>On Thu, 24 Dec 1998, Casper Dik wrote:
>> I'd love it if someone did the "SPARC exercise". (If you have an
>> x86 exploit, it's not always as easy to make a SPARC one)

Well, it appears I should never have said that; it led to various ad hominem attacks. Please, I'm not a "vendor representative", it isn't "my" code and "I" am not the person to fix it. I'm just trying to help out here. I guess the irony of the remark was lost on some. (As someone else remarked, exercises left to the reader are left to the reader for a single reason most of the time: the author couldn't figure it out for himself.)

As for the KCMS code and fixing it myself, well, I'd love to have the power to do so, but as it stands, the Sun source code is spread over several bits all under different control. Some even under external control. Not all source code is available on our intranet (hate that word).

>On unpatched Solaris 2.6, sparc:
>
>% uname -a
>SunOS oy 5.6 Generic sun4m sparc SUNW,SPARCstation-20
>% /usr/openwin/bin/kcms_configure -P `perl -e 'print "a" x 9000'` foofoo
>%
>That's it, no seg fault. Am I doing something wrong?

No, SPARC stack frames are constructed differently. On Solaris/Intel, all you need is a return from the function that declared the overflown buffer. On SPARC, you need to return from the invoking function as well. The kcms_* program must test & exit before the overflow ends up in a register.

It may still be possible to craft an overflow for kcms_configure on SPARC that is exploitable; it's likely not to be as straightforward as the one on Intel.

Casper
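To make the "two returns" point concrete, here is a small simplified model of SPARC frame layout, added here as an illustration and not code from the post or from Solaris: it assumes every register window is spilled to its frame's 16-word save area on entry and filled from it on return, 32-word frames at fixed offsets, and constructed return addresses (0x1000, 0x2000, 0x3000). The overflowed buffer in B lies above B's own save area, so the first saved return address it reaches is the caller A's, which is only consumed when A returns.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model (added example): each frame begins with a 16-word
 * save area for the window's %l0-%l7 and %i0-%i7; %i7 (word 15) is the
 * return address.  Locals sit above the save area, and the caller's
 * frame, with its own save area, lies above that.  Frames: B at the
 * bottom, A above it, main above A (addresses grow upward).          */
enum { WORDS = 64, I7 = 15, FRAME = 32, BUF_OFF = 16 };
enum { FRAME_B = 0, FRAME_A = FRAME };
enum { RET_A_TO_MAIN = 0x2000u, RET_B_TO_A = 0x3000u };  /* constructed */

static uint32_t stack[WORDS];   /* constructed model stack, 256 bytes */

/* "save" on entry: the window is spilled into the frame's own save
 * area (what a window-overflow trap does on a deep stack).           */
static void enter(int frame, uint32_t ret_addr) {
    stack[frame + I7] = ret_addr;
}

/* "ret; restore": the window is filled from the save area on a
 * window-underflow trap, so the return address comes from memory.    */
static uint32_t leave(int frame) {
    return stack[frame + I7];
}

/* B copies its argument into a local buffer with no length check; the
 * copy runs upward from B's locals into A's frame.  The model clamps
 * the length only so the C array itself is never overrun.            */
static void b_copies(const uint8_t *src, size_t n) {
    size_t room = (WORDS - FRAME_B - BUF_OFF) * sizeof(uint32_t);
    memcpy((uint8_t *)&stack[FRAME_B + BUF_OFF], src, n < room ? n : room);
}

/* Runs A -> B with an argument of arg_len 'a' bytes (as in the posted
 * perl one-liner).  Stores B's return address in *b_ret and returns the
 * address control reaches when A returns into main.                  */
uint32_t run(size_t arg_len, uint32_t *b_ret) {
    uint8_t arg[192];
    memset(arg, 'a', sizeof arg);
    memset(stack, 0, sizeof stack);
    enter(FRAME_A, RET_A_TO_MAIN);
    enter(FRAME_B, RET_B_TO_A);
    b_copies(arg, arg_len < sizeof arg ? arg_len : sizeof arg);
    *b_ret = leave(FRAME_B);   /* B's save area is below the buffer: intact */
    return leave(FRAME_A);     /* A's save area is above it: overwritten    */
}
```

A 32-byte argument leaves both return addresses intact; 128 bytes reach A's saved %i7 while B still returns cleanly, which is why a program that tests and exits inside A never shows a fault.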
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:31 PDT