Re: BIND Exploits

[h2g.sec.list () zipmail com br]

Hi folks,
exist some fake stuff related to bind8 in scene. No real stuff confirmed
yet.

See above (it is a edit vesion of bind8.2.3-slack.c exploit):
* Unreleased 0date:09.11.02 fsck -f 0x01,0x0b
* Discovered and exploited by Solar Eclipse
* Remote Exploit for for bind.8.x
* usage: ./exp -t[type] -s[shellcode] -t[offset] h[hostname]
* example: ./exp -t 1 remotehost

bind8.2.3-slack.c HEADER:
/*
* Copyright (c) 2001 - Security.is
*
*
* Discovered and exploited by portal and tf8 of security chan, April 2001

* Remote Exploit for Slackware 7.x, for bind.8.2.3-REL
* usage: ./exp -t[type] -s[shellcode] -t[offset] -h[hostname]
* example: ./exp -t 1 remotehost

Regards...
Nilton Gomes
Bompreço System Administrator
H2G-Labs Security Services

-- Mensagem original --

> I take it everyone has seen the latest advisory from ISC?
>
> Anyone got a idea exactly where the problem is, or got an exploit?
>
> ISC do say that an exploit isn't available, but it's been a few hours
> since then :-)
>
>
> Dom
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Dom De Vitto                                       Tel. 07855 805 271
> http://www.devitto.com                         mailto:dom () devitto com
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
>
>
>
> -----Original Message-----
> From: Fyodor [mailto:fyodor () insecure org]
> Sent: Monday, November 04, 2002 6:08 PM
> To: Frank Knobbe
> Cc: Michael Katz; vuln-dev () securityfocus com; d_fence () gmx net
> Subject: Re: Firewall bypassing tool
>
>
> On Sun, Nov 03, 2002 at 05:02:49PM -0600, Frank Knobbe wrote:
> > On Fri, 2002-11-01 at 13:38, Michael Katz wrote:
> > > At 11/1/2002 03:28 AM, d_fence wrote:
> > >
> > > One of the options for scanning is -sF, which will send SYN-FIN
> > > packets.  You can also use -sA, which will send SYN-ACK packets.
> >
> > I was about to post the same, but thought I validate first. To me it

> > seemed that nmap sends a packet with the FIN flag set. I did not see

> > the SYN flag set in addition to FIN, so nmap is not an answer to his

> > question.
>
> Nmap has an undocumented --scanflags option which allows you to specify
> arbitrary flags using the flag names or a number.  Thus a SYN-FIN scan
> can be done as follows:
>
> felix~#nmap -sS --scanflags SYNFIN -O db
>
> Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ ) Interesting ports
> on db.yuma.net (192.168.0.4): (The 1601 ports scanned but not shown
> below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 111/tcp    open        sunrpc
> 1024/tcp   open        kdm
> Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20 Uptime 58.471
> days (since Fri Sep  6 23:45:12 2002)
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 10.651 seconds
>
> Note that "-sS" causes this scan to use "SYN Scan" semantics (eg
> treating SYN|ACK responses as open ports).  For FIN scan semantics
> (dropped packets signify open ports, RST for closed ones) just specify
> "-sF" instead.
>
> Cheers,
> Fyodor



------------------------------------------
Use o melhor sistema de busca da Internet
Radar UOL - http://www.radaruol.com.br