CeR3al
Ethereal 10.x AFP Protocol Dissector Remote Format String Exploit...

Hello everyone, I've got some questions about this code:

url: http://www.frsirt.com/exploits/20050806.xe...al-afp-fm.c.php

1. Has someone tested exactly this code? Is it working?
2. Does Ethereal use a custom port it's running on under *nix machines?
3. I already tested it myself but got this...

***********************************************************
[*] address : 0x08765428
[*] sc address : 0x08765468 (address+64, for method 2)
[*] pops : 0
[*] shell port : 7979
[*] spoofed : yes

[*] destination : 192.168.178.20:548
[*] source : <random>:548
[*] amount : 5

[+] sending(2x packet = .): [!] could not allocate raw socket.
***********************************************************

Maybe someone can help me, or put some information about this one here.

thx
gr33ts

brOmstar
Ethereal doesn't bind to a port; it uses a library to read all packets. The vuln is triggered when a specially crafted packet is analysed.
Mikke8
I didn't test it yet, but I compiled it already.
But in the command list there is the -S function:
-S <port> shellcode listening port.
So why is this function here if you don't need to bind a port??
CeR3al
QUOTE(Mikke8 @ Aug 7 2005, 07:23 AM)
I didn't test it yet, but I compiled it already.
But in the command list there is the -S function:
-S <port> shellcode listening port.
So why is this function here if you don't need to bind a port??

Because this is only the port the connect-back shell listens on if the exploit is successful...
plasmax
* this exploit uses the DSI/afpovertcp(548) TCP port as a means of
* exploiting this. the port does NOT have to be open to exploit
* this as you can send spoofed packets or connect to a different
* port(explained in the next paragraph) to get the job done.
*
* ethereal may rely on the source port, if no dissector is found
* for the destination port, to decide what dissector to use on a
* packet. this means ANY destination port may be used, granted it
* has no destination port dissector. (ie. port 80 won't work, but
* port 1234 will)
CeR3al
QUOTE(CeR3al @ Aug 7 2005, 10:57 AM)
QUOTE(Mikke8 @ Aug 7 2005, 07:23 AM)
I didn't test it yet, but I compiled it already.
But in the command list there is the -S function:
-S <port> shellcode listening port.
So why is this function here if you don't need to bind a port??

Because this is only the port the connect-back shell listens on if the exploit is successful...

This bug sucks, that's all :-) There is nothing good out anymore; the last good remote vuln
was RPC DCOM 2 years ago, where you could hack every 3rd Windows server. Now there is nothing, or it's all private, not even a good kernel exploit *bla*

cheers
brOmstar
A bug or a vuln is never 'good'. I think you are wrong here if you only want exploits for pwning foreign boxes. What you can grab here is knowledge, enough to find your own vulns, write your own exploits or understand new exploit technologies.

PS: believe me, that knowledge is more powerful than any exploit can be