Full Disclosure mailing list archives

Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!*


From: christopher neitzert <chris () neitzert com>
Date: Fri, 19 Sep 2003 01:27:12 -0400

Lars,

What you say is true.

For those of you who are interested, attached is an strace of this bogus
exploit that I ran in my lab on disposable systems in a captive network.

Note: in the parent PID file I edited out quite a bit of repetitive
bogus wait statements; no sense in filling your mailboxes with 400k
lines of crap.

...

Chris

On Fri, 2003-09-19 at 03:07, Lars Olsson wrote:
> On Fri, 19 Sep 2003, Vitaly Osipov wrote:
>
> > This means that the original poster (gordon last) made it up himself, because he is saying:
> >
> > > i looked at this piece of exploit... it is binary so I'm not sure if
> > > this is a trojan or a backdoor or a virus. but I can't see anything
> > > strange while sniffing the exploit traffic. and I got root on several
> > > of my openbsd boxes with that. the bruteforcer seems to be very good.
> >
> > which is obviously not true. Btw as far as I understand, the trojan code is triggered when
> > the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.
>
> The trojan seems to be triggered in both cases, providing that the
> "bruteforcing" terminates. I haven't test-run the code but I did a very
> quick reverse of the binary. It connects to the remote sshd but only
> sends the key used for descrambling the trojan code while it pretends
> to search for offsets.
>
> /Lars
-- 
Christopher Neitzert http://www.neitzert.com/~chris

Attachments:
  fake-exploit-strace.pid1061.EDITED.txt
  fake-exploit-strace.pid1062.txt
  fake-exploit-strace.pid1063.txt
  fake-exploit-strace.pid1064.txt
  fake-exploit-strace.pid1065.txt
  fake-exploit-strace.pid1066.txt
  fake-exploit-strace.pid1067.txt
  fake-exploit-strace.pid1068.txt
  signature.asc (digitally signed message part)
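As an added example (not from the list post or its attachments), a small triage script that reduces an strace log like the ones attached above to the two things Lars' reverse points at: where the binary connects and what it actually writes to that socket, while counting the wait4() filler Chris edited out. The strace lines, the peer address and the written bytes are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed strace excerpt (not the attachment from the list post): one
# connect() to port 22, a single short write on that socket, wait4() noise.
SAMPLE_STRACE = r'''
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
read(3, "SSH-1.99-OpenSSH_3.6.1p2\r\n", 256) = 26
write(3, "\x4b\x45\x59\x3a\101\102\103\104", 8) = 8
wait4(1062, NULL, 0, NULL) = 1062
wait4(1063, NULL, 0, NULL) = 1063
'''

CONNECT_RE = re.compile(r'^connect\((\d+), \{.*?sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("([\d.]+)"\)')
SEND_RE = re.compile(r'^(?:write|send|sendto)\((\d+), "((?:\\.|[^"\\])*)"')
WAIT_RE = re.compile(r'^wait4\(')
SIMPLE_ESCAPES = {'n': 10, 'r': 13, 't': 9, '\\': 92, '"': 34}


def unescape(lit: str) -> bytes:
    """Decode an strace string literal: \\xHH, octal \\NNN and \\n \\r \\t \\\\ \\" escapes."""
    out, i = bytearray(), 0
    while i < len(lit):
        if lit[i] != '\\':
            out.append(ord(lit[i]))
            i += 1
        elif lit[i + 1] == 'x':
            out.append(int(lit[i + 2:i + 4], 16))
            i += 4
        elif lit[i + 1] in '01234567':
            digits = re.match(r'[0-7]{1,3}', lit[i + 1:]).group()
            out.append(int(digits, 8))
            i += 1 + len(digits)
        else:
            out.append(SIMPLE_ESCAPES[lit[i + 1]])
            i += 2
    return bytes(out)


def summarize(trace: str) -> dict:
    """Map each connected peer to the raw bytes the process wrote to it; count wait4() calls."""
    peers, sent, waits = {}, defaultdict(bytearray), 0
    for line in trace.strip().splitlines():
        if m := CONNECT_RE.match(line):
            peers[int(m.group(1))] = (m.group(3), int(m.group(2)))
        elif (m := SEND_RE.match(line)) and int(m.group(1)) in peers:
            sent[int(m.group(1))] += unescape(m.group(2))
        elif WAIT_RE.match(line):
            waits += 1
    return {"connections": {peers[fd]: bytes(sent[fd]) for fd in peers},
            "wait4_calls": waits}
```

Run on a real trace, the "connections" map shows whether the only outbound data is a short constant rather than anything resembling an SSH key exchange.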
