[LUGOS] wget

Borut Kurnik borut.kurnik at add.si
Tue Feb 10 14:24:04 CET 2004


http://www.securiteam.com/exploits/5CP0Q0U9FY.html

Na 1076410751, 2004-02-10 ob 11:59, je Primož Gabrijelčič napisal(a):
> Zanimiv je tudi rezultat $ strings <x (spodaj, precej okrajšano). Videti je
> da gre za nek glibc/pthreads exploit. Lahko pa se tudi motim, se mi ni dalo
> gledat več kot deset sekund.
> 
> Pozdrav,
>     Gp
> 
>     WinGpT: Always store beer in a dark place. Your stomach.
> OpenBSD SI: http://obsd.17slon.org, http://obsd.17slon.org/list
> 
> /lib/ld-linux.so.2
> __gmon_start__
> libc.so.6
> geteuid
> getpid
> memcpy
> execl
> perror
> readlink
> system
> socket
> alarm
> fprintf
> kill
> __deregister_frame_info
> initgroups
> setgid
> signal
> fork
> ptrace
> stderr
> __errno_location
> exit
> _IO_stdin_used
> __libc_start_main
> setuid
> __register_frame_info
> __xstat
> GLIBC_2.0
> /proc/self/exe
> [-] Unable to read /proc/self/exe
> [-] Unable to write shellcode
> [+] Signal caught
> [-] Unable to read registers
> [+] Shellcode placed at 0x%08lx
> [+] Now wait for suid shell...
> [-] Unable to detach from victim
> [-] Fatal error
> [-] Unable to attach
> [+] Attached to %d
> [-] Unable to setup syscall trace
> [+] Waiting for signal
> [-] Unable to stat myself
> root
> /bin/sh
> [-] Unable to spawn shell
> [-] Unable to fork
> GET /~telcom69/gov.php HTTP/1.0
> ppp0
> eth0
> h/bin
> snortdos
> tory
> /lib/ld-linux.so.2
> init.c
> /usr/src/packages/BUILD/glibc-2.2.2/csu/
> gcc2_compiled.
> int:t(0,1)=r(0,1);0020000000000;0017777777777;
> char:t(0,2)=r(0,2);0;127;
> long int:t(0,3)=r(0,1);0020000000000;0017777777777;
> unsigned int:t(0,4)=r(0,1);0000000000000;0037777777777;
> long unsigned int:t(0,5)=r(0,1);0000000000000;0037777777777;
> long long int:t(0,6)=r(0,1);01000000000000000000000;0777777777777777777777;
> long long unsigned int:t(0,7)=r(0,1);0000000000000;01777777777777777777777;
> short int:t(0,8)=r(0,8);-32768;32767;
> short unsigned int:t(0,9)=r(0,9);0;65535;
> signed char:t(0,10)=r(0,10);-128;127;
> unsigned char:t(0,11)=r(0,11);0;255;
> float:t(0,12)=r(0,1);4;0;
> double:t(0,13)=r(0,1);8;0;
> long double:t(0,14)=r(0,1);12;0;
> complex int:t(0,15)=s8real:(0,1),0,32;imag:(0,1),32,32;;
> complex float:t(0,16)=r(0,16);4;0;
> complex double:t(0,17)=r(0,17);8;0;
> complex long double:t(0,18)=r(0,18);12;0;
> void:t(0,19)=(0,19)
> ../include/libc-symbols.h
