Full Disclosure mailing list archives
Re: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ...
From: GuidoZ <uberguidoz () gmail com>
Date: Tue, 28 Sep 2004 18:34:53 -0700
Yes Todd, I believe you are. The JPEG exploit found in the wild was a simple connect back which downloaded trojan/irc-bot files (including a dropper, netcat for Windows, and a batch file to run it all) as mentioned on Easynews. Compiling the available script and adding in your own code is all it takes. As close to Plug-n-Play as you can get with a new exploit if you ask me. -- Peace. ~G On Mon, 27 Sep 2004 16:33:04 -0500, Todd Towles <toddtowles () brookshires com> wrote:
Isn't there a tool that will create the jpeg for it..and you can input the URL you want the JPEG to download. The JPEG will grab dropper script or whatever you want it too. No need to revisit. Am I correct in thinking this? -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Castigliola, Angelo Sent: Monday, September 27, 2004 3:30 PM To: morning_wood; full-disclosure () lists netsys com Subject: RE: [Full-disclosure] MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... Eh, It would not be that hard to write up something that could revisit all of the computers that hit the web server to infect them with something after the initial jpg exploit was ran. It would truly be a one of a kind worm. Reason enough in itself to motivate someone to write it. As far as Media hype. I'm all for it. It keeps the IT job market strong. Angelo Castigliola III Operations Technical Analyst I UnumProvident IT Services 207.575.3820 -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of morning_wood Sent: Saturday, September 25, 2004 2:06 PM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... umm, no all this has thats different is correct headers for bind or remote shell option. and ability to set ports and return ip in the code, instead of needing to use your own shellcode ( or metasploits ) note: there is no new exploit code or vector ------------------- / snip /----------------- new. char header1[] = "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64" "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00" "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65" "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19" "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26" "\x2E\x3E\x35\x35\x35\x35\x35\x3E"; ------------------- / snip /----------------- old. ------------------- / snip /----------------- char header1[]= "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64" "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00" "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65" "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19" "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26" "\x2E\x3E\x35\x35\x35\x35\x35\x3E"; ------------------- / snip /----------------- take your media hype and die kthnx, m.woodthe last step before the worm http://www.k-otik.com/exploits/09252004.JpegOfDeath.c.php
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... ElviS .de (Sep 25)
- Re: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... Ali Campbell (Sep 25)
- RE: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... raza (Sep 25)
- Re: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... Filbert (Sep 25)
- Re: MS04-028 Jpeg EXPLOIT - msn i.t (Sep 26)
- RE: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... raza (Sep 25)
- Re: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... Ali Campbell (Sep 25)
- Re: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... morning_wood (Sep 25)
- <Possible follow-ups>
- RE: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... Castigliola, Angelo (Sep 27)
- RE: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... Todd Towles (Sep 27)
- Re: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... GuidoZ (Sep 28)
- RE: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ... r00t3d (Sep 29)