re: Global HIGH Security Risk

[^Shadown^ <shadown () bariloche com ar>]

Dear Folks,

        Thanks for your answers helpping me on how to post this information without getting in trouble.
        And to the ones that treat me as if I were stupid, all I have to say is that it was just simple. I don't know 
why it's not been documented, I've googled hard but couldn't find any thing about it.
        I've set up a server behind a fw (ipchains) without gcc, with a vulnerable daemon, the fw was set up just to 
allow the server to go through out by the binded daemon port only.
        What I did first was just to code an exploit for the vulnerable daemon and added a simple command sequence to 
write down to the server an uuencoded file using vi editor, then uudecode it and un-tar.gz and that way could upload 
binary files (which could be tools, sniffers, local exploits, etc). That way I could upload binary to execute on the 
remote server. But I've wanted to download files too (text and binaries) so I've coded a sniffer which listens for a 
specific ID-secuence to start/stop dumping to a file. And coded a tool to send the ID-secuence and the file to the 
sniffer. All this worked right.
        Then I removed all the programas that could be used as an text editor (joe, vim, cat, ed, etc), 
uudecode/uuencode, and compressing file tools.
        And I began to develop a technique which may be apply in any exploit code.
        It could be done many ways. Every coder is gonna do it it's own way, but I did it mine.
        I've coded an exploit with few options -f file_to_upload -s spawn_shell.
        The exploit sends diferent encrypted shellcodes depending the options.
        A shellcode sends and writes down to /tmp the file which firstly was fragmented by the exploit to be inserted 
into the multi shellcode sequence.(-f)
        The other is a standard shellcode.
        As simple as this, so you can upload and download any file type, and executed on the remote server.
        I think this explains the idea.
        I wish to post the PoC, but don't wanna get in trouble.
        Cheers,
                ^Shadown^
                
        my pgp key:

        -----BEGIN PGP PUBLIC KEY BLOCK-----
        Version: PGPfreeware 5.0i for non-commercial use

        mQGiBDewdE4RBADwVP96nauXxbvLNENeZYrvDVF+L59UygAFN5GyUOlMWKLOCJYX
        ETlwkSHdhJ4yK+QXHdT7fVIxFSbUbPA2W1qRg070XGFXZUyd8KzIHRpYXxTfQ4Z9
        T8Gy3Ah/Q3ug7ka1mSv+u0s2TLc/zzpn2avlqHDMe9LnNhb/dQuOyxhqHwCg/1PR
        wkqWQ6VhvOVr/2WLRHAtQk0D/i0FyzXs4kXudugwi3Wa19yXR3NeJrNTRBYH4Ewe
        1G8OCLSKA2i03h0coU9pnvrqSdmXaH3YveZcFyq8BLLPZR0t8CZOLoim2wn8HuSC
        rfRR+dLdyGic6Yzkz9xlXIpY8lkW0DFfv2dwgRmU3Uw7vFWYc+cKhhNRQXvIOPBE
        b+2LA/0bY6axVCqrgBcIxBdsShQQTCb46koc5/h7p4WuOZJsouhfa/TH2Ao2v5Kg
        zYipelHJt3NG2cX+tVWrlCLI++GMrTDdhfpQnzphXmrY8TdDZdLJnoIo4dZNL4XP
        nxC5J7s6d+gpiT3JU8Z/v7jXxDLAY9OHm58sfLNjA72uJR49NLQkXlNoYWRvd25e
        IDxTaGFkb3duQGJhcmlsb2NoZS5jb20uYXI+iQBOBBARAgAOBQI3sHROBAsDAgEC
        GQEACgkQYbpiyBSkmBV5uACg5vp2HtkVBLb/DZ1vfNor4zkydPYAnAp3713OS/yQ
        uVKqOQEt+KR0uwUKuQINBDewdE4QCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFu
        uUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89
        PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa
        8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
        jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
        ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/9ZMU/n
        2QMvtMWRp+o3N8hJXRMzfBWK/Uuq3+ena8VGrHXyoA/9QTNbTCaJTaEUSqtjRBYn
        SOJlb9cfvlV5uwNFJYLv4ZHDXGv0TwNZbMjYCL4dWZOY/yaKFg0Ut48iOcyL0bPj
        Grn8BrA0odpQXqAhJb7kNlR9iAcQiHzjvbTrF2XwXPknvyhXU5fwl+5LUbaZqNhE
        FAA1sFktniOXgYshPqIGtZfQXdHdKl2Zd/K2cnuIAffFKDiHtlfvH4kLs9h5SlSt
        cZfXodl+TxcEoELI9dke+HmUuJYqVCRN03znfIIUnDVlc5CyZYMlF/bwGAXwcVei
        +1qLyWnJOadmoa6miQBGBBgRAgAGBQI3sHROAAoJEGG6YsgUpJgV/LYAnjQ7sSin
        FSdirJmF4F/DCd/8GisYAKCFkOPu67W5Tug8ixlRKFwBIyEdzg==
        =i8Hu
        -----END PGP PUBLIC KEY BLOCK-----
        
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html