From: heigick (heigick@gmail.com)
Date: Sun Aug 12 2007 - 12:47:18 EDT
Hi all,
I'm currently attempting privilege escalation on a compromised client
Solaris 7 machine. Not being very fluent with the SPARC ABI, I'm starting
with the basics, for example the POC code there:
http://seclists.org/bugtraq/1999/Mar/0004.html
(the machine in question has noexec_user_stack set)
However, even the basic exploit for 'hole' dumps core -- using the (almost ;-) exact
same code and looking at the register state gives the following for i and l :
l0 0xdeadbe10
l1 0xdeadbe11
l2 0xdeadbe12
l3 0xdeadbe13
l4 0xdeadbe14
l5 0xdeadbe15
l6 0xdeadbe16
l7 0xdeadbe17
i0 0xff2b6b54
i1 0xdeadbe11
i2 0xdeadbe12
i3 0xdeadbe13
i4 0xdeadbe14
i5 0xdeadbe15
which seems totally OK, except for %i0, which is not the value I
expected: I always get the same address (0xff2bb6b54), regardless of
the address written into the input buffer. As this is supposed to be
the pointer fed to system(), this is not a good thing.
Any ideas on why this value is overwritten when every other register seems fine ?
Thanks
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:00 EDT