Remote count.cgi exploit mods

Date: Sat, 11 Jul 1998 18:01:16 +0100
From: Gus <angus@INTASYS.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Remote count.cgi exploit mods

On Thu, 9 Jul 1998, _ _ wrote:
> There is a commonly known local exploit available which works on
> Count.cgi. Plaguez posted the original and Gus posted a mod for Linux.

Plaguez created the original *remote* linux exploit, all I did was clean
things up a bit and add some offsets for different versions. Like
everything else, we stand on the shoulders of what goes before.

The code you posted is an old version that I released to settle an
argument, I sent the full version in to rootshell after noticing that
someone had sent in the old one, you can get it from rootshell or
from http://www.intasys.com/~angus/count.cgi.l.c


> I've tried to modify the exploit further to work on a remote linux site.
> This seems to be a better way than to test our site internally.
> It compiles fine and seems to run, but doesn't send me an Xterm.
> I have attached my hacked code.  Any ideas or suggested improvements??

WTF is this doing on bugtraq? Did you read and UNDERSTAND what is going on
in Count.cgi, and why this does or does not work? Did you even "xhost +" ?

Anyway.

If you want it for "white hat" purposes, here is a quicker way of
checking. If the version is 2.4, then it is patched for this bug. Anything
below that is vulnerable. (2.4 is the latest version)

http://www.fccc.edu/users/muquit/Count.html is the author's homepage for
the program. Download and compile it, get the file size and then compare
it to what is on your web server. On Linux it is 79800 bytes, or 71624
bytes after stripping.

If you really do want to test your systems by running an exploit over
them, and this is a recurring need, then you would be well served by
taking the time to create 'execve("/bin/sh","-c","<-- whatever -->");'
shellcode and retrofitting it to all the exploits that come out. When you
retrofit it, just add a routine to overwrite the spaces you left in the
shellcode with the command line you wish to execute. It's not that hard
(heh, it can't be if I managed it :-/), but like everyone else I'm not
gonna release it to the public.

You then have the chance to run an arbitrary command line on the host, and
your white hatted-ness will be made so much easier, since you can run
"ping -c1 icmp.logging.host.name" and just collect a list of vulnerable
machines from your syslog.


        _Gus

--
                                angus@intasys.com
                          http://www.intasys.com/~angus/
