lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <b7bc1b1f04092818341d18ee74@mail.gmail.com>
From: uberguidoz at gmail.com (GuidoZ)
Subject: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ...

Yes Todd, I believe you are. The JPEG exploit found in the wild was a
simple connect back which downloaded trojan/irc-bot files (including a
dropper, netcat for Windows, and a batch file to run it all) as
mentioned on Easynews. Compiling the available script and adding in
your own code is all it takes. As close to Plug-n-Play as you can get
with a new exploit if you ask me.

--
Peace. ~G


On Mon, 27 Sep 2004 16:33:04 -0500, Todd Towles
<toddtowles@...okshires.com> wrote:
> Isn't there a tool that will create the jpeg for it... and you can input
> the URL you want the JPEG to download.
> 
> The JPEG will grab dropper script or whatever you want it to. No need
> to revisit. Am I correct in thinking this?
> 
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Castigliola, Angelo
> Sent: Monday, September 27, 2004 3:30 PM
> To: morning_wood; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
> Bind shell ...
> 
> Eh, it would not be that hard to write up something that could revisit
> all of the computers that hit the web server to infect them with
> something after the initial jpg exploit was run. It would truly be a
> one-of-a-kind worm. Reason enough in itself to motivate someone to write it.
> 
> As far as media hype goes, I'm all for it. It keeps the IT job market strong.
> 
> Angelo Castigliola III
> Operations Technical Analyst I
> UnumProvident IT Services
> 207.575.3820
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> morning_wood
> Sent: Saturday, September 25, 2004 2:06 PM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
> Bind shell ...
> 
> umm, no
> all this has that's different is correct headers for bind or remote shell
> option, and the ability to set ports and return IP in the code instead of
> needing to use your own shellcode (or Metasploit's). Note: there is no
> new exploit code or vector.
> 
> ------------------- / snip /----------------- new.
> char header1[] =
> "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
> "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
> "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
> "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
> "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
> "\x2E\x3E\x35\x35\x35\x35\x35\x3E";
> ------------------- / snip /----------------- old.
> ------------------- / snip /-----------------
> char header1[]=
> "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
> "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
> "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
> "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
> "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
> "\x2E\x3E\x35\x35\x35\x35\x35\x3E";
> ------------------- / snip /-----------------
> 
> take your media hype and die kthnx,
> m.wood
> 
> > the last step before the worm
> >
> > http://www.k-otik.com/exploits/09252004.JpegOfDeath.c.php
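
An added example, not code from this thread or from the linked exploit: a small Python scanner that walks JPEG marker segments and flags the MS04-028 trigger condition, a COM (0xFFFE) segment whose 16-bit length field is below 2, which the header1 bytes quoted above carry as "\xFF\xFE\x00\x01". The sample input is that quoted header1, assembled here as a constructed constant; the benign sample is constructed too.

```python
# Added detection example (not from the thread). GDI+ subtracted the two
# length bytes from a COM segment's length before copying the comment, so a
# length of 0 or 1 underflowed into a huge copy (MS04-028). We flag that.
import struct

# Constructed: the 88 bytes of header1 quoted in the thread, as hex.
HEADER1 = bytes.fromhex(
    "FFD8FFE000104A464946000102000064" "00640000FFEC00114475636B79000100"
    "040000000A0000FFEE000E41646F6265" "0064C000000001FFFE00010014101019"
    "12192717172732EB0F2632DCB1E77026" "2E3E35353535353E"
)
# Constructed benign file: SOI, APP0, a 2-byte comment "hi", EOI.
BENIGN = b"\xFF\xD8\xFF\xE0\x00\x04\x01\x02\xFF\xFE\x00\x04hi\xFF\xD9"


def scan_jpeg_segments(data: bytes):
    """Yield (offset, marker, length) for each marker segment after SOI.

    Stops at EOI, at SOS (entropy-coded data follows, no more segments),
    or after a segment whose length is < 2 (the stream cannot be walked
    safely past a malformed length)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if marker == 0xDA or length < 2:  # SOS, or malformed length
            return
        pos += 2 + length  # length counts its own two bytes


def find_ms04_028_com(data: bytes):
    """Return [(offset, length)] for COM segments with length < 2."""
    return [(off, ln) for off, mk, ln in scan_jpeg_segments(data)
            if mk == 0xFE and ln < 2]


if __name__ == "__main__":
    print("header1:", find_ms04_028_com(HEADER1))  # [(55, 1)]
    print("benign:", find_ms04_028_com(BENIGN))    # []
```

The walk covers only the marker segments before SOS, which is where a COM segment with an undersized length sits; it is a targeted check, not a full JPEG validator.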

