From lcamtuf@dione.ids.pl Tue Dec 12 17:29:52 2000
Date: Tue, 12 Dec 2000 23:53:10 +0100 (CET)
From: Michal Zalewski
To: Lance Spitzner
Cc: INCIDENTS@SECURITYFOCUS.COM
Subject: Re: Scan of the Month - Two Exploits

On Mon, 11 Dec 2000, Lance Spitzner wrote:

> This month's Scan is unique. Several scans and two exploits were run
> against a Linux honeypot in the same morning. The challenge to the
> security community is to review the captured signatures and answer any
> of the following six questions based on the snort signatures.

Hi Lance :) Here we go... Hope I won't make other people upset by
answering these questions?

> ### QUESTION 1: Can you name the FTP scanning tool?

Hard to say, this port is used way too frequently by backdoors, scanners
and pretty innocent applications. I couldn't find any published code that
causes such packet patterns. One question unanswered.

> ### QUESTION 2: What does this FTP exploit achieve? Does it open a port,
> create a shell, add a user account?

Venglin's exploit, AFAIK, executes a local shell using the already opened
ftp control connection. PASSword is used to store shellcode, while the
main attack is performed using a format string vulnerability, which causes
a return-into-password bug ;P That was a pretty cute trick.

In venglin's ftp exploit, which wasn't successful, you are not able to
find out how it is supposed to work, and which vulnerability is exploited.
The main attack code wasn't reached (login failed). For mere mortals, at
least at first sight, this looks like a PASS buffer overflow attempt, but,
after realising it isn't (no ret addr, for example ;), you can't guess
what should happen, because the most important command (SITE EXEC) wasn't
issued...

> ### QUESTION 3: Is the FTP attack successful?

No. He was not able to log in using the anonymous account, for some
reason, and thus hasn't exploited the SITE EXEC format string
vulnerability yet.

> ### QUESTION 4: What RPC service is exploited?

Urm, rpc.statd - http://www.pulhas.org/xploitsdb/mUNIXes/statd3.html

> ### QUESTION 5: Where in the exploit code below does he bind a shell
> to port 39168?

See exploit source :) It is generic shellcode.

> ### QUESTION 6: What two accounts are created, and what are the UID's?

user:5000 (with password)
sendmail:10865 (w/o password)
+ inetd.conf entry with rootshell
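The two FTP-side tells described in the reply (shellcode stored in the PASS argument, format specifiers in a later SITE EXEC) can be checked for mechanically on reconstructed control-channel commands. The following is an added detection example written for this post, not code from the thread or from either exploit; the FTP commands it inspects are constructed samples, and the thresholds are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Constructed sample FTP control-channel commands (not from the honeypot capture).
# The "shellcode" password is a NOP sled followed by 0xcc filler bytes.
SAMPLE_COMMANDS = [
    b"USER anonymous",
    b"PASS mozilla@",
    b"USER ftp",
    b"PASS " + b"\x90" * 40 + b"\xcc" * 8,
    b"SITE EXEC %p%p%p%p%p%p%p%p%p",
    b"SITE EXEC " + b"%.8x" * 20 + b"%n",
    b"RETR README",
]

# printf-style conversion: %[flags][width][.precision]conversion
FORMAT_SPEC = re.compile(rb"%[-+ 0#]*\d*(?:\.\d+)?[diouxXfeEgGcspn]")

def score_pass(arg: bytes) -> List[str]:
    """Flag PASS arguments that look like a payload rather than a password."""
    reasons = []
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if nonprint and nonprint / len(arg) > 0.2:      # assumed threshold
        reasons.append("non-printable bytes in password")
    if b"\x90" * 8 in arg:                           # x86 NOP sled
        reasons.append("NOP sled")
    if len(arg) > 128:                               # assumed threshold
        reasons.append("oversized password")
    return reasons

def score_site_exec(arg: bytes) -> List[str]:
    """Flag SITE EXEC arguments carrying user-controlled format directives."""
    reasons = []
    specs = FORMAT_SPEC.findall(arg)
    if len(specs) >= 4:                              # assumed threshold
        reasons.append(f"{len(specs)} format specifiers")
    if b"%n" in arg:                                 # the write primitive
        reasons.append("%n write specifier")
    return reasons

def inspect(commands: List[bytes]) -> List[Dict[str, object]]:
    """Return one finding per suspicious command, in capture order."""
    findings = []
    for cmd in commands:
        verb, _, arg = cmd.partition(b" ")
        verb = verb.upper()
        reasons: List[str] = []
        if verb == b"PASS":
            reasons = score_pass(arg)
        elif verb == b"SITE" and arg.upper().startswith(b"EXEC"):
            reasons = score_site_exec(arg[4:])
        if reasons:
            findings.append({"command": verb.decode(), "reasons": reasons})
    return findings
```

Run against a real capture, the PASS finding alone would match this month's unsuccessful attempt, while the SITE EXEC finding is what a completed attack against the same vulnerability would add.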