lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200502200707.51508.sflist@digitaloffense.net>
Date: Sun, 20 Feb 2005 07:07:51 -0600
From: H D Moore <sflist@...italoffense.net>
To: bugtraq@...urityfocus.com
Subject: Re: Knox Arkeia remote root/system exploit


The metasploit project has released two exploits for this flaw:
 http://metasploit.com/projects/Framework/exploits.html#arkeia_type77_win32
 http://metasploit.com/projects/Framework/exploits.html#arkeia_type77_macos

The win32 exploit has targets for every version of Arkeia between 4.2 and 
5.3.3. The macos exploit should work across a large range of versions 
with no modifications.  Both of these exploits have the capability to 
dump the remote system information and Arkeia version[1].

This bug looks difficult or even impossible to exploit on the Solaris 
64bit platform; the main() function calls exit()[2] before the final 
return to the overwritten stack pointer. It may be possible to use one of 
the local variable overwrites to an advantage, but at first glance it 
seems unlikely.

-HD

1. There are worse problems here than stack overflows...
2. It actually calls doexit() which in turn calls exit()

On Friday 18 February 2005 10:29, John Doe wrote:
> /*
> * Knox Arkeia Server Backup
> * arkeiad local/remote root exploit
> * Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE
> * Works up to current version 5.3.x
> [ snip ]
> */


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