Re: jizzy.c -- sendmail remote exploit (POSSIBLE TROJAN)
From: Barry Margolin (barmar@genuity.net) Date: 05/21/02
- Next message: Will Packard: "Re: How to bulletproof anon FTP downloads?"
- Previous message: Henri Karrenbeld: "Re: jizzy.c -- sendmail remote exploit (POSSIBLE TROJAN)"
- In reply to: Henri Karrenbeld: "Re: jizzy.c -- sendmail remote exploit (POSSIBLE TROJAN)"
- Next in thread: Henri Karrenbeld: "Re: jizzy.c -- sendmail remote exploit (POSSIBLE TROJAN)"
- Reply: Henri Karrenbeld: "Re: jizzy.c -- sendmail remote exploit (POSSIBLE TROJAN)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Barry Margolin <barmar@genuity.net> Date: Tue, 21 May 2002 18:58:28 GMT
In article <ace4p0$1jt$1@dinkel.civ.utwente.nl>,
Henri Karrenbeld <henrikar@arago.utwente.nl> wrote:
>Barry Margolin <barmar@genuity.net> writes:
>>I don't know what *that* shellcode does, but the typical thing for a buffer
>>overflow exploit to do is execl("/bin/sh", "sh", (char*)0), i.e. start a
>>shell. That's what's usually in the shellcode.
>
>I knew that ;-) Of course, for a trojan that's not very useful. There'd just be
>another shell running as the user running the program.
It connects to an SMTP server and sends the shellcode, doesn't it? The
buffer overflow is intended to get the server to execute the shell code,
and since sendmail runs as root you end up with a root shell using the
network connection as its stdin/stdout/stderr.
That's why I don't think it's a trojan at all. Or am I misremembering the
code in the original post?
--
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
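An added defender-side illustration of the post-exploit state described above (a root shell with the network connection as its standard streams), not code from the thread or from jizzy.c: a Linux /proc sweep that flags root-owned shells whose stdin and stdout are sockets. The SAMPLE entries, PIDs and socket inode numbers are constructed.

```python
import os
from dataclasses import dataclass
from typing import Dict, List

# Shells an exec("/bin/sh")-style payload would leave running.
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh", "zsh"}

@dataclass
class Proc:
    pid: int
    comm: str              # executable name, from /proc/<pid>/comm
    uid: int               # owner of /proc/<pid> (normally the effective uid)
    stdio: Dict[int, str]  # fd 0/1/2 -> readlink target; absent if closed

def is_socket_shell(p: Proc) -> bool:
    """A shell whose stdin and stdout are both sockets, i.e. driven over a
    network connection (stderr usually is too, but closing it must not hide it)."""
    # /proc/<pid>/fd/N is a symlink reading "socket:[inode]" when fd N is a socket.
    return p.comm in SHELLS and all(
        p.stdio.get(fd, "").startswith("socket:[") for fd in (0, 1))

def suspicious(procs: List[Proc]) -> List[int]:
    """PIDs of root-owned socket shells: the post-exploit state the thread
    describes when a daemon running as root is made to exec a shell."""
    return [p.pid for p in procs if p.uid == 0 and is_socket_shell(p)]

def read_proc() -> List[Proc]:
    """Snapshot live Linux processes; run as root to read every fd table."""
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid, stdio = int(name), {}
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            uid = os.stat(f"/proc/{pid}").st_uid
        except OSError:
            continue  # process exited between listdir() and open()
        for fd in (0, 1, 2):
            try:
                stdio[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                pass  # fd closed, or unreadable without root
        procs.append(Proc(pid, comm, uid, stdio))
    return procs

# Constructed sample: a user's terminal shell and a root /bin/sh on the attacker's connection.
SAMPLE = [
    Proc(1200, "bash", 1000, {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    Proc(4242, "sh", 0, {0: "socket:[4011]", 1: "socket:[4011]", 2: "socket:[4011]"}),
]
```

inetd-style services that launch a shell script inherit the accepted socket as their stdio in exactly the same way, so baseline a host before alerting on every hit from `suspicious(read_proc())`.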