
From: ATD (simon_at_snosoft.com)
Date: Wed Feb 05 2003 - 14:08:27 CST

    Hrm,
    When I read this I see the key phrase "for the vulnerable daemon". If a
    firewall is forwarding traffic from the internet to an internal system,
    to a vulnerable daemon on that system, then file transfers are the least
    of your worries.

    On Tue, 2003-02-04 at 11:41, bugtraq780inc.com wrote:
    > So, really you didn't find a way to bypass every firewall; you found a way to
    > upload/download files on a remote system. I have seen something like this
    > before.
    >
    > alt
    >
    > Date: Tue, 4 Feb 2003 01:58:44 -0300
    > From: ^Shadown^ <shadown@bariloche.com.ar>
    > To: full-disclosure@lists.netsys.com
    > Subject: [Full-Disclosure] re: Global HIGH Security Risk
    >
    > Dear Folks,
    >
    > I've set up a server behind a fw (ipchains) without gcc, with a
    > vulnerable daemon; the fw was set up just to allow the server to go
    > out through the bound daemon port only.
    > What I did first was just to code an exploit for the vulnerable
    > daemon and add a simple command sequence to write a uuencoded file
    > down to the server using the vi editor, then uudecode it and
    > un-tar.gz it, and that way I could upload binary files (which could
    > be tools, sniffers, local exploits, etc.). That way I could upload a
    > binary to execute on the remote server. But I wanted to download
    > files too (text and binaries), so I coded a sniffer which listens
    > for a specific ID-sequence to start/stop dumping to a file, and coded
    > a tool to send the ID-sequence and the file to the sniffer. All this
    > worked right.
    > Then I removed all the programs that could be used as a text editor
    > (joe, vim, cat, ed, etc.), uudecode/uuencode, and file compression
    > tools.
    > And I began to develop a technique which may be applied in any
    > exploit code.
    > It could be done many ways. Every coder is gonna do it their own
    > way, but I did it mine.
    > I've coded an exploit with a few options: -f file_to_upload, -s
    > spawn_shell.
    > The exploit sends different encrypted shellcodes depending on the
    > options.
    > One shellcode sends and writes down to /tmp the file which was first
    > fragmented by the exploit to be inserted into the multi-shellcode
    > sequence (-f).
    > The other is a standard shellcode.
    > As simple as this, so you can upload and download any file type,
    > and execute it on the remote server.
    > I think this explains the idea.
    > I wish to post the PoC, but don't wanna get in trouble.
    > Cheers,
    > ^Shadown^
    >
    > my pgp key:
    >
    > -----BEGIN PGP PUBLIC KEY BLOCK-----
    > Version: PGPfreeware 5.0i for non-commercial use
    >
    > mQGiBDewdE4RBADwVP96nauXxbvLNENeZYrvDVF+L59UygAFN5GyUOlMWKLOCJYX
    > ETlwkSHdhJ4yK+QXHdT7fVIxFSbUbPA2W1qRg070XGFXZUyd8KzIHRpYXxTfQ4Z9
    > T8Gy3Ah/Q3ug7ka1mSv+u0s2TLc/zzpn2avlqHDMe9LnNhb/dQuOyxhqHwCg/1PR
    > wkqWQ6VhvOVr/2WLRHAtQk0D/i0FyzXs4kXudugwi3Wa19yXR3NeJrNTRBYH4Ewe
    > 1G8OCLSKA2i03h0coU9pnvrqSdmXaH3YveZcFyq8BLLPZR0t8CZOLoim2wn8HuSC
    > rfRR+dLdyGic6Yzkz9xlXIpY8lkW0DFfv2dwgRmU3Uw7vFWYc+cKhhNRQXvIOPBE
    > b+2LA/0bY6axVCqrgBcIxBdsShQQTCb46koc5/h7p4WuOZJsouhfa/TH2Ao2v5Kg
    > zYipelHJt3NG2cX+tVWrlCLI++GMrTDdhfpQnzphXmrY8TdDZdLJnoIo4dZNL4XP
    > nxC5J7s6d+gpiT3JU8Z/v7jXxDLAY9OHm58sfLNjA72uJR49NLQkXlNoYWRvd25e
    > IDxTaGFkb3duQGJhcmlsb2NoZS5jb20uYXI+iQBOBBARAgAOBQI3sHROBAsDAgEC
    > GQEACgkQYbpiyBSkmBV5uACg5vp2HtkVBLb/DZ1vfNor4zkydPYAnAp3713OS/yQ
    > uVKqOQEt+KR0uwUKuQINBDewdE4QCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFu
    > uUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89
    > PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa
    > 8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
    > jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
    > ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/9ZMU/n
    > 2QMvtMWRp+o3N8hJXRMzfBWK/Uuq3+ena8VGrHXyoA/9QTNbTCaJTaEUSqtjRBYn
    > SOJlb9cfvlV5uwNFJYLv4ZHDXGv0TwNZbMjYCL4dWZOY/yaKFg0Ut48iOcyL0bPj
    > Grn8BrA0odpQXqAhJb7kNlR9iAcQiHzjvbTrF2XwXPknvyhXU5fwl+5LUbaZqNhE
    > FAA1sFktniOXgYshPqIGtZfQXdHdKl2Zd/K2cnuIAffFKDiHtlfvH4kLs9h5SlSt
    > cZfXodl+TxcEoELI9dke+HmUuJYqVCRN03znfIIUnDVlc5CyZYMlF/bwGAXwcVei
    > +1qLyWnJOadmoa6miQBGBBgRAgAGBQI3sHROAAoJEGG6YsgUpJgV/LYAnjQ7sSin
    > FSdirJmF4F/DCd/8GisYAKCFkOPu67W5Tug8ixlRKFwBIyEdzg==
    > =i8Hu
    > -----END PGP PUBLIC KEY BLOCK-----
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    -- 
    ATD <simon@snosoft.com>
    Secure Network Operations, Inc.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQA+QW86f3Elv1PhzXgRAg74AJ9sVJy2XytyhSiivY8Ca7A2S8E0xACgvHB3
    FIqjivubBxnaTxbGKWcuwRM=
    =Og/z
    -----END PGP SIGNATURE-----