Message-ID: <41741.63.167.190.130.1044376863.squirrel@www.780inc.com>
From: bugtraq at 780inc.com (bugtraq@...inc.com)
Subject: (no subject)
So, really you didn't find a way to bypass every firewall; you found a way to upload/download files on a remote system. I have seen something like this before.
Date: Tue, 4 Feb 2003 01:58:44 -0300
From: ^Shadown^ <shadown@...iloche.com.ar>
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] re: Global HIGH Security Risk
Dear Folks,

I've set up a server behind a fw (ipchains) without gcc, with a vulnerable daemon; the fw was set up just to allow the server to go through on the bound daemon port only.

What I did first was just to code an exploit for the vulnerable daemon and add a simple command sequence to write the file down to the server as an uuencoded file using the vi editor, then uudecode it and un-tar.gz it, and that way I could upload binary files (which could be tools, sniffers, local exploits, etc.). That way I could upload binaries to execute on the remote server. But I wanted to download files too (text and binaries), so I coded a sniffer which listens for a specific ID sequence to start/stop dumping to a file, and coded a tool to send the ID sequence and the file to the sniffer. All this worked right.

Then I removed all the programs that could be used as a text editor (joe, vim, cat, ed, etc.), uudecode/uuencode, and file compression tools.

And I began to develop a technique which may be applied in any exploit code. It could be done many ways. Every coder is gonna do it their own way, but I did it mine.

I've coded an exploit with a few options: -f file_to_upload, -s spawn_shell. The exploit sends different encrypted shellcodes depending on the options. One shellcode sends and writes down to /tmp the file which was first fragmented by the exploit to be inserted into the multi-shellcode sequence (-f). The other is a standard shellcode.

As simple as this, so you can upload and download any file type and execute it on the remote server.

I think this explains the idea.

I wish to post the PoC, but don't wanna get in trouble.

Cheers,
^Shadown^
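The first variant described in the quoted post ships the binary through the one permitted daemon port as uuencoded text typed into an editor, which means a monitoring point on that port sees a plain "begin <mode> <name>" ... "end" block. As an added defender-side example (not code from either poster, and not part of the original thread), the following Python scans a captured text session for well-formed uuencoded blocks, decodes them with the standard library's binascii, and reports the declared file name, mode and decoded size. The function names, the constructed sample session and the 100-byte "tool" payload are all assumptions made here for illustration.

```python
"""Flag uuencoded file transfers inside a captured text session (added example)."""
import binascii
import re

# "begin <octal mode> <name>" opens a uuencoded block; a bare "end" closes it.
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S+)$")


def find_uuencoded_blocks(payload: str) -> list:
    """Return one dict per complete, well-formed uuencoded block in payload.

    Each dict carries the declared mode and file name, the decoded size and
    the decoded bytes.  A 'begin' line whose body does not decode cleanly up
    to an 'end' line is skipped rather than reported, so a stray word
    'begin' in ordinary traffic does not produce a false positive.
    """
    lines = payload.splitlines()
    blocks = []
    i = 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        mode, name = m.groups()
        decoded = bytearray()
        j = i + 1
        well_formed = False
        while j < len(lines):
            if lines[j] == "end":
                well_formed = True
                break
            try:
                # a2b_uu rejects characters outside the uuencode alphabet,
                # so ordinary shell text inside a bogus block fails here.
                decoded += binascii.a2b_uu(lines[j].encode("ascii"))
            except ValueError:  # non-ASCII or not a uuencoded line
                break
            j += 1
        if well_formed:
            blocks.append({"mode": mode, "name": name,
                           "size": len(decoded), "data": bytes(decoded)})
            i = j + 1
        else:
            i += 1
    return blocks


def uuencode_text(name: str, mode: str, data: bytes) -> str:
    """Build a uuencoded block (45 input bytes per line); used only to
    construct the sample session below."""
    out = [f"begin {mode} {name}"]
    for off in range(0, len(data), 45):
        out.append(binascii.b2a_uu(data[off:off + 45]).decode("ascii").rstrip("\n"))
    out.append("`")  # zero-length line that conventionally precedes 'end'
    out.append("end")
    return "\n".join(out)


# Constructed sample: shell noise around a 100-byte "tool" shipped as uuencode.
TOOL_BYTES = bytes(range(100))
SAMPLE_PAYLOAD = "\n".join([
    "uname -a",
    "cd /tmp",
    uuencode_text("tool.tar.gz", "644", TOOL_BYTES),
    "uudecode tool.uu && tar xzf tool.tar.gz",
])
# Constructed noise with no real block in it.
NOISE_PAYLOAD = "ls -la /tmp\nbegin the upgrade at 0900\nexit\n"

if __name__ == "__main__":
    for b in find_uuencoded_blocks(SAMPLE_PAYLOAD):
        print(f"uuencoded transfer: {b['name']} mode {b['mode']} {b['size']} bytes")
```

This only catches the text-editor variant; the post's second variant carries the file fragmented inside the shellcode itself, which is exactly the case a content check like this misses. For that case the useful signals are on the host rather than on the wire: a network daemon writing into /tmp and a new executable appearing there, which file-integrity monitoring or a noexec /tmp mount addresses directly.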