Security Incidents mailing list archives

Re: sadmind hack?


From: labu () RUMAH NET (Labu Labi)
Date: Tue, 18 Apr 2000 02:26:13 -0000


Hi all
The exploit is difficult to get right because you have to know the appropriate offsets for the exact version (and configuration) of the victim system. Therefore, you often see multiple attempts in a row.

I think this is caused by sadmbrute.c. The program will brute force the sp for the sadmindex hack (by Cheez Whiz) until it succeeds. I ran this against my unpatched Solaris 2.6 and I got exactly the same messages under my /var/adm.
btw, this is what you get when you run sadmbrute.
[xxx@xx code]$ sadmbrute

sadmindex sp brute forcer - by elux
usage: sadmbrute [arch] <host>

        arch:
        1 - x86 Solaris 2.6
        2 - x86 Solaris 7.0
        3 - SPARC Solaris 2.6
        4 - SPARC Solaris 7.0      

!EOT
--labu

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Yip Chan Keong
Sent: Wednesday, April 12, 2000 11:13 PM
To: INCIDENTS () securityfocus com
Subject: sadmind hack?

I have gotten the following messages in my /var/adm/messages file on my Solaris 2.6 host. Is it a sign of a break-in? telnet and ftp on my host are limited by TCP wrappers. Any idea how the exploit is made?

Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup

many thanks and regards,
/yck
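The pattern both posters describe, a run of sadmind core dumps in quick succession under inetd as the offsets are brute forced, can be picked out of /var/adm/messages automatically. The following detector is an added example for this thread, not code from either poster; the sample lines are constructed from the messages quoted above, and the year (syslog omits it), the 60-second window and the 3-crash threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the inetd lines quoted in the thread, e.g.
# "Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped"
SADMIND_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"inetd\[\d+\]: /usr/sbin/sadmind: (?P<signal>Bus Error|Segmentation Fault|Hangup)"
)

def parse_sadmind_events(lines, year=2000):
    """Return (timestamp, host, signal) for each sadmind crash/hangup line.
    syslog lines carry no year, so one is assumed (2000 matches the thread)."""
    events = []
    for line in lines:
        m = SADMIND_LINE.match(line.strip())
        if not m:
            continue  # unrelated daemon or a non-crash message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["signal"]))
    return events

def find_crash_bursts(events, min_events=3, window=timedelta(seconds=60)):
    """Group events per host and flag runs of >= min_events crashes that all
    fall within `window` of the first one. A single fault can be an accident;
    several in a row are the signature of offset guessing against sadmind."""
    by_host = {}
    for ts, host, sig in sorted(events):
        by_host.setdefault(host, []).append((ts, sig))
    bursts = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1][0] - evs[i][0] <= window:
                j += 1
            if j - i + 1 >= min_events:
                bursts.append({"host": host, "start": evs[i][0], "end": evs[j][0],
                               "count": j - i + 1, "signals": [s for _, s in evs[i:j + 1]]})
            i = j + 1
    return bursts

# Constructed sample: the five lines from the original post, one unrelated
# line, and one isolated crash later in the day that should not be flagged.
SAMPLE_MESSAGES = """\
Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
Apr 12 06:44:10 xxxx sendmail[201]: NOQUEUE: connection refused (constructed)
Apr 12 09:15:02 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
""".splitlines()
```

Running `find_crash_bursts(parse_sadmind_events(SAMPLE_MESSAGES))` reports one burst of 5 events on host xxxx between 06:43:34 and 06:43:44; the lone 09:15 crash is left alone.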