> /usr/src/packages/BUILD/glibc-2.2.2/cc/config.h
> ../sysdeps/gnu/_G_config.h
> ../sysdeps/unix/sysv/linux/bits/types.h
> ../include/features.h
> ../include/sys/cdefs.h
> ../misc/sys/cdefs.h
> /usr/lib/gcc-lib/i486-suse-linux/2.95.3/include/stddef.h
> size_t:t(8,1)=(0,4)
> __u_char:t(4,1)=(0,11)
> __u_short:t(4,2)=(0,9)
> __u_int:t(4,3)=(0,4)
> __u_long:t(4,4)=(0,5)
> __u_quad_t:t(4,5)=(0,7)
> __quad_t:t(4,6)=(0,6)
> __int8_t:t(4,7)=(0,10)
> __uint8_t:t(4,8)=(0,11)
> __int16_t:t(4,9)=(0,8)
> __uint16_t:t(4,10)=(0,9)
> __int32_t:t(4,11)=(0,1)
> __uint32_t:t(4,12)=(0,4)
> __int64_t:t(4,13)=(0,6)
> __uint64_t:t(4,14)=(0,7)
> __qaddr_t:t(4,15)=(4,16)=*(4,6)
> __dev_t:t(4,17)=(4,5)
> __uid_t:t(4,18)=(4,3)
> __gid_t:t(4,19)=(4,3)
> __ino_t:t(4,20)=(4,4)
> __mode_t:t(4,21)=(4,3)
> __nlink_t:t(4,22)=(4,3)
> __off_t:t(4,23)=(0,3)
> __loff_t:t(4,24)=(4,6)
> __pid_t:t(4,25)=(0,1)
> __ssize_t:t(4,26)=(0,1)
> __rlim_t:t(4,27)=(4,4)
> __rlim64_t:t(4,28)=(4,5)
> __id_t:t(4,29)=(4,3)
> __fsid_t:t(4,30)=(4,31)=s8__val:(4,32)=ar(0,1);0;1;(0,1),0,64;;
> __daddr_t:t(4,33)=(0,1)
> __caddr_t:t(4,34)=(4,35)=*(0,2)
> __time_t:t(4,36)=(0,3)
> __useconds_t:t(4,37)=(0,4)
> __suseconds_t:t(4,38)=(0,3)
> __swblk_t:t(4,39)=(0,3)
> __clock_t:t(4,40)=(0,3)
> __clockid_t:t(4,41)=(0,1)
> __timer_t:t(4,42)=(0,1)
> __key_t:t(4,43)=(0,1)
> __ipc_pid_t:t(4,44)=(0,9)
> __blksize_t:t(4,45)=(0,3)
> __blkcnt_t:t(4,46)=(0,3)
> __blkcnt64_t:t(4,47)=(4,6)
> __fsblkcnt_t:t(4,48)=(4,4)
> __fsblkcnt64_t:t(4,49)=(4,5)
> __fsfilcnt_t:t(4,50)=(4,4)
> __fsfilcnt64_t:t(4,51)=(4,5)
> __ino64_t:t(4,52)=(4,5)
> __off64_t:t(4,53)=(4,24)
> __t_scalar_t:t(4,54)=(0,3)
> __t_uscalar_t:t(4,55)=(0,5)
> __intptr_t:t(4,56)=(0,1)
> __socklen_t:t(4,57)=(0,4)
> ../linuxthreads/sysdeps/pthread/bits/pthreadtypes.h
> ../sysdeps/unix/sysv/linux/bits/sched.h
> __sched_param:T(10,1)=s4__sched_priority:(0,1),0,32;;
> _pthread_fastlock:T(9,1)=s8__status:(0,3),0,32;__spinlock:(0,1),32,32;;
> _pthread_descr:t(9,2)=(9,3)=*(9,4)=xs_pthread_descr_struct:
> __pthread_attr_s:T(9,5)=s36__detachstate:(0,1),0,32;__schedpolicy:(0,1),32,3
> 2;__schedparam:(10,1),64,32;__inheritsched:(0,1),96,32;__scope:(0,1),128,32;
> __guardsize:(8,1),160,32;__stackaddr_set:(0,1),192,32;__stackaddr:(9,6)=*(0,
> 19),224,32;__stacksize:(8,1),256,32;;
> pthread_attr_t:t(9,7)=(9,5)
> pthread_cond_t:t(9,8)=(9,9)=s12__c_lock:(9,1),0,64;__c_waiting:(9,2),64,32;;
> pthread_condattr_t:t(9,10)=(9,11)=s4__dummy:(0,1),0,32;;
