[LUGOS] wget

Primož Gabrijelčič primoz at gabrijelcic.org
Tue Feb 10 11:59:11 CET 2004


Zanimiv je tudi rezultat $ strings <x (spodaj, precej okrajšano). Videti je
da gre za nek glibc/pthreads exploit. Lahko pa se tudi motim, se mi ni dalo
gledat več kot deset sekund.

Pozdrav,
    Gp

    WinGpT: Always store beer in a dark place. Your stomach.
OpenBSD SI: http://obsd.17slon.org, http://obsd.17slon.org/list

/lib/ld-linux.so.2
__gmon_start__
libc.so.6
geteuid
getpid
memcpy
execl
perror
readlink
system
socket
alarm
fprintf
kill
__deregister_frame_info
initgroups
setgid
signal
fork
ptrace
stderr
__errno_location
exit
_IO_stdin_used
__libc_start_main
setuid
__register_frame_info
__xstat
GLIBC_2.0
/proc/self/exe
[-] Unable to read /proc/self/exe
[-] Unable to write shellcode
[+] Signal caught
[-] Unable to read registers
[+] Shellcode placed at 0x%08lx
[+] Now wait for suid shell...
[-] Unable to detach from victim
[-] Fatal error
[-] Unable to attach
[+] Attached to %d
[-] Unable to setup syscall trace
[+] Waiting for signal
[-] Unable to stat myself
root
/bin/sh
[-] Unable to spawn shell
[-] Unable to fork
GET /~telcom69/gov.php HTTP/1.0
ppp0
eth0
h/bin
snortdos
tory
/lib/ld-linux.so.2
init.c
/usr/src/packages/BUILD/glibc-2.2.2/csu/
gcc2_compiled.
int:t(0,1)=r(0,1);0020000000000;0017777777777;
char:t(0,2)=r(0,2);0;127;
long int:t(0,3)=r(0,1);0020000000000;0017777777777;
unsigned int:t(0,4)=r(0,1);0000000000000;0037777777777;
long unsigned int:t(0,5)=r(0,1);0000000000000;0037777777777;
long long int:t(0,6)=r(0,1);01000000000000000000000;0777777777777777777777;
long long unsigned int:t(0,7)=r(0,1);0000000000000;01777777777777777777777;
short int:t(0,8)=r(0,8);-32768;32767;
short unsigned int:t(0,9)=r(0,9);0;65535;
signed char:t(0,10)=r(0,10);-128;127;
unsigned char:t(0,11)=r(0,11);0;255;
float:t(0,12)=r(0,1);4;0;
double:t(0,13)=r(0,1);8;0;
long double:t(0,14)=r(0,1);12;0;
complex int:t(0,15)=s8real:(0,1),0,32;imag:(0,1),32,32;;
complex float:t(0,16)=r(0,16);4;0;
complex double:t(0,17)=r(0,17);8;0;
complex long double:t(0,18)=r(0,18);12;0;
void:t(0,19)=(0,19)
../include/libc-symbols.h
/usr/src/packages/BUILD/glibc-2.2.2/cc/config.h
../sysdeps/gnu/_G_config.h
../sysdeps/unix/sysv/linux/bits/types.h
../include/features.h
