Bugtraq mailing list archives
rpc.statd remote root xploit for linux/x86 (little fix)
From: Doing <jdoing () teleline es>
Date: Wed, 2 Aug 2000 15:43:38 +0000
To compile the xploit you need the librpcsvc library:

    gcc statd.c -o statd -lrpcsvc

Way of finding offsets for your distro/version:

Launch statd and attach it with gdb:

[root@localhost statd]# ./statd
[root@localhost statd]# ps aux | grep st
root       394  0.0  0.9  1184  576 ?        S    15:27   0:00 ./statd
[root@localhost statd]# gdb ./statd
GNU gdb 4.18
[ cut cut cut cut ]
(gdb) attach 394
Attaching to program: /zecreto/doing/xploits/daemon/rpc.statd/knfsd-1.3.2/utils/statd/./statd, process 394

[ Now put a breakpoint on the function log() ]

(gdb) break log
Breakpoint 1 at 0x804a10a: file log.c, line 82.
(gdb) c
Continuing.

[ At this point run the xploit ]

Breakpoint 1, log (level=2, fmt=0x804c820 "SM_MON request for hostname containing '/': %s") at log.c:82
82          va_start(ap, fmt);

[ And put another breakpoint in the function syslog() ]

(gdb) break syslog
Breakpoint 2 at 0x400d12e6: file syslog.c, line 102.
(gdb) c
Continuing.

Breakpoint 2, syslog (pri=2, fmt=0xbfffef38 "SM_MON request for hostname containing '/': [garbage]..)
                                 ^^^^^^^^^^
This is the address of the buffer in function log. If you run the xploit with this value it should work.

Doing
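An added illustration, not code from the post and not rpc.statd's own source, of the logging pattern the gdb session above exposes: log() formats the SM_MON message (hostname included) into a buffer on its own stack and then hands that buffer to syslog() as the format string, which is why the attacker-supplied text appears as syslog's fmt and why the value read at the syslog() breakpoint (0xbfffef38) is a stack address inside log(). The system logger is replaced by a stand-in that formats into a string so the example runs offline; the function names, the stand-in and the hostname are all made up for this example. The hardened form beside it passes the text through a constant "%s" format instead.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_FMT "SM_MON request for hostname containing '/': %s"

/* Stand-in for syslog(3) (assumption for the example): formats the way
 * vsyslog() would, but into a string instead of the system log. */
static void sink_syslog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The pattern the gdb session shows: the message is formatted into a buffer
 * on log()'s stack, and that buffer is then passed to syslog() AS THE FORMAT.
 * Whatever the hostname contained is now parsed for conversion specifiers,
 * and the pointer syslog() receives is the stack address of this buffer
 * (the fmt=0xbfffef38 the post reads off at the syslog() breakpoint).
 * -Wformat-security flags exactly this call; it is silenced here only so the
 * example also builds under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void log_vulnerable(char *out, size_t outlen, const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    sink_syslog(out, outlen, buf);          /* attacker text used as a format */
}
#pragma GCC diagnostic pop

/* Hardened form: the formatted text is an argument to a constant "%s"
 * format, so its contents are logged literally. */
static void log_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    sink_syslog(out, outlen, "%s", buf);
}

/* Log an SM_MON hostname through one of the two paths and return what the
 * logger produced (static buffer, overwritten on each call). */
const char *log_sm_mon(const char *hostname, int fixed)
{
    static char out[512];
    if (fixed)
        log_fixed(out, sizeof out, MSG_FMT, hostname);
    else
        log_vulnerable(out, sizeof out, MSG_FMT, hostname);
    return out;
}

int main(void)
{
    /* Constructed hostname: "%%" consumes no arguments, so it shows the
     * format being interpreted without undefined behaviour. A real attack
     * puts %x/%n-style directives in the hostname to read and write the
     * stack, which is why the buffer address the post locates matters. */
    const char *host = "evil.example/%%";
    printf("vulnerable: %s\n", log_sm_mon(host, 0));
    printf("fixed:      %s\n", log_sm_mon(host, 1));
    return 0;
}
```

Run it and the vulnerable path collapses the "%%" in the hostname to a single "%" (the logger parsed the hostname as a format), while the fixed path logs the hostname byte for byte. The same check applies to any daemon that logs client-supplied strings: break on the logger's format sink and confirm fmt never points at a buffer the client can write into.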