How to compile. Full disclosure? (Was: Re: rpc.ttdbserver

From: Ken Williams (jkwilli2at_private)
Date: Mon Oct 05 1998 - 12:51:14 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Mon, 5 Oct 1998 routeat_private wrote:
    
    >| Date: Mon, 5 Oct 1998 11:25:07 -0700 (PDT)
    >| From: routeat_private
    >| To: jkwilli2at_private
    >| Cc: bugtaqat_private
    >| Subject: Re: rpc.ttdbserver remote overflow exploit
    >|
    >|
    >|     Regarding the recent post of the remote rpc.ttdbserver overflow..
    >|
    >|     While posting other people's unpublished code is bad enough, at least
    >|     make an effort to find out who wrote it.  Ken, apparently, did not.
    >|     Ken also missed the fact that the author's name is in the comments at
    >|     the top:
    >|
    >| /*
    >|     TCP/100083
    >|  rpc.ttdbserver remote overflow, apk
    >|  Solaris (tested on SS5 and Ultra 2.5.1)
    >|  Irix (tested on r5k and r10k O2 6.3),
    >|  HP-UX ( tested on 700s 10.20)
    >|
    >|
    >|     Credit where credit is due.
    >|
    >|
    
    Hello,
    
         Although this EXPLOIT code has not been published in the usual forums,
    it has been circulating in the underground scene for over 2 months now.  I
    think that everyone will agree that credit for any code, even if the code
    is designed and/or used primarily for malicious purposes, should of course
    be given to the coder.  I DID in fact try to find out who the author was,
    and of course examined both the code and the headers closely.
    
         With regards to the author's name being in the code, I assume that you
    are referring to "apk".  A search of "apk" at AltaVista turned up 33,980
    results.  A search at DejaNews turned up 2,100 results.  A search of the
    Bugtraq archives turned up one result from a user of the apk.net ISP.
    Is "apk" the author, or is it some strange acronym?
    
         Your opinion that sending "other people's unpublished code is bad" is,
    in my opinion, a very dangerous attitude to take when such code is and has
    been used to compromise the security of remote systems.  "Bugtraq is a
    full-disclosure UNIX security mailing list."  I am NOT in the business of
    hoarding "0-day exploit code" to myself and any "hacker friends" who wish
    to use it to exploit remote systems.  Why should such an exploit be
    distributed to every script kiddy who wants to destroy remote systems and
    not to the network administrators who are trying to keep their systems secure?
    
    With that said, here are the compile flags necessary to compile the exploit.
    I'm sick of deleting all the email I have received today telling me that
    this code does not compile.
    
    On Solaris 2.51, I compiled in the following manner:
    
    gcc -DSOLARIS -lsocket -lnsl -o rpc.ttdbserver rpc.ttdbserver.c
    
    Now, hopefully the recent spate of ttdbserver-related attacks will diminish
    substantially, since the code used for the exploit has been disclosed in
    the appropriate forum.
    
    
    Full-disclosure UNIX Security.
    
    Regards,
    - --
    Ken Williams
    
    Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
    E.H.A.P. Corporation  http://www.ehap.org/  ehapat_private infoat_private
    NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2at_private
    PGP DSS/DH/RSA Keys   http://www4.ncsu.edu/~jkwilli2/pgpkey/
    
    
