lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <1044475706.4696.146.camel@localhost.localdomain>
From: simon at snosoft.com (ATD)
Subject: (no subject)

Hrm,
When I read this I see the key phrase "for the vulnerable daemon". If a
firewall is forwarding traffic from the internet to an internal system,
to a vulnerable daemon on that system, then file transfers are the least
of your worries.



On Tue, 2003-02-04 at 11:41, bugtraq@...inc.com wrote:
> So, really you didn't find a way to bypass every firewall, you found a way to
> upload/download files on a remote system. I have seen something like this
> before.
> 
> alt
> 
> Date: Tue, 4 Feb 2003 01:58:44 -0300
> From: ^Shadown^ <shadown@...iloche.com.ar>
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] re: Global HIGH Security Risk
> 
> Dear Folks,
> 
> I've set up a server behind a fw (ipchains) without gcc, with a vulnerable
> daemon; the fw was set up just to allow the server to go out through the
> bound daemon port only.
>
> What I did first was just to code an exploit for the vulnerable daemon and
> add a simple command sequence to write down to the server a uuencoded file
> using the vi editor, then uudecode it and un-tar.gz it, and that way could
> upload binary files (which could be tools, sniffers, local exploits, etc).
> That way I could upload binaries to execute on the remote server. But I
> wanted to download files too (text and binaries), so I coded a sniffer which
> listens for a specific ID-sequence to start/stop dumping to a file, and
> coded a tool to send the ID-sequence and the file to the sniffer. All this
> worked right.
>
> Then I removed all the programs that could be used as a text editor (joe,
> vim, cat, ed, etc), uudecode/uuencode, and compressing file tools.
>
> And I began to develop a technique which may be applied in any exploit
> code. It could be done many ways. Every coder is gonna do it its own way,
> but I did it mine.
>
> I've coded an exploit with few options: -f file_to_upload, -s spawn_shell.
> The exploit sends different encrypted shellcodes depending on the options.
> One shellcode sends and writes down to /tmp the file which firstly was
> fragmented by the exploit to be inserted into the multi-shellcode
> sequence (-f). The other is a standard shellcode.
>
> As simple as this, so you can upload and download any file type, and
> execute it on the remote server.
>
> I think this explains the idea.
> I wish to post the PoC, but don't wanna get in trouble.
>
> Cheers,
>         ^Shadown^
> 
>         my pgp key:
> 
>         -----BEGIN PGP PUBLIC KEY BLOCK-----
>         Version: PGPfreeware 5.0i for non-commercial use
> 
>         mQGiBDewdE4RBADwVP96nauXxbvLNENeZYrvDVF+L59UygAFN5GyUOlMWKLOCJYX
>         ETlwkSHdhJ4yK+QXHdT7fVIxFSbUbPA2W1qRg070XGFXZUyd8KzIHRpYXxTfQ4Z9
>         T8Gy3Ah/Q3ug7ka1mSv+u0s2TLc/zzpn2avlqHDMe9LnNhb/dQuOyxhqHwCg/1PR
>         wkqWQ6VhvOVr/2WLRHAtQk0D/i0FyzXs4kXudugwi3Wa19yXR3NeJrNTRBYH4Ewe
>         1G8OCLSKA2i03h0coU9pnvrqSdmXaH3YveZcFyq8BLLPZR0t8CZOLoim2wn8HuSC
>         rfRR+dLdyGic6Yzkz9xlXIpY8lkW0DFfv2dwgRmU3Uw7vFWYc+cKhhNRQXvIOPBE
>         b+2LA/0bY6axVCqrgBcIxBdsShQQTCb46koc5/h7p4WuOZJsouhfa/TH2Ao2v5Kg
>         zYipelHJt3NG2cX+tVWrlCLI++GMrTDdhfpQnzphXmrY8TdDZdLJnoIo4dZNL4XP
>         nxC5J7s6d+gpiT3JU8Z/v7jXxDLAY9OHm58sfLNjA72uJR49NLQkXlNoYWRvd25e
>         IDxTaGFkb3duQGJhcmlsb2NoZS5jb20uYXI+iQBOBBARAgAOBQI3sHROBAsDAgEC
>         GQEACgkQYbpiyBSkmBV5uACg5vp2HtkVBLb/DZ1vfNor4zkydPYAnAp3713OS/yQ
>         uVKqOQEt+KR0uwUKuQINBDewdE4QCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFu
>         uUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89
>         PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa
>         8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
>         jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
>         ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/9ZMU/n
>         2QMvtMWRp+o3N8hJXRMzfBWK/Uuq3+ena8VGrHXyoA/9QTNbTCaJTaEUSqtjRBYn
>         SOJlb9cfvlV5uwNFJYLv4ZHDXGv0TwNZbMjYCL4dWZOY/yaKFg0Ut48iOcyL0bPj
>         Grn8BrA0odpQXqAhJb7kNlR9iAcQiHzjvbTrF2XwXPknvyhXU5fwl+5LUbaZqNhE
>         FAA1sFktniOXgYshPqIGtZfQXdHdKl2Zd/K2cnuIAffFKDiHtlfvH4kLs9h5SlSt
>         cZfXodl+TxcEoELI9dke+HmUuJYqVCRN03znfIIUnDVlc5CyZYMlF/bwGAXwcVei
>         +1qLyWnJOadmoa6miQBGBBgRAgAGBQI3sHROAAoJEGG6YsgUpJgV/LYAnjQ7sSin
>         FSdirJmF4F/DCd/8GisYAKCFkOPu67W5Tug8ixlRKFwBIyEdzg==
>         =i8Hu
>         -----END PGP PUBLIC KEY BLOCK-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
ATD <simon@...soft.com>
Secure Network Operations, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030205/fc96b6e3/attachment.bin