On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote:
> Przemyslaw Frasunek wrote:
> >
> > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */
>
> Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
>
> More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> caused it to seg. fault and core. No time to double-check if that is actually
> exploitable at this moment. How many NTP distributions are based off of the
> vulnerable code? With the small payload, gaining access might be hard, but
> the potential for DoS looks pretty easy.

We've taken a peek at getting sparc shellcode working with this. Getting
it in below the 70 byte buffer size is tricky.

Does anybody out there have working shellcode for this that can do *anything*
to the state of the system even if it doesn't lead to full sploit? (beyond
making ntp core of course ;) )

cheers,

Matt
