Security Incidents mailing list archives

Re: Scan of the Month - Two Exploits


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 12 Dec 2000 23:53:10 +0100

On Mon, 11 Dec 2000, Lance Spitzner wrote:

This month's Scan is unique.  Several scans and two exploits were run
against a Linux honeypot in the same morning.  The challenge to the
security community is to review the captured signatures and answer any
of the following six questions based on the snort signatures.

Hi Lance :) Here we go... Hope I won't make other people upset by
answering these questions?

### QUESTION 1:  Can you name the FTP scanning tool?

Hard to say, this port is used way too frequently by backdoors, scanners
and pretty innocent applications. I couldn't find any published code that
causes such packet patterns. One question unanswered.

### QUESTION 2:  What does this FTP exploit achieve?  Does it open a port, create a shell, add a user account?

Venglin's exploit, AFAIK, executes a local shell using the already opened ftp
control connection. The PASSword is used to store shellcode, while the main
attack is performed using a format string vulnerability, which causes a
return-into-password bug ;P That was a pretty cute trick.

### QUESTION 3:  Is the FTP attack successful?

No. He was not able to log in using the anonymous account, for some reason,
thus hasn't exploited the SITE EXEC format string vulnerability yet.

### QUESTION 4:  What RPC service is exploited?

Urm, rpc.statd - http://www.pulhas.org/xploitsdb/mUNIXes/statd3.html

### QUESTION 5:  Where in the exploit code below does he bind a shell to port 39168?

See exploit source :) It is generic shellcode.

### QUESTION 6:  What two accounts are created, and what are the UIDs?

user:5000 (with password)
sendmail:10865 (w/o password)
+ inetd.conf entry with rootshell


--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
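As an added illustration of the detection side of question 2 (example code written for this archive page, not from the original post or anyone in the thread): a small scanner over FTP control-channel commands that flags the two artefacts Michal describes, printf-style directives in a SITE EXEC argument and non-printable bytes in a PASS argument. The command lines and the non-printable PASS payload are constructed placeholders, not captured traffic.

```python
import re

# Constructed sample of FTP control-channel commands, as a defender might
# extract them from a capture. The fourth line is a placeholder payload
# (NOP bytes and int3 markers), not real shellcode.
SAMPLE_FTP_COMMANDS = [
    b"USER ftp",
    b"PASS mozilla@",
    b"SITE EXEC %020d|%.f%.f%.f%.f%.f%.f%.f|%08x|%08x",
    b"PASS " + b"\x90" * 8 + b"\xcc" * 4,
    b"CWD /pub",
    b"QUIT",
]

# printf-style conversion: %, optional flags, optional width, optional
# precision, then a conversion character (including the dangerous %n).
FORMAT_DIRECTIVE = re.compile(rb"%[-+ #0]*\d*(?:\.\d*)?[diouxXeEfgcsn]")


def is_suspicious_pass(arg: bytes) -> bool:
    """A PASS argument with non-printable bytes is not a typed password.

    Caveat: legitimate non-ASCII (UTF-8) passwords also trip this check,
    so treat it as a lead to inspect, not a verdict.
    """
    return any(b < 0x20 or b > 0x7E for b in arg)


def is_suspicious_site_exec(arg: bytes) -> bool:
    """SITE EXEC carrying format directives is the wu-ftpd format-string pattern."""
    return bool(FORMAT_DIRECTIVE.search(arg))


def scan_ftp_commands(commands):
    """Return (command, reason) findings for the suspicious lines in order."""
    findings = []
    for line in commands:
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"PASS" and is_suspicious_pass(arg):
            findings.append(("PASS", "non-printable bytes in password (possible shellcode)"))
        elif verb == b"SITE" and arg[:5].upper() == b"EXEC ":
            if is_suspicious_site_exec(arg[5:]):
                findings.append(("SITE EXEC", "format directives in argument"))
    return findings


if __name__ == "__main__":
    for cmd, reason in scan_ftp_commands(SAMPLE_FTP_COMMANDS):
        print(f"{cmd}: {reason}")
```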

