Bugtraq mailing list archives

How to compile. Full disclosure? (Was: Re: rpc.ttdbserver
From: jkwilli2 () UNITY NCSU EDU (Ken Williams)
Date: Mon, 5 Oct 1998 15:51:14 -0400


On Mon, 5 Oct 1998 route () resentment infonexus com wrote:

| Date: Mon, 5 Oct 1998 11:25:07 -0700 (PDT)
| From: route () resentment infonexus com
| To: jkwilli2 () UNITY NCSU EDU
| Cc: bugtaq () netspace org
| Subject: Re: rpc.ttdbserver remote overflow exploit
|     Regarding the recent post of the remote rpc.ttdbserver overflow..
|     While posting other people's unpublished code is bad enough, at least
|     make an effort to find out who wrote it.  Ken, apparently, did not.
|     Ken also missed the fact that the author's name is in the comments at
|     the top:
| /*
|     TCP/100083
|  rpc.ttdbserver remote overflow, apk
|  Solaris (tested on SS5 and Ultra 2.5.1)
|  Irix (tested on r5k and r10k O2 6.3),
|  HP-UX ( tested on 700s 10.20)
|     Credit where credit is due.


     Although this EXPLOIT code has not been published in the usual forums,
it has been circulating in the underground scene for over 2 months now.  I
think that everyone will agree that credit for any code, even if the code
is designed and/or used primarily for malicious purposes, should of course
be given to the coder.  I DID in fact try to find out who the author was,
and of course examined both the code and the headers closely.

     With regards to the author's name being in the code, I assume that you
are referring to "apk".  A search of "apk" at AltaVista turned up 33,980
results.  A search at DejaNews turned up 2,100 results.  A search of the
Bugtraq archives turned up one result from a user of the apk.net ISP.
Is "apk" the author, or is it some strange acronym?

     Your opinion that sending "other people's unpublished code is bad" is,
in my opinion, a very dangerous attitude to take when such code is and has
been used to compromise the security of remote systems.  "Bugtraq is a
full-disclosure UNIX security mailing list."  I am NOT in the business of
hoarding "0-day exploit code" to myself and any "hacker friends" who wish
to use it to exploit remote systems.  Why should such an exploit be
distributed to every script kiddy who wants to destroy remote systems and
not to the network administrators who are trying to keep their systems secure?

With that said, here are the compile flags necessary to compile the exploit.
I'm sick of deleting all the email I have received today telling me that
this code does not compile.

On Solaris 2.51, I compiled in the following manner:

gcc -DSOLARIS -lsocket -lnsl -o rpc.ttdbserver rpc.ttdbserver.c

Now, hopefully the recent spate of ttdbserver-related attacks will diminish
substantially, since the code used for the exploit has been disclosed in
the appropriate forum.

Full-disclosure UNIX Security.

--
Ken Williams

Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation  http://www.ehap.org/  ehap () ehap org info () ehap org
NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2 () adm csc ncsu edu
PGP DSS/DH/RSA Keys   http://www4.ncsu.edu/~jkwilli2/pgpkey/


