On Thu, 9 Jul 1998, _ _ wrote:

> There is a commonly known local exploit available which works on
> Count.cgi. Plaguez posted the original and Gus posted a mod for linux.

Plaguez created the original *remote* linux exploit; all I did was clean things up a bit and add some offsets for different versions. Like everything else, we stand on the shoulders of what goes before.

The code you posted is an old version that I released to settle an argument. I sent the full version in to rootshell after noticing that someone had sent in the old one; you can get it from rootshell or from http://www.intasys.com/~angus/count.cgi.l.c

> I've tried to modify the exploit further to work on a remote linux site.
> This seems to be a better way than to test our site internally.
> It compiles fine and seems to run, but doesn't send me an Xterm.
> I have attached my hacked code. Any ideas or suggested improvements??

WTF is this doing on bugtraq? Did you read and UNDERSTAND what is going on in Count.cgi, and why this does or does not work? Did you even "xhost +"?

Anyway. If you want it for "white hat" purposes, here is a quicker way of checking. If the version is 2.4, then it is patched for this bug. Anything below that is vulnerable. (2.4 is the latest version.)

http://www.fccc.edu/users/muquit/Count.html is the author's homepage for the program. Download and compile it, get the file size and then compare it to what is on your web server. On Linux it is 79800 bytes, or 71624 bytes after stripping.

If you really do want to test your systems by running an exploit over them, and this is a recurring need, then you would be well served by taking the time to create 'execve("/bin/sh","-c","<-- whatever -->");' shellcode and retrofitting it to all the exploits that come out. When you retrofit it, just add a routine to overwrite the spaces you left in the shellcode with the command line you wish to execute.

It's not that hard (heh, it can't be if I managed it :-/), but like everyone else I'm not gonna release it to the public. You then have the chance to run an arbitrary command line on the host, and your white hatted-ness will be made so much easier, since you can run "ping -c1 icmp.logging.host.name" and just collect a list of vulnerable machines from your syslog.

_Gus
--
angusat_private
http://www.intasys.com/~angus/
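The "compile the current release and compare it to what is on your web server" check that the mail recommends, as an added example that is not part of the original post and not code from the Count.cgi author. It walks a document root looking for Count.cgi binaries, compares each one's size against the two Linux sizes quoted above (79800 unstripped, 71624 stripped), and, when a locally built reference binary is supplied, compares SHA-256 digests so that a size coincidence is not mistaken for a match. The filename list, the `scan`/`classify` helpers and the verdict strings are my own assumptions; the reference sizes are the ones the mail gives and only apply to a Linux build of that release.

```python
"""Inventory check for installed Count.cgi binaries (added example, not from the mail).

Reference sizes are the Linux build sizes quoted in the mail for the current
release; matching a size is only a hint, and the hash comparison against a
binary you compiled yourself from the author's source is the real check.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional

# Sizes quoted in the mail for the current (patched) Linux build.
REFERENCE_SIZES = {
    79800: "unstripped Linux build",
    71624: "stripped Linux build",
}


@dataclass
class Finding:
    path: str
    size: int
    size_match: Optional[str]   # description of the matching reference size, if any
    hash_match: Optional[bool]  # None when no reference binary was supplied
    verdict: str


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: str, reference_binary: Optional[str] = None) -> Finding:
    """Compare one installed binary against the reference sizes and (optionally) a reference build."""
    size = os.path.getsize(path)
    size_match = REFERENCE_SIZES.get(size)
    hash_match = None
    if reference_binary is not None:
        hash_match = sha256_of(path) == sha256_of(reference_binary)

    # A hash verdict always outranks a size verdict: two different builds can share a size.
    if hash_match is True:
        verdict = "identical to locally built current release"
    elif hash_match is False:
        verdict = "differs from locally built current release: check its version"
    elif size_match is not None:
        verdict = f"size matches {size_match} of current release (confirm with hash)"
    else:
        verdict = "size matches no known current build: probably older, check its version"
    return Finding(path, size, size_match, hash_match, verdict)


def scan(root: str, names=("Count.cgi",), reference_binary: Optional[str] = None) -> List[Finding]:
    """Walk a document root (e.g. the web server's cgi-bin tree) and classify every matching binary."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in names:
                findings.append(classify(os.path.join(dirpath, name), reference_binary))
    return findings


if __name__ == "__main__":
    import sys
    # usage: count_check.py <docroot> [reference Count.cgi built from the author's source]
    ref = sys.argv[2] if len(sys.argv) > 2 else None
    for f in scan(sys.argv[1], reference_binary=ref):
        print(f"{f.path}: {f.size} bytes, {f.verdict}")
```

Run it against the web server's cgi-bin tree with the freshly compiled binary as the second argument; anything reported as differing or of unknown size is a candidate for the version check the mail describes. A size match without a hash match should never be treated as proof on its own.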
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:17 PDT