Bugtraq mailing list archives

Solaris 8 libsldap exploit


From: Noir Desir <noir () gsu linux org tr>
Date: Thu, 5 Jul 2001 14:14:09 +0300 (EEST)

Hi,

I wish to free this one since it has been made public by some ppl.
libsldap hole has been known for long. As far as I know,
sway () hack co za did actually find the hole several months ago and
generously let me know about it. All propz goes to him. Thanks bro.

Exploit is plain simple, tested on an Ultra10 and an Enterprise 3500 with
success. I usually support the anti-sec movement but I got my reasons to
publish the exploit. If you want to know why, please do mail me.

$ ./libsldap-exp
libsldap.so.1 $LDAP_OPTIONS enviroment variable buffer overflow
Exploit code: noir () gsu linux org tr
Bug discovery: sway () hack co za

Usage: ./libsldap-exp target#

target#: 0, /usr/bin/passwd Solaris8, Sparc64
target#: 1, /usr/bin/nispasswd Solaris8, Sparc64
target#: 2, /usr/bin/yppasswd Solaris8, Sparc64
target#: 3, /usr/bin/chkey Solaris8, Sparc64
target#: 4, /usr/lib/sendmail Solaris8, Sparc64
$ ./libsldap-exp 0
# id
uid=0(root) gid=0(root)
#


PS: t(L)amer sahin, you are going to get such a kick in the ass that it will come out of your mouth.
I just wanted you to know : )

 
Greetings: sway, anathema, gov-boi, www.hack.co.za, ertan_kurt, cronos


cheers,
noir



Attachment: libsldap-exp.c