> pthread_key_t:t(9,12)=(0,4)
> pthread_mutex_t:t(9,13)=(9,14)=s24__m_reserved:(0,1),0,32;__m_count:(0,1),32
> ,32;__m_owner:(9,2),64,32;__m_kind:(0,1),96,32;__m_lock:(9,1),128,64;;
> pthread_mutexattr_t:t(9,15)=(9,16)=s4__mutexkind:(0,1),0,32;;
> pthread_once_t:t(9,17)=(0,1)
> _pthread_rwlock_t:T(9,18)=s32__rw_lock:(9,1),0,64;__rw_readers:(0,1),64,32;_
> _rw_writer:(9,2),96,32;__rw_read_waiting:(9,2),128,32;__rw_write_waiting:(9,
> 2),160,32;__rw_kind:(0,1),192,32;__rw_pshared:(0,1),224,32;;
> pthread_rwlock_t:t(9,19)=(9,18)
> pthread_rwlockattr_t:t(9,20)=(9,21)=s8__lockkind:(0,1),0,32;__pshared:(0,1),
> 32,32;;
> pthread_spinlock_t:t(9,22)=(0,1)
> pthread_barrier_t:t(9,23)=(9,24)=s20__ba_lock:(9,1),0,64;__ba_required:(0,1)
> ,64,32;__ba_present:(0,1),96,32;__ba_waiting:(9,2),128,32;;
> pthread_barrierattr_t:t(9,25)=(9,26)=s4__pshared:(0,1),0,32;;
> pthread_t:t(9,27)=(0,5)
> wchar_t:t(11,1)=(0,3)
> wint_t:t(11,2)=(0,4)
> ../include/wchar.h
> ../wcsmbs/wchar.h
> ../sysdeps/unix/sysv/linux/i386/bits/wchar.h
> __mbstate_t:t(13,1)=(13,2)=s8__count:(0,1),0,32;__value:(13,3)=u4__wch:(11,2
> ),0,32;__wchb:(13,4)=ar(0,1);0;3;(0,2),0,32;;,32,32;;
> _G_fpos_t:t(3,1)=(3,2)=s12__pos:(4,23),0,32;__state:(13,1),32,64;;
> _G_fpos64_t:t(3,3)=(3,4)=s16__pos:(4,53),0,64;__state:(13,1),64,64;;
> ../include/gconv.h
> ../iconv/gconv.h
>  
> :T(17,1)=e__GCONV_OK:0,__GCONV_NOCONV:1,__GCONV_NODB:2,__GCONV_NOMEM:3,__GCO
> NV_EMPTY_INPUT:4,__GCONV_FULL_OUTPUT:5,__GCONV_ILLEGAL_INPUT:6,__GCONV_INCOM
> PLETE_INPUT:7,__GCONV_ILLEGAL_DESCRIPTOR:8,__GCONV_INTERNAL_ERROR:9,;
>  :T(17,2)=e__GCONV_IS_LAST:1,__GCONV_IGNORE_ERRORS:2,;
> __gconv_fct:t(17,3)=(17,4)=*(17,5)=f(0,1)
> __gconv_init_fct:t(17,6)=(17,7)=*(17,8)=f(0,1)
> __gconv_end_fct:t(17,9)=(17,10)=*(17,11)=f(0,19)
> __gconv_trans_fct:t(17,12)=(17,13)=*(17,14)=f(0,1)
> __gconv_trans_context_fct:t(17,15)=(17,16)=*(17,17)=f(0,1)
> __gconv_trans_query_fct:t(17,18)=(17,19)=*(17,20)=f(0,1)
> __gconv_trans_init_fct:t(17,21)=(17,22)=*(17,23)=f(0,1)
> __gconv_trans_end_fct:t(17,24)=(17,25)=*(17,26)=f(0,19)
> __gconv_trans_data:T(17,27)=s20__trans_fct:(17,12),0,32;__trans_context_fct:
> (17,15),32,32;__trans_end_fct:(17,24),64,32;__data:(9,6),96,32;__next:(17,28
> )=*(17,27),128,32;;
> __gconv_step:T(17,29)=s56__shlib_handle:(17,30)=*(17,31)=xs__gconv_loaded_ob
> ject:,0,32;__modname:(17,32)=*(0,2),32,32;__counter:(0,1),64,32;__from_name:
