Re: Remote count.cgi exploit mods

From: Gus (angusat_private)
Date: Sat Jul 11 1998 - 10:01:16 PDT


    On Thu, 9 Jul 1998, _ _ wrote:
    > There is a commonly known local exploit available which works on
    > Count.cgi. Plaguez posted the original and Gus posted a mod for Linux.
    
    Plaguez created the original *remote* Linux exploit; all I did was clean
    things up a bit and add some offsets for different versions. Like
    everything else, we stand on the shoulders of what goes before.
    
    The code you posted is an old version that I released to settle an
    argument. I sent the full version in to rootshell after noticing that
    someone had sent in the old one; you can get it from rootshell or
    from http://www.intasys.com/~angus/count.cgi.l.c
    
    
    > I've tried to modify the exploit further to work on a remote Linux site.
    > This seems to be a better way than to test our site internally.
    > It compiles fine and seems to run, but doesn't send me an xterm.
    > I have attached my hacked code. Any ideas or suggested improvements??
    
    WTF is this doing on bugtraq? Did you read and UNDERSTAND what is going on
    in Count.cgi, and why this does or does not work? Did you even "xhost +" ?
    
    Anyway.
    
    If you want it for "white hat" purposes, here is a quicker way of
    checking. If the version is 2.4, then it is patched for this bug. Anything
    below that is vulnerable. (2.4 is the latest version)
    
    http://www.fccc.edu/users/muquit/Count.html is the author's homepage for
    the program. Download and compile it, get the file size and then compare
    it to what is on your web server. On Linux it is 79800 bytes, or 71624
    bytes after stripping.
    
    If you really do want to test your systems by running an exploit over
    them, and this is a recurring need, then you would be well served by
    taking the time to create 'execve("/bin/sh","-c","<-- whatever -->");'
    shellcode and retrofitting it to all the exploits that come out. When you
    retrofit it, just add a routine to overwrite the spaces you left in the
    shellcode with the command line you wish to execute. It's not that hard,
    (heh, it can't be if I managed it :-/) but like everyone else I'm not
    gonna release it to the public.
    
    You then have the chance to run an arbitrary command line on the host, and
    your white hatted-ness will be made so much easier, since you can run
    "ping -c1 icmp.logging.host.name" and just collect a list of vulnerable
    machines from your syslog.
    
    
            _Gus
    
    --
                                    angusat_private
                              http://www.intasys.com/~angus/
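The post ends with the collection side of Gus's white-hat sweep: each host that is still vulnerable runs "ping -c1" against a logging host, and the list of vulnerable machines is then read out of that host's syslog. The script below is an added example of that collection step only; it is not from the original message, the list archive, or Gus. It assumes the logging host writes inbound packets as iptables-style kernel LOG lines (key=value pairs such as SRC=, PROTO=, TYPE=), which is an assumption about the log format, and the sample lines are constructed. It keeps only ICMP echo requests (TYPE=8, what ping sends), ignores echo replies and non-ICMP noise, and can be restricted to the time window in which the sweep was run so that unrelated background pings are not mistaken for callbacks.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the original post). They imitate
# iptables-style kernel LOG entries: inbound ICMP echo requests (TYPE=8) from
# hosts that ran "ping -c1 <logging host>", plus unrelated noise lines
# (an echo reply, an sshd message, and a TCP packet) that must be ignored.
SAMPLE_SYSLOG = """\
Jul 11 10:01:16 icmphost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=0
Jul 11 10:01:17 icmphost kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
Jul 11 10:01:18 icmphost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jul 11 10:01:19 icmphost kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=0
Jul 11 10:01:20 icmphost sshd[123]: Accepted publickey for gus from 192.0.2.13 port 40000
Jul 11 10:01:21 icmphost kernel: IN=eth0 OUT= SRC=192.0.2.14 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=1234 DPT=80
"""

# Syslog prefix ("Mon DD HH:MM:SS host kernel: ") followed by the key=value payload.
KERNEL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<kv>.*)$"
)
TS_FORMAT = "%b %d %H:%M:%S"  # syslog timestamps carry no year


def parse_kv(payload):
    """Turn 'IN=eth0 OUT= SRC=192.0.2.10 ...' into a dict (empty values kept)."""
    fields = {}
    for token in payload.split():
        key, _sep, value = token.partition("=")
        fields[key] = value
    return fields


def _in_window(ts, since, until):
    """True if the syslog timestamp ts lies inside the optional [since, until] window."""
    t = datetime.strptime(ts, TS_FORMAT)
    if since is not None and t < datetime.strptime(since, TS_FORMAT):
        return False
    if until is not None and t > datetime.strptime(until, TS_FORMAT):
        return False
    return True


def collect_callbacks(lines, since=None, until=None):
    """Map each source IP that sent an ICMP echo request to its first-seen time and count.

    Only kernel LOG lines with PROTO=ICMP and TYPE=8 (echo request) count; echo
    replies, other protocols and non-kernel lines are skipped, as are lines
    outside the optional time window in which the sweep was run.
    """
    seen = {}
    for line in lines:
        m = KERNEL_LINE.match(line)
        if not m:
            continue
        fields = parse_kv(m.group("kv"))
        if fields.get("PROTO") != "ICMP" or fields.get("TYPE") != "8":
            continue
        src = fields.get("SRC")
        if not src or not _in_window(m.group("ts"), since, until):
            continue
        entry = seen.setdefault(src, {"first": m.group("ts"), "count": 0})
        entry["count"] += 1
    return seen


if __name__ == "__main__":
    # Constructed usage: list the hosts that called back during the sweep.
    for src, info in sorted(collect_callbacks(SAMPLE_SYSLOG.splitlines()).items()):
        print(f"{src:15} first={info['first']} count={info['count']}")
```

On the sample data only 192.0.2.10 and 192.0.2.11 are reported: 192.0.2.12 sent an echo reply rather than a request, and the other two lines are not ICMP at all. Narrowing the window with since/until is the practical guard against counting a host that happens to ping the logging machine for unrelated reasons.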
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:17 PDT