Re: Knox Arkeia remote root/system exploit

[H D Moore <sflist@xxxxxxxxxxxxxxxxxx>]

The metasploit project has released two exploits for this flaw:
 http://metasploit.com/projects/Framework/exploits.html#arkeia_type77_win32
 http://metasploit.com/projects/Framework/exploits.html#arkeia_type77_macos

The win32 exploit has targets for every version of Arkeia between 4.2 and 
5.3.3. The macos exploit should work across a large range of versions 
with no modifications.  Both of these exploits have the capability to 
dump the remote system information and Arkeia version[1].

This bug looks difficult or even impossible to exploit on the Solaris 
64bit platform; the main() function calls exit()[2] before the final 
return to the overwritten stack pointer. It may be possible to use one of 
the local variable overwrites to an advantage, but at first glance it 
seems unlikely.

-HD

1. There are worse problems here than stack overflows...
2. It actually calls doexit() which in turn calls exit()

On Friday 18 February 2005 10:29, John Doe wrote:
> /*
> * Knox Arkeia Server Backup
> * arkeiad local/remote root exploit
> * Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE
> * Works up to current version 5.3.x
> [ snip ]
> */