Security Incidents mailing list archives
Re: Scan of the Month - Two Exploits
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 12 Dec 2000 23:53:10 +0100
On Mon, 11 Dec 2000, Lance Spitzner wrote:
> This month's Scan is unique. Several scans and two exploits were run against a Linux honeypot in the same morning. The challenge to the security community is to review the captured signatures and answer any of the following six questions based on the snort signatures.

Hi Lance :) Here we go... Hope I won't make other people upset by answering these questions?
### QUESTION 1: Can you name the FTP scanning tool?
Hard to say, this port is used way too frequently by backdoors, scanners and pretty innocent applications. I couldn't find any published code that causes such packet patterns. One question unanswered.
### QUESTION 2: What does this FTP exploit achieve? Does it open a port, create a shell, add a user account?
Venglin's exploit, AFAIK, executes a local shell using the already opened FTP control connection. The PASSword is used to store the shellcode, while the main attack is performed using a format string vulnerability, which causes a return-into-password bug ;P That was a pretty cute trick.
### QUESTION 3: Is the FTP attack successful?
No. He was not able to log in using the anonymous account, for some reason, and thus hasn't exploited the SITE EXEC format string vulnerability yet.
### QUESTION 4: What RPC service is exploited?
Urm, rpc.statd - http://www.pulhas.org/xploitsdb/mUNIXes/statd3.html
### QUESTION 5: Where in the exploit code below does he bind a shell to port 39168?
See exploit source :) It is generic shellcode.
### QUESTION 6: What two accounts are created, and what are the UID's?
user:5000 (with password)
sendmail:10865 (w/o password)
+ inetd.conf entry with rootshell

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=