ex_inc.c exploits a bounds checking error in /usr/jp/bin/mh/inc which was distributed with the mh-6.8.3 package. Local root compromise.
64f2aa455cd466403bc433552e384ce9c8e0ca9b98c3b17c61c9298a5606d3ea
ex_bbc.c exploits a bounds checking error in /usr/jp/bin/mh/bbc which was distributed with the mh-6.8.3 package. Local root compromise.
473ed7b2b606ac73b513d39a31d17c1a0273bb06e15e9331e35c648649c833b8
kcms_configure has a overflow bug with "-P" option and it has been reported(107339-01). But this program has another hole. This hole has not been not reported, and the paches are not published at this time. kcms_configure overflows if long string is specified in NETPATH environment, and it is exploitable. I have included an exploit for Solaris7 intel edition to obtain root privilege.
ea0a516a062e19771e9d6d970e1a6bd9a1fc9ee7ecf921fcb1848a66309b1ef1
The vulnerability in kcms_configure also exists in Solaris 2.6 and 2.7 sparc edition. Exploit included.
ddad8f87f48eb849bc4bf6f56910e4be16715ce9dec57022ab5c00f69f2c1712
The mailer programs (mailtool and dtmail) and mail message print filter (dtmailpr) which are installed on Solaris7 have exploitable buffer overflow bugs. These programs are sgid (mail group) programs, local user can obtain mail group. The mail files are generated with 660 permission, so any user can read/write other user's mail files. I coded the exploits to get mail gid(egid=6). There are for Intel Solaris7. There are same kind of problems on Sparc Solaris7 and Solaris2.6 (Intel,Sparc).
e92d0a93449cedf9a5f2e97de3948d9c6e4f86ade92541e2bae6d0f02e99dcf4
Admintool local root exploit for Solaris2.6/7 Sparc machines.
b69c9cefb259fec08d07e73ec2112aafb9dd38c3c3df8295a4ee405733e2666d
Local root exploit code for buffer overflow in canuum for Japanese Linux.
fd52577360eeaf28add4cfb979dda4918874e018bf645981ba365c5ede4420e4
Exploit code for Solaris 2.6, 2.7 (sparc) libc/LC_MESSAGES buffer overflow that results in root compromise.
d3475dfd6a18d0ea0ebae341315790632e0506dde74ffd73896455098c786437
Local root exploit for buffer overflow condition in sdtcm_convert, for Solaris Sparc machines.
a0d7c588f719baff069310b8f91c793cc31be84e8863b2e4edbb769adf0abb05
Local root exploit for buffer overflow condition in sdtcm_convert, for Solaris x86 machines.
1764caeacfb6acc3fbe32be85482da92a8fdec180449b4136f92d8edfbfc3228
Local root exploit code for buffer overflow in uum for Japanese Linux.
6883ef84c1d928fa1e9805d6ee8cd081c57968245eace2e2072ea8083a28edcc