Bugtraq mailing list archives
Re: Remote count.cgi exploit mods
From: angus () INTASYS COM (Gus)
Date: Sat, 11 Jul 1998 18:01:16 +0100
On Thu, 9 Jul 1998, _ _ wrote:
> There is a commonly known local exploit available which works on Count.cgi. Plaguez posted the original and Gus posted a mod for Linux.
Plaguez created the original *remote* Linux exploit; all I did was clean things up a bit and add some offsets for different versions. Like everything else, we stand on the shoulders of what goes before. The code you posted is an old version that I released to settle an argument. I sent the full version in to rootshell after noticing that someone had sent in the old one; you can get it from rootshell or from http://www.intasys.com/~angus/count.cgi.l.c
> I've tried to modify the exploit further to work on a remote Linux site. This seems to be a better way than to test our site internally. It compiles fine and seems to run, but doesn't send me an xterm. I have attached my hacked code. Any ideas or suggested improvements??
WTF is this doing on bugtraq? Did you read and UNDERSTAND what is going on in Count.cgi, and why this does or does not work? Did you even "xhost +"?

Anyway. If you want it for "white hat" purposes, here is a quicker way of checking. If the version is 2.4, then it is patched for this bug. Anything below that is vulnerable. (2.4 is the latest version.) http://www.fccc.edu/users/muquit/Count.html is the author's homepage for the program. Download and compile it, get the file size and then compare it to what is on your web server. On Linux it is 79800 bytes, or 71624 bytes after stripping.

If you really do want to test your systems by running an exploit over them, and this is a recurring need, then you would be well served by taking the time to create 'execve("/bin/sh","-c","<-- whatever -->");' shellcode and retrofitting it to all the exploits that come out. When you retrofit it, just add a routine to overwrite the spaces you left in the shellcode with the command line you wish to execute. It's not that hard (heh, it can't be if I managed it :-/), but like everyone else I'm not gonna release it to the public. You then have the chance to run an arbitrary command line on the host, and your white hatted-ness will be made so much easier, since you can run "ping -c1 icmp.logging.host.name" and just collect a list of vulnerable machines from your syslog.

_Gus
--
angus () intasys com
http://www.intasys.com/~angus/