This chapter covers advanced Solaris exploitation using the dynamic linker. We also cover the generation of encrypted shellcode, used for defeating -Network IDS (Intrusion Detection System) and/or IPS (Intrusion Prevention System) devices.

Dynamic linking is explained extensively in the SPARC ABI (Application Binary Interface). We advise you to go over the ABI manual, which you can find at http://www.sun.com/software/solaris/programs/abi/, for better coverage of the concepts and to learn how dynamic linking works for various architectures and systems. In this chapter, we cover only the details necessary for constructing new exploitation methods in the Solaris/SPARC environment.

Overwriting Global Offset Table (GOT) entries to gain control of execution in Linux has been demonstrated and widely used in many public and private exploits. This technique is known to be the most robust and reliable way of exploitation of Write-to-anywhere-in-memory overflow primitives (such as format string bugs, heap overflows, and so on). These vulnerabilities have all made use of the classic method of exploitation, namely overwriting the return address. The return address is stored in the thread stack and differs in various execution environments, which often leads to long brute force sessions in order to gather its location. For these reasons, altering the GOT in Linux and BSD OSes has been the best exploitation vector for various types of bug classes. Unfortunately, ...