Full Disclosure mailing list archives

Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!*


From: Lars Olsson <jlo () ludd luth se>
Date: Fri, 19 Sep 2003 09:07:32 +0200 (CEST)

On Fri, 19 Sep 2003, Vitaly Osipov wrote:

> This means that the original poster (gordon last) made it up himself, because he is saying:
>
> > i looked at this piece of exploit... it is binary so i'm not sure if
> > this is a trojan or a backdoor or a virus. but i can't see anything
> > strange while sniffing the exploit traffic. and i got root on several
> > of my openbsd boxes with that. the bruteforcer seems to be very good.
>
> which is obviously not true. Btw as far as I understand, the trojan code is triggered when
> the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.


The trojan seems to be triggered in both cases, provided that the
"bruteforcing" terminates. I haven't test run the code but I did a very
quick reverse of the binary. It connects to the remote sshd but only
sends the key used for descrambling the trojan code while it pretends
to search for offsets.


/Lars

Attachment: sshtrojan.c
Description: Reversed C source code for the fake sshexploit