> (4,35),96,32;__to_name:(4,35),128,32;__fct:(17,3),160,32;__init_fct:(17,6),1
> 92,32;__end_fct:(17,9),224,32;__min_needed_from:(0,1),256,32;__max_needed_fr
> om:(0,1),288,32;__min_needed_to:(0,1),320,32;__max_needed_to:(0,1),352,32;__
> stateful:(0,1),384,32;__data:(9,6),416,32;;
> __gconv_step_data:T(17,33)=s36__outbuf:(17,34)=*(0,11),0,32;__outbufend:(17,
> 34),32,32;__flags:(0,1),64,32;__invocation_counter:(0,1),96,32;__internal_us
> e:(0,1),128,32;__statep:(17,35)=*(13,1),160,32;__state:(13,1),192,64;__trans
> :(17,28),256,32;;
> __gconv_info:T(17,36)=s8__nsteps:(8,1),0,32;__steps:(17,37)=*(17,29),32,32;_
> _data:(17,38)=ar(0,1);0;-1;(17,33),64,0;;
> __gconv_t:t(17,39)=(17,40)=*(17,36)
> _G_iconv_t:t(3,5)=(3,6)=u44__cd:(17,36),0,64;__combined:(3,7)=s44__cd:(17,36
> ),0,64;__data:(17,33),64,288;;,0,352;;
> _G_int16_t:t(3,8)=(0,8)
> _G_int32_t:t(3,9)=(0,1)
> _G_uint16_t:t(3,10)=(0,9)
> _G_uint32_t:t(3,11)=(0,4)
> _IO_stdin_used:G(0,1)
> /usr/src/packages/BUILD/glibc-2.2.2/io/
> stat.c
> ../include/sys/stat.h
> ../io/sys/stat.h
> ../include/time.h
> ../time/time.h
> time_t:t(13,1)=(8,36)
> dev_t:t(4,1)=(8,17)
> gid_t:t(4,2)=(8,19)
> ino_t:t(4,3)=(8,20)
> mode_t:t(4,4)=(8,21)
> nlink_t:t(4,5)=(8,22)
> off_t:t(4,6)=(8,23)
> uid_t:t(4,7)=(8,18)
> blkcnt_t:t(4,8)=(8,46)
> blksize_t:t(4,9)=(8,45)
> ../sysdeps/unix/sysv/linux/bits/stat.h
> stat:T(14,1)=s88st_dev:(8,17),0,64;__pad1:(0,9),64,16;st_ino:(8,20),96,32;st
> _mode:(8,21),128,32;st_nlink:(8,22),160,32;st_uid:(8,18),192,32;st_gid:(8,19
> ),224,32;st_rdev:(8,17),256,64;__pad2:(0,9),320,16;st_size:(8,23),352,32;st_
> blksize:(8,45),384,32;st_blocks:(8,46),416,32;st_atime:(8,36),448,32;__unuse
> d1:(0,5),480,32;st_mtime:(8,36),512,32;__unused2:(0,5),544,32;st_ctime:(8,36
> ),576,32;__unused3:(0,5),608,32;__unused4:(0,5),640,32;__unused5:(0,5),672,3
> 2;;
> stat64:T(14,2)=s96st_dev:(8,17),0,64;__pad1:(0,4),64,32;__st_ino:(8,20),96,3
> 2;st_mode:(8,21),128,32;st_nlink:(8,22),160,32;st_uid:(8,18),192,32;st_gid:(
> 8,19),224,32;st_rdev:(8,17),256,64;__pad2:(0,4),320,32;st_size:(8,53),352,64
> ;st_blksize:(8,45),416,32;st_blocks:(8,47),448,64;st_atime:(8,36),512,32;__u
> nused1:(0,5),544,32;st_mtime:(8,36),576,32;__unused2:(0,5),608,32;st_ctime:(
> 8,36),640,32;__unused3:(0,5),672,32;st_ino:(8,52),704,64;;
> __stat:F(0,1)
> file:p(0,20)=*(0,2)
> buf:p(0,21)=*(14,1)
> file:r(0,20)
> buf:r(0,21)
> GCC: (GNU) 2.95.3 20010315 (SuSE)
-- 
Borut Kurnik <borut.kurnik at add.si>



