Full Disclosure mailing list archives
Re: (no subject)
From: ATD <simon () snosoft com>
Date: 05 Feb 2003 15:08:27 -0500
Hrm, when I read this I see the key phrase "for the vulnerable daemon". If a firewall is forwarding traffic from the internet to an internal system, to a vulnerable daemon on that system, then file transfers are the least of your worries.

On Tue, 2003-02-04 at 11:41, bugtraq () 780inc com wrote:
So, really you didn't find a way to bypass every firewall; you found a way to upload/download files on a remote system. I have seen something like this before.

Date: Tue, 4 Feb 2003 01:58:44 -0300
From: ^Shadown^ <shadown () bariloche com ar>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] re: Global HIGH Security Risk

Dear Folks,

I've set up a server behind a fw (ipchains) without gcc, with a vulnerable daemon; the fw was set up just to allow the server to go through by the bound daemon port only.

What I did first was just to code an exploit for the vulnerable daemon and add a simple command sequence to write a uuencoded file down to the server using the vi editor, then uudecode it and un-tar.gz it, and that way I could upload binary files (which could be tools, sniffers, local exploits, etc.). That way I could upload binaries to execute on the remote server.

But I wanted to download files too (text and binaries), so I coded a sniffer which listens for a specific ID sequence to start/stop dumping to a file, and coded a tool to send the ID sequence and the file to the sniffer. All this worked right.

Then I removed all the programs that could be used as a text editor (joe, vim, cat, ed, etc.), uudecode/uuencode, and file compression tools. And I began to develop a technique which may be applied in any exploit code. It could be done many ways. Every coder is gonna do it their own way, but I did it mine.

I've coded an exploit with a few options: -f file_to_upload, -s spawn_shell. The exploit sends different encrypted shellcodes depending on the options. One shellcode sends and writes down to /tmp the file which was first fragmented by the exploit to be inserted into the multi-shellcode sequence (-f). The other is a standard shellcode.

As simple as this, so you can upload and download any file type, and execute it on the remote server. I think this explains the idea. I wish to post the PoC, but don't wanna get in trouble.
Cheers,
^Shadown^

my pgp key:
--
ATD <simon () snosoft com>
Secure Network Operations, Inc.