Re: Linux Kernel Exploits / ABFrag

From: h2g.sec.listat_private
Date: Mon Oct 21 2002 - 16:20:33 PDT


    Curt,
    to unwrap burneye binaries you need to know the binary password... to unwrap
    you can use UNFburninhell made by [ByteRage] (thanks to him).
    ABfrag is FAKE, so you don't need to audit that binary.
    Regards...
    Nilton Gomes
    
    
    -- Original message --
    
    >In-Reply-To: <20021018184346.B44C5425Cat_private>
    >
    >
    >>I smell Burneye !! ..... what do you guys think ?
    >
    >If you download the ABfrag file from
    >http://www.linuxsecurity.com/articles/intrusion_detection_article-5933.html,
    >and view or run strings on the file, you will see the burneye
    >signature in the file header:
    >
    >TEEE burneye - TESO ELF Encryption Engine
    >
    >I'm wondering if there is any way to determine the burneye options used by
    >analyzing the encrypted file? I doubt it, but does anyone have any
    >experience with this?
    >
    >Looks like we need to get brute forcing that password (could be nearly
    >impossible), or perhaps find a good reverse engineer. I recall reading
    >material by Dave Dittrich about trying to reverse engineer the x2 SSH
    >exploit that had been protected with burneye. I also came across an
    >article somewhere, perhaps on the teso website, that talked about the
    >sorry state of the "white hat" reverse engineers. Personally, I could not
    >reverse engineer myself out of a wet paper bag.
    >
    >I'm very curious to learn more about this exploit, and would enjoy seeing
    >the IDS activity discussed in the first message in this thread. Do we have
    >enough to make a snort signature? Did you get an image of the system's
    >memory at the time of the exploit? Perhaps there is a snowball's chance in
    >hell that the password used to run the executable could be recovered.
    >
    >
    >Curt Wilson
    >Netw3 Security
    >www.netw3.com
    >
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    
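The check Curt describes in the quoted message (run strings over the downloaded file and look for the TEEE marker in the header) as a small scanner, written here as an added example; it is not code from the thread, from TESO or from any of the posters. The marker text is taken verbatim from the post; the two sample blobs are constructed in the script and are not real binaries, and the ELF check only looks at the four magic bytes.

```python
import re
import sys

# Marker string Curt reports seeing in the strings(1) output of the ABfrag
# binary; copied from the post above.
BURNEYE_MARKER = b"TEEE burneye - TESO ELF Encryption Engine"
ELF_MAGIC = b"\x7fELF"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return the printable-ASCII runs of at least min_len bytes, the way
    strings(1) does by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group() for m in re.finditer(pattern, data)]


def is_elf(data: bytes) -> bool:
    """True if the blob starts with the ELF magic number."""
    return data[:len(ELF_MAGIC)] == ELF_MAGIC


def scan_for_burneye(data: bytes) -> dict:
    """Report whether data looks like an ELF file and whether it carries the
    burneye marker; marker_offset is -1 when the marker is absent."""
    hits = [s for s in extract_strings(data) if BURNEYE_MARKER in s]
    return {
        "is_elf": is_elf(data),
        "burneye_marker": bool(hits),
        "marker_offset": data.find(BURNEYE_MARKER),
    }


def scan_file(path: str) -> dict:
    """Scan a file on disk; reads it fully, so keep it to binaries."""
    with open(path, "rb") as fh:
        return scan_for_burneye(fh.read())


# Constructed samples (not real binaries): a fake ELF header padded out,
# followed by the marker, and a second blob with no marker at all.
SAMPLE_WRAPPED = ELF_MAGIC + b"\x00" * 60 + BURNEYE_MARKER + b"\x00" + b"\x90" * 16
SAMPLE_PLAIN = ELF_MAGIC + b"\x00" * 60 + b"hello world\x00"


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, scan_file(path))
    else:
        print("wrapped:", scan_for_burneye(SAMPLE_WRAPPED))
        print("plain:  ", scan_for_burneye(SAMPLE_PLAIN))
```

Run it with one or more file paths to scan real samples, or with no arguments to see it flag the constructed blob. The marker is plain text in the loader stub, which is why strings shows it no matter what password was used; finding it tells you the file was wrapped, nothing more. It does not recover the password or the burneye options Curt asks about, and a missing marker does not prove a file is unwrapped, since the string could simply have been patched out.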



    This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 17:45:40 PDT