Message-ID: <Pine.LNX.4.33.0302040907120.283-100000@abacus.xcorps.net>
From: jonathan at xcorps.net (Jonathan Rickman)
Subject: re: Global HIGH Security Risk

On Tue, 4 Feb 2003, ^Shadown^ wrote:

> Dear Folks,
>
> 	Thanks for your answers helping me on how to post this information without getting in trouble.
> 	And to the ones that treat me as if I were stupid, all I have to say is that it was just simple. I don't know why it's not been documented, I've googled hard but couldn't find anything about it.
> 	I've set up a server behind a fw (ipchains) without gcc, with a vulnerable daemon, the fw was set up just to allow the server to go through out by the binded daemon port only.
> 	What I did first was just to code an exploit for the vulnerable daemon and added a simple command sequence to write down to the server an uuencoded file using vi editor, then uudecode it and un-tar.gz and that way could upload binary files (which could be tools, sniffers, local exploits, etc). That way I could upload binary to execute on the remote server. But I've wanted to download files too (text and binaries) so I've coded a sniffer which listens for a specific ID-sequence to start/stop dumping to a file. And coded a tool to send the ID-sequence and the file to the sniffer. All this worked right.
> 	Then I removed all the programs that could be used as a text editor (joe, vim, cat, ed, etc), uudecode/uuencode, and compressing file tools.
> 	And I began to develop a technique which may be applied in any exploit code.
> 	It could be done many ways. Every coder is gonna do it its own way, but I did it mine.
> 	I've coded an exploit with few options -f file_to_upload -s spawn_shell.
> 	The exploit sends different encrypted shellcodes depending on the options.
> 	A shellcode sends and writes down to /tmp the file which firstly was fragmented by the exploit to be inserted into the multi shellcode sequence. (-f)
> 	The other is a standard shellcode.
> 	As simple as this, so you can upload and download any file type, and executed on the remote server.
> 	I think this explains the idea.
> 	I wish to post the PoC, but don't wanna get in trouble.
> 	Cheers,
> 		^Shadown^


Again, I'm not trying to play the antagonist here, just asking a question.
If what you're saying is, you placed a vulnerable service behind a packet
filter that allowed inbound connections to the vulnerable service...well,
duh. Of course you can run the exploit.

I'm a bit confused by this statement

"allow the server to go through out by the binded daemon port only"

Are you saying that it's set up the way I described in the paragraph
above?

Once again, I'm not being critical...just trying to get through the
language barrier.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net




