August 16th, 2003, 05:10 AM
raw connection upload?
Hey guys...i've been playin around with my couple computers on my lil mini network and have been also readin 'bout that w32/blaster worm goin around. What it does if u dont already know connect to a open 445 port or 139 i belive? and uploads its blaster.exe and does its registry work and so on but thats not the point, i can raw connect to my computer that i've set up without a firewall or any security...but how does that worm upload? I connect through the terminal and obviously cant type or do anything, how do i send a packet or program or whatever. I have a packet assembly and can make a packet but i mean how do u upload it? And if you think "Oh this kid just wants to hack someones computer and upload the virus or trojan to someones computer" then dont bother helping me...thats not the point here...i'm just curious as to how that works considering when u connect the terminal is pretty much frozen. Attatched is a screenshots (haha i love takin those) of the terminal with the IP so u know i'm not tryin to do something to another computer and its mine (hence the 192. IP). An explanation would be gratefull if ur willing to explain how this all works.
August 16th, 2003, 05:23 AM
2nd screenshot of frozen terminal
August 16th, 2003, 06:12 AM
The exploit begins with a buffer over run. Data is fed into the service’s buffer to the point of causing it to overflow into the next buffer then code is injected into it that opens a shell, much like a cmd prompt. Using this shell, which listens on port 4444 commands are passed to the tftp client on your machine, instructing it to connect to a given tftp server. Tftp is passive in that all instruction for the client come from the server. The server instructs the client to download the file it gives it and run it. That’s how all that stuff gets on a computer, the victim’s computer downloads it the attacker doesn’t upload it
The thing is commands aren’t given to the service listening on that port, that service is crashed by the initial over run. The instructions to open the shell are passed to a point ‘past’ the service as it were. There for attempting to communicate to the listening service on 135, 445 or whatever you’re trying to do with putty is pointless.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”