Yes Todd, I believe you are. The JPEG exploit found in the wild was a simple connect-back which downloaded trojan/IRC-bot files (including a dropper, netcat for Windows, and a batch file to run it all) as mentioned on Easynews. Compiling the available script and adding in your own code is all it takes. As close to plug-n-play as you can get with a new exploit if you ask me.
-- Peace. ~G

On Mon, 27 Sep 2004 16:33:04 -0500, Todd Towles <[EMAIL PROTECTED]> wrote:
> Isn't there a tool that will create the jpeg for it.. and you can input
> the URL you want the JPEG to download.
>
> The JPEG will grab the dropper script or whatever you want it to. No need
> to revisit. Am I correct in thinking this?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Castigliola, Angelo
> Sent: Monday, September 27, 2004 3:30 PM
> To: morning_wood; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
> Bind shell ...
>
> Eh, it would not be that hard to write up something that could revisit
> all of the computers that hit the web server to infect them with
> something after the initial jpg exploit was run. It would truly be a
> one-of-a-kind worm. Reason enough in itself to motivate someone to write it.
>
> As far as media hype, I'm all for it. It keeps the IT job market strong.
>
> Angelo Castigliola III
> Operations Technical Analyst I
> UnumProvident IT Services
> 207.575.3820
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> morning_wood
> Sent: Saturday, September 25, 2004 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] MS04-028 Jpeg EXPLOIT with Reverse and
> Bind shell ...
>
> umm, no
> all this has that's different is correct headers for bind or remote shell
> option, and the ability to set ports and return ip in the code, instead of
> needing to use your own shellcode (or metasploit's)
> note: there is no new exploit code or vector
>
> ------------------- / snip /----------------- new.
> char header1[] =
> "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
> "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
> "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
> "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
> "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
> "\x2E\x3E\x35\x35\x35\x35\x35\x3E";
> ------------------- / snip /----------------- old.
> ------------------- / snip /-----------------
> char header1[]=
> "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
> "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
> "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
> "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
> "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
> "\x2E\x3E\x35\x35\x35\x35\x35\x3E";
> ------------------- / snip /-----------------
>
> take your media hype and die kthnx,
> m.wood
>
> > the last step before the worm
> >
> > http://www.k-otik.com/exploits/09252004.JpegOfDeath.c.php

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
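Added illustration, not part of the thread and not taken from the JpegOfDeath code: the header1[] bytes quoted above end in a COM segment (marker FF FE) whose declared length is 0x0001. JPEG segment lengths include the two length bytes themselves, so anything under 2 is malformed; MS04-028 is the GDI+ bug where that length had 2 subtracted from it without a check, so a value of 0 or 1 underflows to a huge count and the copy that follows overruns the heap. The C below is a detector written for this note: it walks the marker segments of a buffer and reports the offset of the first segment that declares a length under 2, which is the check the vulnerable code lacked. The header1 array is copied from the quoted header; the "clean" sample and the not-a-JPEG sample are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes for find_short_segment() when no short segment is found. */
enum { JPEG_CLEAN = -1, JPEG_NOT_JPEG = -2, JPEG_MALFORMED = -3 };

/* Copied from the header1[] array quoted in the thread (88 bytes). */
static const uint8_t header1[] = {
    0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00,0x01,0x02,0x00,0x00,0x64,
    0x00,0x64,0x00,0x00,0xFF,0xEC,0x00,0x11,0x44,0x75,0x63,0x6B,0x79,0x00,0x01,0x00,
    0x04,0x00,0x00,0x00,0x0A,0x00,0x00,0xFF,0xEE,0x00,0x0E,0x41,0x64,0x6F,0x62,0x65,
    0x00,0x64,0xC0,0x00,0x00,0x00,0x01,0xFF,0xFE,0x00,0x01,0x00,0x14,0x10,0x10,0x19,
    0x12,0x19,0x27,0x17,0x17,0x27,0x32,0xEB,0x0F,0x26,0x32,0xDC,0xB1,0xE7,0x70,0x26,
    0x2E,0x3E,0x35,0x35,0x35,0x35,0x35,0x3E
};

/* Constructed benign sample: SOI, empty APP0 (length 2), a COM carrying "hi!"
   (length 5), EOI. Every length here is >= 2, as the format requires. */
static const uint8_t clean_jpeg[] = {
    0xFF,0xD8, 0xFF,0xE0,0x00,0x02, 0xFF,0xFE,0x00,0x05,'h','i','!', 0xFF,0xD9
};

/* The unchecked "length - 2" arithmetic on a 32-bit unsigned value: for a
   declared length of 1 this yields 0xFFFFFFFF, the underflow behind MS04-028. */
uint32_t naive_body_len(uint16_t declared_len)
{
    return (uint32_t)declared_len - 2u;
}

/* Walk the marker segments that precede SOS. Returns the offset of the first
   segment whose 16-bit length field is < 2 (its marker byte goes to *marker_out
   if non-NULL), JPEG_CLEAN if EOI or SOS is reached first, or an error code. */
int find_short_segment(const uint8_t *buf, size_t len, uint8_t *marker_out)
{
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_NOT_JPEG;                       /* no SOI marker */
    size_t i = 2;
    while (i + 2 <= len) {
        if (buf[i] != 0xFF)
            return JPEG_MALFORMED;                  /* a marker must start here */
        uint8_t m = buf[i + 1];
        if (m == 0xFF) { i++; continue; }           /* fill byte before a marker */
        if (m == 0xD9 || m == 0xDA)
            return JPEG_CLEAN;                      /* EOI, or SOS: entropy data follows */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) {
            i += 2; continue;                       /* TEM / RSTn carry no length */
        }
        if (i + 4 > len)
            return JPEG_MALFORMED;                  /* length field truncated */
        unsigned seglen = ((unsigned)buf[i + 2] << 8) | buf[i + 3];
        if (seglen < 2) {                           /* the check GDI+ was missing */
            if (marker_out) *marker_out = m;
            return (int)i;
        }
        i += 2 + seglen;                            /* skip marker + segment */
    }
    return JPEG_MALFORMED;                          /* ran off the end before EOI/SOS */
}

int main(void)
{
    uint8_t m = 0;
    int off = find_short_segment(header1, sizeof header1, &m);
    if (off >= 0) {
        uint16_t declared = (uint16_t)(((unsigned)header1[off + 2] << 8) | header1[off + 3]);
        printf("segment FF%02X at offset %d declares length %u; naive len-2 = 0x%08X\n",
               m, off, (unsigned)declared, naive_body_len(declared));
    }
    printf("clean sample: %d (JPEG_CLEAN is %d)\n",
           find_short_segment(clean_jpeg, sizeof clean_jpeg, NULL), JPEG_CLEAN);
    return 0;
}
```

On the quoted header the walker passes the APP0 (length 16), APP12 "Ducky" (length 17) and APP14 "Adobe" (length 14) segments and stops at offset 55, the FF FE COM marker with length 1; a parser that validates lengths this way rejects the file before any subtraction happens, which is the only correct place for the check.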
