Bugtraq mailing list archives

How to compile. Full disclosure? (Was: Re: rpc.ttdbserver


From: jkwilli2 () UNITY NCSU EDU (Ken Williams)
Date: Mon, 5 Oct 1998 15:51:14 -0400


-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 5 Oct 1998 route () resentment infonexus com wrote:

| Date: Mon, 5 Oct 1998 11:25:07 -0700 (PDT)
| From: route () resentment infonexus com
| To: jkwilli2 () UNITY NCSU EDU
| Cc: bugtaq () netspace org
| Subject: Re: rpc.ttdbserver remote overflow exploit
|
|
|     Regarding the recent post of the remote rpc.ttdbserver overflow..
|
|     While posting other people's unpublished code is bad enough, at least
|     make an effort to find out who wrote it.  Ken, apparently, did not.
|     Ken also missed the fact that the author's name is in the comments at
|     the top:
|
| /*
|     TCP/100083
|  rpc.ttdbserver remote overflow, apk
|  Solaris (tested on SS5 and Ultra 2.5.1)
|  Irix (tested on r5k and r10k O2 6.3),
|  HP-UX ( tested on 700s 10.20)
|
|
|     Credit where credit is due.
|
|

Hello,

     Although this EXPLOIT code has not been published in the usual forums,
it has been circulating in the underground scene for over 2 months now.  I
think that everyone will agree that credit for any code, even if the code
is designed and/or used primarily for malicious purposes, should of course
be given to the coder.  I DID in fact try to find out who the author was,
and of course examined both the code and the headers closely.

     With regards to the author's name being in the code, I assume that you
are referring to "apk".  A search of "apk" at AltaVista turned up 33,980
results.  A search at DejaNews turned up 2,100 results.  A search of the
Bugtraq archives turned up one result from a user of the apk.net ISP.
Is "apk" the author, or is it some strange acronym?

     Your opinion that sending "other people's unpublished code is bad" is,
in my opinion, a very dangerous attitude to take when such code is and has
been used to compromise the security of remote systems.  "Bugtraq is a
full-disclosure UNIX security mailing list."  I am NOT in the business of
hoarding "0-day exploit code" to myself and any "hacker friends" who wish
to use it to exploit remote systems.  Why should such an exploit be
distributed to every script kiddy who wants to destroy remote systems and
not to the network administrators who are trying to keep their systems secure?

With that said, here are the compile flags necessary to compile the exploit.
I'm sick of deleting all the email I have received today telling me that
this code does not compile.

On Solaris 2.51, I compiled in the following manner:

gcc -DSOLARIS -lsocket -lnsl -o rpc.ttdbserver rpc.ttdbserver.c

Now, hopefully the recent spate of ttdbserver-related attacks will diminish
substantially, since the code used for the exploit has been disclosed in
the appropriate forum.


Full-disclosure UNIX Security.

Regards,
- --
Ken Williams

Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation  http://www.ehap.org/  ehap () ehap org info () ehap org
NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2 () adm csc ncsu edu
PGP DSS/DH/RSA Keys   http://www4.ncsu.edu/~jkwilli2/pgpkey/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQEVAwUBNhki2pDw1ZsNz1IXAQEBJQgAwAWGqcvULadI5dJcc19Sh3u70E2zBqgB
Tz1PIW3jYuTs4E4JlppdhI8DbomIsthw4qoHMeGA4g8T5lQU6SWeR5l8RwHEz5+D
rx2cXu5bk2KFV5H6wioOlVx+TWdJabi3L9KJoRURs/pV9jBRq3mKXhlKapgIf9GU
hwNYYEkk46Txr97Epm5XFkjoJJPmPJxLIQQjq2MJ4r+nlkM9oEPG0fVJs50s+lyT
U5K3S523Yau5N4cgTCEsC4VG/BLkZRNlBfPFc7oWzzAcXBkQ0174Cwwlytv/YJs1
UWvUUslrEZ56wFKrIwkpb+PBiq9CwZ1B+EXP6ZuCbPCZQ8+mt+VgOg==
=V1Y9
-----END PGP SIGNATURE-----