../include/sys/cdefs.h
../misc/sys/cdefs.h
/usr/lib/gcc-lib/i486-suse-linux/2.95.3/include/stddef.h
size_t:t(8,1)=(0,4)
__u_char:t(4,1)=(0,11)
__u_short:t(4,2)=(0,9)
__u_int:t(4,3)=(0,4)
__u_long:t(4,4)=(0,5)
__u_quad_t:t(4,5)=(0,7)
__quad_t:t(4,6)=(0,6)
__int8_t:t(4,7)=(0,10)
__uint8_t:t(4,8)=(0,11)
__int16_t:t(4,9)=(0,8)
__uint16_t:t(4,10)=(0,9)
__int32_t:t(4,11)=(0,1)
__uint32_t:t(4,12)=(0,4)
__int64_t:t(4,13)=(0,6)
__uint64_t:t(4,14)=(0,7)
__qaddr_t:t(4,15)=(4,16)=*(4,6)
__dev_t:t(4,17)=(4,5)
__uid_t:t(4,18)=(4,3)
__gid_t:t(4,19)=(4,3)
__ino_t:t(4,20)=(4,4)
__mode_t:t(4,21)=(4,3)
__nlink_t:t(4,22)=(4,3)
__off_t:t(4,23)=(0,3)
__loff_t:t(4,24)=(4,6)
__pid_t:t(4,25)=(0,1)
__ssize_t:t(4,26)=(0,1)
__rlim_t:t(4,27)=(4,4)
__rlim64_t:t(4,28)=(4,5)
__id_t:t(4,29)=(4,3)
__fsid_t:t(4,30)=(4,31)=s8__val:(4,32)=ar(0,1);0;1;(0,1),0,64;;
__daddr_t:t(4,33)=(0,1)
__caddr_t:t(4,34)=(4,35)=*(0,2)
__time_t:t(4,36)=(0,3)
__useconds_t:t(4,37)=(0,4)
__suseconds_t:t(4,38)=(0,3)
__swblk_t:t(4,39)=(0,3)
__clock_t:t(4,40)=(0,3)
__clockid_t:t(4,41)=(0,1)
__timer_t:t(4,42)=(0,1)
__key_t:t(4,43)=(0,1)
__ipc_pid_t:t(4,44)=(0,9)
__blksize_t:t(4,45)=(0,3)
__blkcnt_t:t(4,46)=(0,3)
__blkcnt64_t:t(4,47)=(4,6)
__fsblkcnt_t:t(4,48)=(4,4)
__fsblkcnt64_t:t(4,49)=(4,5)
__fsfilcnt_t:t(4,50)=(4,4)
__fsfilcnt64_t:t(4,51)=(4,5)
__ino64_t:t(4,52)=(4,5)
__off64_t:t(4,53)=(4,24)
__t_scalar_t:t(4,54)=(0,3)
__t_uscalar_t:t(4,55)=(0,5)
__intptr_t:t(4,56)=(0,1)
__socklen_t:t(4,57)=(0,4)
../linuxthreads/sysdeps/pthread/bits/pthreadtypes.h
../sysdeps/unix/sysv/linux/bits/sched.h
__sched_param:T(10,1)=s4__sched_priority:(0,1),0,32;;
_pthread_fastlock:T(9,1)=s8__status:(0,3),0,32;__spinlock:(0,1),32,32;;
_pthread_descr:t(9,2)=(9,3)=*(9,4)=xs_pthread_descr_struct:
__pthread_attr_s:T(9,5)=s36__detachstate:(0,1),0,32;__schedpolicy:(0,1),32,3
2;__schedparam:(10,1),64,32;__inheritsched:(0,1),96,32;__scope:(0,1),128,32;
__guardsize:(8,1),160,32;__stackaddr_set:(0,1),192,32;__stackaddr:(9,6)=*(0,
19),224,32;__stacksize:(8,1),256,32;;
pthread_attr_t:t(9,7)=(9,5)
pthread_cond_t:t(9,8)=(9,9)=s12__c_lock:(9,1),0,64;__c_waiting:(9,2),64,32;;
pthread_condattr_t:t(9,10)=(9,11)=s4__dummy:(0,1),0,32;;
pthread_key_t:t(9,12)=(0,4)
pthread_mutex_t:t(9,13)=(9,14)=s24__m_reserved:(0,1),0,32;__m_count:(0,1),32
