Bugtraq mailing list archives

Re: Remote count.cgi exploit mods


From: angus () INTASYS COM (Gus)
Date: Sat, 11 Jul 1998 18:01:16 +0100


On Thu, 9 Jul 1998, _ _ wrote:
> There is a commonly known local exploit available which works on
> Count.cgi. Plaguez posted the original and Gus posted a mod for linux.

Plaguez created the original *remote* linux exploit, all I did was clean
things up a bit and add some offsets for different versions. Like
everything else, we stand on the shoulders of what goes before.

The code you posted is an old version that I released to settle an
argument, I sent the full version in to rootshell after noticing that
someone had sent in the old one, you can get it from rootshell or
from http://www.intasys.com/~angus/count.cgi.l.c


> I've tried to modify the exploit further to work on a remote linux site.
> This seems to be a better way than to test our site internally.
> It compiles fine and seems to run, but doesn't send me an Xterm.
> I have attached my hacked code. Any ideas or suggested improvements??

WTF is this doing on bugtraq? Did you read and UNDERSTAND what is going on
in Count.cgi, and why this does or does not work? Did you even "xhost +" ?

Anyway.

If you want it for "white hat" purposes, here is a quicker way of
checking. If the version is 2.4, then it is patched for this bug. Anything
below that is vulnerable. (2.4 is the latest version)

http://www.fccc.edu/users/muquit/Count.html is the author's homepage for
the program. Download and compile it, get the file size and then compare
it to what is on your web server. On Linux it is 79800 bytes, or 71624
bytes after stripping.

If you really do want to test your systems by running an exploit over
them, and this is a recurring need, then you would be well served by
taking the time to create 'execve("/bin/sh","-c","<-- whatever -->");'
shellcode and retrofitting it to all the exploits that come out. When you
retrofit it, just add a routine to overwrite the spaces you left in the
shellcode with the command line you wish to execute. It's not that hard,
(heh, it can't be if I managed it :-/) but like everyone else I'm not
gonna release it to the public.

You then have the chance to run an arbitrary command line on the host, and
your white hatted-ness will be made so much easier, since you can run
"ping -c1 icmp.logging.host.name" and just collect a list of vulnerable
machines from your syslog.


        _Gus

--
                                angus () intasys com
                          http://www.intasys.com/~angus/
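The "white hat" check described in the post (compare the deployed Count.cgi against a build of the patched 2.4 release, or against the sizes given for the Linux build), written out as a small POSIX shell script. This is an added example, not code from the post or from the Count.cgi author. The two byte counts come from the post; the function names, the optional reference-binary argument and the result words are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare a deployed Count.cgi with a reference build of 2.4.
# Sizes below are the ones the post gives for the Linux 2.4 build
# (79800 bytes unstripped, 71624 bytes stripped); treated here as exact.
COUNT_24_SIZE=79800
COUNT_24_STRIPPED_SIZE=71624

file_size() {
    # Portable byte count (avoids GNU-only stat flags); strip BSD padding.
    wc -c < "$1" | tr -d ' '
}

# Usage: count_cgi_check DEPLOYED_BINARY [REFERENCE_BINARY]
# Prints one of: matches-reference, matches-2.4-size, size-differs, missing
# Exit status is 0 only when the deployed file looks like the 2.4 build.
count_cgi_check() {
    deployed=$1
    reference=${2:-}
    [ -f "$deployed" ] || { echo missing; return 1; }
    size=$(file_size "$deployed")
    # Strongest evidence: byte-for-byte match with a build you made yourself
    # from the author's 2.4 source on the same platform.
    if [ -n "$reference" ] && [ -f "$reference" ]; then
        if cmp -s "$deployed" "$reference"; then
            echo matches-reference
            return 0
        fi
    fi
    # Weaker evidence: size matches the figures quoted for the Linux build.
    case "$size" in
        "$COUNT_24_SIZE"|"$COUNT_24_STRIPPED_SIZE")
            echo matches-2.4-size
            return 0 ;;
    esac
    echo size-differs
    return 1
}

# Example invocation (path is a placeholder for your own cgi-bin):
# count_cgi_check /var/www/cgi-bin/Count.cgi ./Count.cgi.reference
```

A size match is only circumstantial (compiler, flags and strip settings all move it), so the reference-binary comparison is the one to rely on; anything that fails both checks is worth treating as an older, unpatched install until proven otherwise.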


