Dear Folks,

        Thanks for your answers helping me on how to post this information without 
getting in trouble.
        And to the ones that treat me as if I were stupid, all I have to say is that 
it was just simple. I don't know why it's not been documented, I've googled hard but 
couldn't find anything about it.
        I've set up a server behind a fw (ipchains) without gcc, with a vulnerable 
daemon; the fw was set up just to let the server through on the bound daemon port 
only.
        What I did first was just to code an exploit for the vulnerable daemon and 
add a simple command sequence to write a uuencoded file down to the server using the vi 
editor, then uudecode it and un-tar.gz it, and that way I could upload binary files (which 
could be tools, sniffers, local exploits, etc). That way I could upload binaries to 
execute on the remote server. But I wanted to download files too (text and 
binaries), so I coded a sniffer which listens for a specific ID-sequence to 
start/stop dumping to a file, and coded a tool to send the ID-sequence and the file to 
the sniffer. All this worked right.
        Then I removed all the programs that could be used as a text editor (joe, 
vim, cat, ed, etc), uudecode/uuencode, and the file compression tools.
        And I began to develop a technique which may be applied in any exploit code.
        It could be done many ways. Every coder is gonna do it their own way, but I did 
it mine.
        I've coded an exploit with few options -f file_to_upload -s spawn_shell.
        The exploit sends different encrypted shellcodes depending on the options.
        One shellcode sends and writes down to /tmp the file, which was first 
fragmented by the exploit to be inserted into the multi-shellcode sequence (-f).
        The other is a standard shellcode.
        As simple as this, so you can upload and download any file type and execute it 
on the remote server.
        I think this explains the idea.
        I wish to post the PoC, but don't wanna get in trouble.
        Cheers,
                ^Shadown^
                
        my pgp key:

        -----BEGIN PGP PUBLIC KEY BLOCK-----
        Version: PGPfreeware 5.0i for non-commercial use

        mQGiBDewdE4RBADwVP96nauXxbvLNENeZYrvDVF+L59UygAFN5GyUOlMWKLOCJYX
        ETlwkSHdhJ4yK+QXHdT7fVIxFSbUbPA2W1qRg070XGFXZUyd8KzIHRpYXxTfQ4Z9
        T8Gy3Ah/Q3ug7ka1mSv+u0s2TLc/zzpn2avlqHDMe9LnNhb/dQuOyxhqHwCg/1PR
        wkqWQ6VhvOVr/2WLRHAtQk0D/i0FyzXs4kXudugwi3Wa19yXR3NeJrNTRBYH4Ewe
        1G8OCLSKA2i03h0coU9pnvrqSdmXaH3YveZcFyq8BLLPZR0t8CZOLoim2wn8HuSC
        rfRR+dLdyGic6Yzkz9xlXIpY8lkW0DFfv2dwgRmU3Uw7vFWYc+cKhhNRQXvIOPBE
        b+2LA/0bY6axVCqrgBcIxBdsShQQTCb46koc5/h7p4WuOZJsouhfa/TH2Ao2v5Kg
        zYipelHJt3NG2cX+tVWrlCLI++GMrTDdhfpQnzphXmrY8TdDZdLJnoIo4dZNL4XP
        nxC5J7s6d+gpiT3JU8Z/v7jXxDLAY9OHm58sfLNjA72uJR49NLQkXlNoYWRvd25e
        IDxTaGFkb3duQGJhcmlsb2NoZS5jb20uYXI+iQBOBBARAgAOBQI3sHROBAsDAgEC
        GQEACgkQYbpiyBSkmBV5uACg5vp2HtkVBLb/DZ1vfNor4zkydPYAnAp3713OS/yQ
        uVKqOQEt+KR0uwUKuQINBDewdE4QCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFu
        uUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89
        PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa
        8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
        jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
        ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/9ZMU/n
        2QMvtMWRp+o3N8hJXRMzfBWK/Uuq3+ena8VGrHXyoA/9QTNbTCaJTaEUSqtjRBYn
        SOJlb9cfvlV5uwNFJYLv4ZHDXGv0TwNZbMjYCL4dWZOY/yaKFg0Ut48iOcyL0bPj
        Grn8BrA0odpQXqAhJb7kNlR9iAcQiHzjvbTrF2XwXPknvyhXU5fwl+5LUbaZqNhE
        FAA1sFktniOXgYshPqIGtZfQXdHdKl2Zd/K2cnuIAffFKDiHtlfvH4kLs9h5SlSt
        cZfXodl+TxcEoELI9dke+HmUuJYqVCRN03znfIIUnDVlc5CyZYMlF/bwGAXwcVei
        +1qLyWnJOadmoa6miQBGBBgRAgAGBQI3sHROAAoJEGG6YsgUpJgV/LYAnjQ7sSin
        FSdirJmF4F/DCd/8GisYAKCFkOPu67W5Tug8ixlRKFwBIyEdzg==
        =i8Hu
        -----END PGP PUBLIC KEY BLOCK-----
        
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html