bugtraq_at_780inc.com
Date: Tue Feb 04 2003 - 10:41:03 CST

    So, really you didn't find a way to bypass every firewall; you found a way to upload/download files on a remote system. I have seen something like this before.

    alt

    Date: Tue, 4 Feb 2003 01:58:44 -0300
    From: ^Shadown^ <shadown@bariloche.com.ar>
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] re: Global HIGH Security Risk

    Dear Folks,

    I've set up a server behind a fw (ipchains) without gcc, with a vulnerable daemon; the fw was set up just to allow the server to go out through the bound daemon port only.

    What I did first was just to code an exploit for the vulnerable daemon and add a simple command sequence to write down to the server a uuencoded file using the vi editor, then uudecode it and un-tar.gz it, and that way I could upload binary files (which could be tools, sniffers, local exploits, etc.). That way I could upload binaries to execute on the remote server. But I wanted to download files too (text and binaries), so I coded a sniffer which listens for a specific ID sequence to start/stop dumping to a file, and coded a tool to send the ID sequence and the file to the sniffer. All this worked right.

    Then I removed all the programs that could be used as a text editor (joe, vim, cat, ed, etc.), uudecode/uuencode, and compressing file tools. And I began to develop a technique which may be applied in any exploit code. It could be done many ways. Every coder is gonna do it their own way, but I did it mine.

    I've coded an exploit with few options: -f file_to_upload, -s spawn_shell. The exploit sends different encrypted shellcodes depending on the options. One shellcode sends and writes down to /tmp the file which firstly was fragmented by the exploit to be inserted into the multi-shellcode sequence (-f). The other is a standard shellcode.

    As simple as this, so you can upload and download any file type and execute it on the remote server.
    I think this explains the idea.
    I wish to post the PoC, but don't wanna get in trouble.
    Cheers,
            ^Shadown^

            my pgp key:

            -----BEGIN PGP PUBLIC KEY BLOCK-----
            Version: PGPfreeware 5.0i for non-commercial use

            mQGiBDewdE4RBADwVP96nauXxbvLNENeZYrvDVF+L59UygAFN5GyUOlMWKLOCJYX
            ETlwkSHdhJ4yK+QXHdT7fVIxFSbUbPA2W1qRg070XGFXZUyd8KzIHRpYXxTfQ4Z9
            T8Gy3Ah/Q3ug7ka1mSv+u0s2TLc/zzpn2avlqHDMe9LnNhb/dQuOyxhqHwCg/1PR
            wkqWQ6VhvOVr/2WLRHAtQk0D/i0FyzXs4kXudugwi3Wa19yXR3NeJrNTRBYH4Ewe
            1G8OCLSKA2i03h0coU9pnvrqSdmXaH3YveZcFyq8BLLPZR0t8CZOLoim2wn8HuSC
            rfRR+dLdyGic6Yzkz9xlXIpY8lkW0DFfv2dwgRmU3Uw7vFWYc+cKhhNRQXvIOPBE
            b+2LA/0bY6axVCqrgBcIxBdsShQQTCb46koc5/h7p4WuOZJsouhfa/TH2Ao2v5Kg
            zYipelHJt3NG2cX+tVWrlCLI++GMrTDdhfpQnzphXmrY8TdDZdLJnoIo4dZNL4XP
            nxC5J7s6d+gpiT3JU8Z/v7jXxDLAY9OHm58sfLNjA72uJR49NLQkXlNoYWRvd25e
            IDxTaGFkb3duQGJhcmlsb2NoZS5jb20uYXI+iQBOBBARAgAOBQI3sHROBAsDAgEC
            GQEACgkQYbpiyBSkmBV5uACg5vp2HtkVBLb/DZ1vfNor4zkydPYAnAp3713OS/yQ
            uVKqOQEt+KR0uwUKuQINBDewdE4QCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFu
            uUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89
            PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa
            8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
            jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
            ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/9ZMU/n
            2QMvtMWRp+o3N8hJXRMzfBWK/Uuq3+ena8VGrHXyoA/9QTNbTCaJTaEUSqtjRBYn
            SOJlb9cfvlV5uwNFJYLv4ZHDXGv0TwNZbMjYCL4dWZOY/yaKFg0Ut48iOcyL0bPj
            Grn8BrA0odpQXqAhJb7kNlR9iAcQiHzjvbTrF2XwXPknvyhXU5fwl+5LUbaZqNhE
            FAA1sFktniOXgYshPqIGtZfQXdHdKl2Zd/K2cnuIAffFKDiHtlfvH4kLs9h5SlSt
            cZfXodl+TxcEoELI9dke+HmUuJYqVCRN03znfIIUnDVlc5CyZYMlF/bwGAXwcVei
            +1qLyWnJOadmoa6miQBGBBgRAgAGBQI3sHROAAoJEGG6YsgUpJgV/LYAnjQ7sSin
            FSdirJmF4F/DCd/8GisYAKCFkOPu67W5Tug8ixlRKFwBIyEdzg==
            =i8Hu
            -----END PGP PUBLIC KEY BLOCK-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html