,32;__m_owner:(9,2),64,32;__m_kind:(0,1),96,32;__m_lock:(9,1),128,64;;
pthread_mutexattr_t:t(9,15)=(9,16)=s4__mutexkind:(0,1),0,32;;
pthread_once_t:t(9,17)=(0,1)
_pthread_rwlock_t:T(9,18)=s32__rw_lock:(9,1),0,64;__rw_readers:(0,1),64,32;_
_rw_writer:(9,2),96,32;__rw_read_waiting:(9,2),128,32;__rw_write_waiting:(9,
2),160,32;__rw_kind:(0,1),192,32;__rw_pshared:(0,1),224,32;;
pthread_rwlock_t:t(9,19)=(9,18)
pthread_rwlockattr_t:t(9,20)=(9,21)=s8__lockkind:(0,1),0,32;__pshared:(0,1),
32,32;;
pthread_spinlock_t:t(9,22)=(0,1)
pthread_barrier_t:t(9,23)=(9,24)=s20__ba_lock:(9,1),0,64;__ba_required:(0,1)
,64,32;__ba_present:(0,1),96,32;__ba_waiting:(9,2),128,32;;
pthread_barrierattr_t:t(9,25)=(9,26)=s4__pshared:(0,1),0,32;;
pthread_t:t(9,27)=(0,5)
wchar_t:t(11,1)=(0,3)
wint_t:t(11,2)=(0,4)
../include/wchar.h
../wcsmbs/wchar.h
../sysdeps/unix/sysv/linux/i386/bits/wchar.h
__mbstate_t:t(13,1)=(13,2)=s8__count:(0,1),0,32;__value:(13,3)=u4__wch:(11,2
),0,32;__wchb:(13,4)=ar(0,1);0;3;(0,2),0,32;;,32,32;;
_G_fpos_t:t(3,1)=(3,2)=s12__pos:(4,23),0,32;__state:(13,1),32,64;;
_G_fpos64_t:t(3,3)=(3,4)=s16__pos:(4,53),0,64;__state:(13,1),64,64;;
../include/gconv.h
../iconv/gconv.h
 
:T(17,1)=e__GCONV_OK:0,__GCONV_NOCONV:1,__GCONV_NODB:2,__GCONV_NOMEM:3,__GCO
NV_EMPTY_INPUT:4,__GCONV_FULL_OUTPUT:5,__GCONV_ILLEGAL_INPUT:6,__GCONV_INCOM
PLETE_INPUT:7,__GCONV_ILLEGAL_DESCRIPTOR:8,__GCONV_INTERNAL_ERROR:9,;
 :T(17,2)=e__GCONV_IS_LAST:1,__GCONV_IGNORE_ERRORS:2,;
__gconv_fct:t(17,3)=(17,4)=*(17,5)=f(0,1)
__gconv_init_fct:t(17,6)=(17,7)=*(17,8)=f(0,1)
__gconv_end_fct:t(17,9)=(17,10)=*(17,11)=f(0,19)
__gconv_trans_fct:t(17,12)=(17,13)=*(17,14)=f(0,1)
__gconv_trans_context_fct:t(17,15)=(17,16)=*(17,17)=f(0,1)
__gconv_trans_query_fct:t(17,18)=(17,19)=*(17,20)=f(0,1)
__gconv_trans_init_fct:t(17,21)=(17,22)=*(17,23)=f(0,1)
__gconv_trans_end_fct:t(17,24)=(17,25)=*(17,26)=f(0,19)
__gconv_trans_data:T(17,27)=s20__trans_fct:(17,12),0,32;__trans_context_fct:
(17,15),32,32;__trans_end_fct:(17,24),64,32;__data:(9,6),96,32;__next:(17,28
)=*(17,27),128,32;;
__gconv_step:T(17,29)=s56__shlib_handle:(17,30)=*(17,31)=xs__gconv_loaded_ob
ject:,0,32;__modname:(17,32)=*(0,2),32,32;__counter:(0,1),64,32;__from_name:
(4,35),96,32;__to_name:(4,35),128,32;__fct:(17,3),160,32;__init_fct:(17,6),1
