Security Incidents mailing list archives

Re: Linux Kernel Exploits / ABFrag

From: h2g.sec.list () zipmail com br
Date: Mon, 21 Oct 2002 21:20:33 -0200

Curt,
to unwrap burneye binaries you need know the binary password... to unwrap
you can use UNFburninhell made by [ByteRage] (thanks to him).
ABfrag is FAKE, so, you don't need audit that binary.
Regards...
Nilton Gomes


-- Mensagem original --

In-Reply-To: <20021018184346.B44C5425C () sitemail everyone net>

I smell Burneye !! ..... what do you guys think ?


If you download the ABfrag file from
http://www.linuxsecurity.com/articles/intrusion_detection_article-
5933.html, and view or run strings on the file, you will see the burneye

signature in the file header:

TEEE burneye - TESO ELF Encryption Engine

I'm wondering if there is any way to determine the burneye options used

by


analyzing the encrypted file? I doubt it, but does anyone have any
experience with this?

Looks like we need to get brute forcing that password (could be nearly

impossible), or perhaps find a good reverse engineer. I recall reading

material by Dave Dittrich about trying to reverse engineer the x2 SSH
exploit that had been protected with burneye. I also came across an
article somewhere, perhaps on the teso website, that talked about the
sorry state of the "white hat" reverse engineers. Personally, I could not

reverse engineer myself out of a wet paper bag.

I'm very curious to learn more about this exploit, and would enjoy seeing

the IDS activity discussed in the first message in this thread. Do we have

enough to make a snort signature? Did you get an image of the systems
memory at the time of the exploit? Perhaps there is a snowballs chance

in


hell that the password used to run the executable could be recovered.


Curt Wilson
Netw3 Security
www.netw3.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




------------------------------------------
Use o melhor sistema de busca da Internet
Radar UOL - http://www.radaruol.com.br




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

Linux Kernel Exploits / ABFrag daniel . roberts (Oct 16)
- Re: Linux Kernel Exploits / ABFrag eax (Oct 17)
- Re: Linux Kernel Exploits / ABFrag dr john halewood (Oct 17)
- <Possible follow-ups>
- Re: Linux Kernel Exploits / ABFrag Christopher Wagner (Oct 17)
- Re: Linux Kernel Exploits / ABFrag Ali Saifullah Khan (Oct 18)
  - Re: Linux Kernel Exploits / ABFrag Benjamin Krueger (Oct 18)
- Re: Linux Kernel Exploits / ABFrag Curt Wilson (Oct 21)
  - Re: Linux Kernel Exploits / ABFrag h2g . sec . list (Oct 21)
  - Re: Linux Kernel Exploits / ABFrag Erik Sperling Johansen (Oct 21)