Re: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ...

[GuidoZ <uberguidoz () gmail com>]

Yes Todd, I believe you are. The JPEG exploit found in the wild was a
simple connect back which downloaded trojan/irc-bot files (including a
dropper, netcat for Windows, and a batch file to run it all) as
mentioned on Easynews. Compiling the available script and adding in
your own code is all it takes. As close to Plug-n-Play as you can get
with a new exploit if you ask me.

--
Peace. ~G


On Mon, 27 Sep 2004 16:33:04 -0500, Todd Towles
<toddtowles () brookshires com> wrote:
> Isn't there a tool that will create the jpeg for it..and you can input
> the URL you want the JPEG to download.
>
> The JPEG will grab dropper script or whatever you want it too. No need
> to revisit. Am I correct in thinking this?
>
>
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of
> Castigliola, Angelo
> Sent: Monday, September 27, 2004 3:30 PM
> To: morning_wood; full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
> Bind shell ...
>
> Eh, It would not be that hard to write up something that could revisit
> all of the computers that hit the web server to infect them with
> something after the initial jpg exploit was ran. It would truly be a one
> of a kind worm. Reason enough in itself to motivate someone to write it.
>
> As far as Media hype. I'm all for it. It keeps the IT job market strong.
>
> Angelo Castigliola III
> Operations Technical Analyst I
> UnumProvident IT Services
> 207.575.3820
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of
> morning_wood
> Sent: Saturday, September 25, 2004 2:06 PM
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
> Bind shell ...
>
> umm, no
> all this has thats different is correct headers for bind or remote shell
> option. and ability to set ports and return ip in the code, instead of
> needing to use your own shellcode ( or metasploits ) note: there is no
> new exploit code or vector
>
> ------------------- / snip /----------------- new.
> char header1[] =
> "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
> "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
> "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
> "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
> "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
> "\x2E\x3E\x35\x35\x35\x35\x35\x3E";
> ------------------- / snip /----------------- old.
> ------------------- / snip /----------------- char header1[]=
> "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
> "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
> "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
> "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
> "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
> "\x2E\x3E\x35\x35\x35\x35\x35\x3E";
> ------------------- / snip /-----------------
>
> take your media hype and die kthnx,
> m.wood
>
> > the last step before the worm
> >
> > http://www.k-otik.com/exploits/09252004.JpegOfDeath.c.php

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html