92,32;__end_fct:(17,9),224,32;__min_needed_from:(0,1),256,32;__max_needed_fr
om:(0,1),288,32;__min_needed_to:(0,1),320,32;__max_needed_to:(0,1),352,32;__
stateful:(0,1),384,32;__data:(9,6),416,32;;
__gconv_step_data:T(17,33)=s36__outbuf:(17,34)=*(0,11),0,32;__outbufend:(17,
34),32,32;__flags:(0,1),64,32;__invocation_counter:(0,1),96,32;__internal_us
e:(0,1),128,32;__statep:(17,35)=*(13,1),160,32;__state:(13,1),192,64;__trans
:(17,28),256,32;;
__gconv_info:T(17,36)=s8__nsteps:(8,1),0,32;__steps:(17,37)=*(17,29),32,32;_
_data:(17,38)=ar(0,1);0;-1;(17,33),64,0;;
__gconv_t:t(17,39)=(17,40)=*(17,36)
_G_iconv_t:t(3,5)=(3,6)=u44__cd:(17,36),0,64;__combined:(3,7)=s44__cd:(17,36
),0,64;__data:(17,33),64,288;;,0,352;;
_G_int16_t:t(3,8)=(0,8)
_G_int32_t:t(3,9)=(0,1)
_G_uint16_t:t(3,10)=(0,9)
_G_uint32_t:t(3,11)=(0,4)
_IO_stdin_used:G(0,1)
/usr/src/packages/BUILD/glibc-2.2.2/io/
stat.c
../include/sys/stat.h
../io/sys/stat.h
../include/time.h
../time/time.h
time_t:t(13,1)=(8,36)
dev_t:t(4,1)=(8,17)
gid_t:t(4,2)=(8,19)
ino_t:t(4,3)=(8,20)
mode_t:t(4,4)=(8,21)
nlink_t:t(4,5)=(8,22)
off_t:t(4,6)=(8,23)
uid_t:t(4,7)=(8,18)
blkcnt_t:t(4,8)=(8,46)
blksize_t:t(4,9)=(8,45)
../sysdeps/unix/sysv/linux/bits/stat.h
stat:T(14,1)=s88st_dev:(8,17),0,64;__pad1:(0,9),64,16;st_ino:(8,20),96,32;st
_mode:(8,21),128,32;st_nlink:(8,22),160,32;st_uid:(8,18),192,32;st_gid:(8,19
),224,32;st_rdev:(8,17),256,64;__pad2:(0,9),320,16;st_size:(8,23),352,32;st_
blksize:(8,45),384,32;st_blocks:(8,46),416,32;st_atime:(8,36),448,32;__unuse
d1:(0,5),480,32;st_mtime:(8,36),512,32;__unused2:(0,5),544,32;st_ctime:(8,36
),576,32;__unused3:(0,5),608,32;__unused4:(0,5),640,32;__unused5:(0,5),672,3
2;;
stat64:T(14,2)=s96st_dev:(8,17),0,64;__pad1:(0,4),64,32;__st_ino:(8,20),96,3
2;st_mode:(8,21),128,32;st_nlink:(8,22),160,32;st_uid:(8,18),192,32;st_gid:(
8,19),224,32;st_rdev:(8,17),256,64;__pad2:(0,4),320,32;st_size:(8,53),352,64
;st_blksize:(8,45),416,32;st_blocks:(8,47),448,64;st_atime:(8,36),512,32;__u
nused1:(0,5),544,32;st_mtime:(8,36),576,32;__unused2:(0,5),608,32;st_ctime:(
8,36),640,32;__unused3:(0,5),672,32;st_ino:(8,52),704,64;;
__stat:F(0,1)
file:p(0,20)=*(0,2)
buf:p(0,21)=*(14,1)
file:r(0,20)
buf:r(0,21)
GCC: (GNU) 2.95.3 20010315 (SuSE)



