Full Disclosure mailing list archives
Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!*
From: Lars Olsson <jlo () ludd luth se>
Date: Fri, 19 Sep 2003 09:07:32 +0200 (CEST)
On Fri, 19 Sep 2003, Vitaly Osipov wrote:
This means that the original poster (gordon last) made it up himself, because he is saying :i looked at this piece of exploit... it is binary so i'am not sure if this is a trojan or a backdoor or a virus. but i can't see anything strange while sniffing the exploit traffic. and i got root on serveral of my openbsd boxes with that. the bruteforcer seems to be very good.which is obviously not true. Btw as far as I understand, the troyan code is triggered when the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.
The trojan seems to be triggered in both cases, providing that the "bruteforcing" terminates. I haven't test run the code but I did a very quick reverse of the binary. It connects to the remote sshd but only sends the key used for descrmbling the trojan code while it pretends to search for offsets. /Lars
Attachment:
sshtrojan.c
Description: Reversed C source code for the fake sshexploit
Current thread:
- Re: new openssh exploit in the wild! * is FAKE AS SH@!* Vitaly Osipov (Sep 18)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Lars Olsson (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* christopher neitzert (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Raymond Dijkxhoorn (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Adam Balogh (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* V.O. (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* Adam Balogh (Sep 19)
- RE: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Chris Eagle (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* V.O. (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Lars Olsson (Sep 19)