that work on Solaris 7 (SPARC):
http://www.0xdeadbeef.info/exploits/raptor_rlogin.c
http://www.0xdeadbeef.info/exploits/raptor_ldpreload.c
http://www.0xdeadbeef.info/exploits/raptor_libdthelp.c
http://www.0xdeadbeef.info/exploits/raptor_libdthelp2.c
HTH,
--
Marco Ivaldi, OPST
Chief Security Officer Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
