Bugtraq mailing list archives
Re: Knox Arkeia remote root/system exploit
From: H D Moore <sflist () digitaloffense net>
Date: Sun, 20 Feb 2005 07:07:51 -0600
The metasploit project has released two exploits for this flaw:

http://metasploit.com/projects/Framework/exploits.html#arkeia_type77_win32
http://metasploit.com/projects/Framework/exploits.html#arkeia_type77_macos

The win32 exploit has targets for every version of Arkeia between 4.2 and 5.3.3. The macos exploit should work across a large range of versions with no modifications. Both of these exploits have the capability to dump the remote system information and Arkeia version[1].

This bug looks difficult or even impossible to exploit on the Solaris 64bit platform; the main() function calls exit()[2] before the final return to the overwritten stack pointer. It may be possible to use one of the local variable overwrites to an advantage, but at first glance it seems unlikely.

-HD

1. There are worse problems here than stack overflows...
2. It actually calls doexit() which in turn calls exit()

On Friday 18 February 2005 10:29, John Doe wrote:
/*
 * Knox Arkeia Server Backup
 * arkeiad local/remote root exploit
 * Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE
 * Works up to current version 5.3.x
 [ snip ]
 */