Security Incidents mailing list archives

Re: Scan of the Month - Two Exploits


From: Brent Woodfield <bwoodfield () HOME COM>
Date: Thu, 14 Dec 2000 01:56:45 -0800

Actually, it is sendmail that has a UID of 0, and it is used to su into once the
auto-statd script creates a list of successfully compromised boxes and the
hacker comes back to install the backdoor.

On Mon, 11 Dec 2000, Lance Spitzner wrote:

This month's Scan is unique.  Several scans and two exploits were run
against a Linux honeypot in the same morning.  The challenge to the
security community is to review the captured signatures and answer any
of the following six questions based on the snort signatures.

Hi Lance :) Here we go... I hope I won't make other people upset by
answering these questions?

### QUESTION 1:  Can you name the FTP scanning tool?

Hard to say, this port is used way too frequently by backdoors, scanners
and pretty innocent applications. I couldn't find any published code that
causes such packet patterns. One question unanswered.

### QUESTION 2:  What does this FTP exploit achieve?  Does it open a port,
                 create a shell, add a user account?

Venglin's exploit, AFAIK, executes a local shell using the already opened ftp
control connection. The PASSword is used to store the shellcode, while the main
attack is performed using a format string vulnerability, which causes a
return-into-password bug ;P That was a pretty cute trick.

### QUESTION 3:  Is the FTP attack successful?

No. He was not able to log in using the anonymous account, for some reason,
and thus hasn't exploited the SITE EXEC format string vulnerability yet.

### QUESTION 4:  What RPC service is exploited?

Urm, rpc.statd - http://www.pulhas.org/xploitsdb/mUNIXes/statd3.html

### QUESTION 5:  Where in the exploit code below does he bind a shell
                 to port 39168?

See the exploit source :) It is generic shellcode.

### QUESTION 6:  What two accounts are created, and what are the UID's?

user:5000 (with password)
sendmail:10865 (w/o password)
+ inetd.conf entry with rootshell
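The two artifacts named in Question 6 and in the reply at the top of this message (an added account with UID 0 that can be su'd into, and an inetd.conf entry that spawns a root shell) are the kind of thing a responder checks for first on a box like this honeypot. The script below is an added example written for this archive page, not code from the thread or from the Honeynet Project. The /etc/passwd and /etc/inetd.conf excerpts inside it are constructed for illustration; the UIDs follow the answer above, and the sendmail line is deliberately shown with UID 0 to match the point made in the reply.

```python
"""Audit /etc/passwd and /etc/inetd.conf for the backdoor artifacts
discussed in the thread: extra UID-0 logins, passwordless accounts,
duplicate UIDs, and inetd services whose server program is a shell.

Added example, not from the original post. All sample input below is
constructed; nothing here was taken from the honeypot capture."""

from dataclasses import dataclass
from collections import defaultdict

# Constructed /etc/passwd excerpt: a small system plus the two accounts
# the answer lists. "user" gets UID 5000; "sendmail" is shown with UID 0
# and an empty password field to illustrate the su-into-root backdoor.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
user:x:5000:5000::/home/user:/bin/bash
sendmail::0:0::/:/bin/bash
"""

# Constructed /etc/inetd.conf excerpt: two legitimate tcpd-wrapped
# services and one backdoor line that serves /bin/sh as root.
SAMPLE_INETD = """\
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# hypothetical backdoor entry on an otherwise unused service name
ingreslock stream tcp nowait root /bin/sh sh -i
"""

SHELLS = ("/bin/sh", "/bin/bash", "/bin/ksh", "/bin/csh", "/bin/zsh", "sh")


@dataclass
class Finding:
    source: str   # which file the line came from
    line: str     # the offending line, verbatim
    reason: str   # why it was flagged


def check_passwd(text):
    """Flag non-root UID-0 accounts, empty password fields, and duplicate UIDs."""
    findings = []
    by_uid = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding("passwd", line, "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        by_uid[uid].append(name)
        if uid == "0" and name != "root":
            findings.append(Finding("passwd", line, "extra UID 0 account"))
        if pw == "":
            findings.append(Finding("passwd", line, "empty password field"))
    # Duplicate non-zero UIDs (UID 0 is already reported above).
    for uid, names in by_uid.items():
        if uid != "0" and len(names) > 1:
            findings.append(Finding("passwd", ",".join(names), f"UID {uid} shared"))
    return findings


def check_inetd(text):
    """Flag inetd entries whose server program or its arguments are a shell."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:
            findings.append(Finding("inetd", line, "malformed entry"))
            continue
        service, _sock, _proto, _wait, user, server = fields[:6]
        args = fields[6:]
        if server in SHELLS or any(a in SHELLS for a in args):
            findings.append(Finding("inetd", line, f"shell served on {service} as {user}"))
    return findings


def audit(passwd_text, inetd_text):
    """Run both checks and return the combined list of findings."""
    return check_passwd(passwd_text) + check_inetd(inetd_text)


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_INETD):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

On a live system the same two functions would be fed the contents of /etc/passwd and /etc/inetd.conf (or the files from a disk image); the constructed samples here produce three findings: the sendmail entry twice (UID 0 and no password) and the ingreslock line serving /bin/sh as root.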
