Re: Older SPARC return-into-libc exploits

From: Fyodor (fygrave@gmail.com)
Date: Mon Aug 13 2007 - 05:36:44 EDT


The code might do some manipulation with the data in %i0 after the
first, and before the second return, i.e. before you hit the segfault.
You can disassemble the routine and see if you can alter the execution
flow by supplying different values, which would be restored into
registers after the first return. Usually there's a lot of stuff to
play around with at this point. In some cases you can control the
memory addresses where the routine would write stuff, so you can also
trigger the code execution by overwriting, for example, some pointers
in the GOT table.

On 8/13/07, heigick <heigick@gmail.com> wrote:
> Hi all,
>
> I'm currently attempting privilege escalation on a compromised client
> Solaris 7 machine. Not being very fluent with the SPARC ABI, I'm starting
> with the basics, for example the POC code there:
> http://seclists.org/bugtraq/1999/Mar/0004.html
> (the machine in question has noexec_user_stack set)
>
> However, even the basic exploit for 'hole' dumps core -- using the (almost ;-) exact
> same code and looking at the register state gives the following for i and l:
>
> l0 0xdeadbe10
> l1 0xdeadbe11
> l2 0xdeadbe12
> l3 0xdeadbe13
> l4 0xdeadbe14
> l5 0xdeadbe15
> l6 0xdeadbe16
> l7 0xdeadbe17
>
> i0 0xff2b6b54
> i1 0xdeadbe11
> i2 0xdeadbe12
> i3 0xdeadbe13
> i4 0xdeadbe14
> i5 0xdeadbe15
>
> which seems totally OK, except for %i0, which is not the value I
> expected: I always get the same address (0xff2bb6b54), regardless of
> the address written into the input buffer. As this is supposed to be
> the pointer fed to system(), this is not a good thing.
>
> Any ideas on why this value is overwritten when every other register seems fine?
>
> Thanks
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

-- 
http://o0o.nu


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:01 EDT