Just do a standard symlink to /tmp/socks5.pid and connect() to port 1080.
Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
obtain access of the owner of the socks daemon (probably nobody or daemon).
Systems running Socks5 beta-0.17.2 from NEC and probably earlier versions.
9 May 1997
Date: Fri, 9 May 1997 11:26:19 -0500
From: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Subject: Bug Serious problem in NEC SOCKS server
The following bug is present at *least* in Socks5 beta-0.17.2 from NEC. Other
versions haven't been tested, but they are most likely vulnerable as well
>From the manpage:
Identifies the filename that stores the socks5 process ID when the
port is a port other than 1080. When you use port 1080, socks5
stores the PID in /tmp/socks5.pid. When you run socks5 on a port
other than 1080, socks5 stores the PID in /tmp/socks5.(port).pid
unless you specify an alternate filename with SOCKS5_PIDFILE.
If /tmp/socks5.pid doesn't exist, it is simply a matter of linking the
password file to /tmp/socks5.pid (or whatever it's called on your system).
When socks starts up, it happily overwirtes the file's previous contents with
the PID of the new socks server.
* Use mktemp to generate a unique temp file name and redirect socks to that
* The source is available, recompile *without* PID file support
* Create /tmp/socks5.pid (as root) and make sure that ordinary users can't
"One unerring mark of the love of truth is not entertaining
any propositions with greater assurance than the proofs it
is built upon will warrant" -- John Locke, 1690
Trevor Schroeder email@example.com
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: