aeturnus (Active Members, 65 posts)

Everything posted by aeturnus

  1. Well, it doesn't sound like you understand that either. It's a relative address from where the JMP is taking place. You could use an absolute address to save you from having to do basic arithmetic to get the address. I haven't read the Intel docs in a while, but I'm pretty certain it's fully described (probably on the same page you were reading to get the E9 thing). It would help when asking questions like this to give all of the required pieces. Jump from where, to where? Not just from here with a disassembled label. But then you also might try not being a jerk to the first guy that tries to help you even though he decided early on you had no idea what you were talking about and it was tl;dr. Or not. Good luck.
  2. I haven't done this since thebroken had their video on it and airsnort was the de facto standard. When the replaying whitepaper was released and I coded my version of it, I went the active route and never looked back. Why would you want to wait weeks and do this passively when no one properly monitors their network anyway?
  3. Very old. Very boring. Difficult to understand with your poor English and the typing is so passé. Watch some of the videos at irongeek.com or somewhere and try to do something better than he did. Also, from your title I thought you had actually done some sort of work on this old vulnerability rather than just having run the same script everyone's run since 2003. So maybe an appropriate title would be useful. Thanks.
  4. Could you please translate this into English? I think you're asking for how to transfer files using Telnet. It's my understanding that it depends on the version of Telnet you're using. If it's simply text, just cat the file. If there's a lot of files, it'd probably be easier to just install FTP on the remote system or something.
  5. www.offensivecomputing.net has the largest selection I've ever seen with links to other places.
  6. From this guy's scenario it doesn't sound like he's got a lot of options. The person in power to disable or throttle the rogue user's connection won't act. When the system lets you down, sometimes you have to take matters into your own hands. Did you have a better solution for when there is an absence of a system to remove users like this and you are prevented from modifying the network layout?
  7. Ah, makes sense. Thanks :)
  8. Well, there's a lot wrong here. Without going into too many details or wanting to argue, let's just take your statements and debunk them. Given the code: You simply give him a page with a correct cookie value and it's written to the file. That file is served by httpd. So "And your not going to really be able to modify the files being presented on the HTTPd" is an incorrect statement. Let's look at your first statement about the file permissions. Why do you need the setuid, sticky, setgid, and execute permissions set? It's a security risk. So that statement is wrong as well. Yes, I think I see what you meant to say about the exploitation. But you didn't, and your statements are therefore incorrect like I said. The details about how I would gain entry to such a system are beyond the scope of this argument. If you ask me really nicely I might try to help you out if you set up such a box for me to gain entry to. Really though, if you can't see any problems with the presented vulnerabilities then you should pick up a book on security. Start simple, go with the Hacking Exposed books.
  9. I hope you weren't responding to me since your post is completely incorrect.
  10. Yeah, I don't think I really understand what he's hoping to accomplish with this. I have some ideas about what he's hoping to accomplish, but they're really too silly to suggest.
  11. If you just want access, what's wrong with simply reinstalling?
  12. You set a file facing the Internet to 7777 with that code you provided? That's awesome, can I go ahead and get your IP address? Thanks :)
  13. Besides the tools listed above, using a simple Python script (or any language that supports sockets), you can just create a socket and have it connect to the port on the remote machine.
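The plain-socket approach described in the post above, as an added example that is not part of the original post: a small Python function that tries a TCP connection with a timeout and reports whether the port accepted the connection, refused it, or could not be reached (typically a firewall dropping the packets or an unreachable host). To keep it runnable offline it starts its own loopback listener as a constructed fixture; the host, port and function names are assumptions for this example, and only the standard library is used.

```python
"""Added example (not from the original forum post): check whether a TCP
port accepts connections using nothing but a socket, as the post suggests.
Uses only the Python standard library."""
import socket
import threading


def check_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open' if host:port completes a TCP handshake, 'closed' if the
    connection is actively refused (nothing listening), or 'unreachable' if
    the attempt times out or fails for another network reason (commonly a
    firewall dropping the SYN, or a host that is down)."""
    try:
        # create_connection resolves the name, connects, and raises on failure
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Must be caught before OSError: it is a subclass of it
        return "closed"
    except (socket.timeout, OSError):
        return "unreachable"


def start_local_listener() -> tuple[socket.socket, int]:
    """Constructed fixture: listen on an ephemeral loopback port so the
    example runs offline. Returns the listening socket and its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        # Accept and immediately close clients until the listener is closed
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def unused_local_port() -> int:
    """Constructed fixture: grab an ephemeral port and release it, so a
    connection to it should be refused (nothing is listening there)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def demo() -> dict:
    """Run the check against a listening port and an unused one."""
    srv, listening_port = start_local_listener()
    try:
        return {
            "listening": check_tcp_port("127.0.0.1", listening_port),
            "unused": check_tcp_port("127.0.0.1", unused_local_port()),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

The three-way result matters in practice: "closed" means the host answered with a reset, so it is up and reachable, while "unreachable" usually means a filter is dropping traffic or the host is absent, which is the distinction you want when verifying that a firewall rule or service is actually doing what you think it does.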
  14. For your given scenario, the second hurdle is not a hurdle. Just mount a network share and let the 3rd party firmware write its output there. Further, if he's not afraid of the slow network speeds then hurdle 1 isn't really a hurdle either. I agree though, an old PC would do this job a lot better, but it'd be a fun academic exercise either way. And it might be useful if he's got a lot of malware coming in passively. Like for a honeypot situation that he just can't trust to run on a VM. For the record, he did say modem and not router though. But I doubt your modem has better processing power than your router.
  15. I agree, in your contract you should have outlined what he can touch.
  16. I think this is the fundamental difference between a Computer Scientist in the security field and a sysadmin who wants to play himself off as knowing something. If you want to be able to find new things and then write the tool that other people can download and use, go the Computer Science route. It'll give you a good theoretical background on a lot of topics. This will be helpful when you finally sit down to begin your security research and you're just able to understand how the things work since you've seen it before in a different context. Echoing a lot of what stringwray said: Universities teaching Computer Science are very academic and theoretical. This is a good thing, this is what you want. But you also want to have that drive to learn the practical stuff on your own. At my university, this is what is sort of expected of you as the practical stuff is easy enough for anyone to pick up, so they don't bother teaching it. There are universities with offensive and defensive network and computer security courses as well. And in these classes you'll learn lots of practical attacks against systems, but more importantly you'll learn the theory that makes them work. You want the theory rather than the practical so you can apply the solutions to similar problems later. The university courses I took like this were a lot more educational and practical than any of the vendor courses I've since received (Black Hat training and so forth). In contrast, it's my understanding from speaking with others in the security field and friends with this background, that the sysadmin approach will give you a very practical experience with no theory. Generally these seem to be the kinds of guys that use phrases like "think like an attacker" (which, if you follow the typical security mailing lists, you'll get the absurdity reference). Like anything though, if you work at it hard enough you'll learn it and get good with it.
I'd hire a willing learner over an apathetic, experienced guy any day.
  17. I don't think there's a good tech way to solve this problem. It seems like the problem would solve itself the first time they're busy with something, call you, walk away, and come back to see you hadn't done anything waiting on them. I mean, if they're calling you for help, can't you just tell them to wait for you to get there or to make sure their screen isn't locked when you arrive?
  18. I think that'll work to get you an account on that machine as an Admin. What's curious to me, though, since my scripting is a bit rusty: Why do you need that cls on the 5th line if @echo off has already executed?
  19. Glad you finally agree with me Sparda, that getting in between the rogue user's connection and the gateway is the way to go.
  20. Likely not. If you just have a home router/switch (Linksys, Netgear, SoHo-style whatever) and your Dad or whoever properly configured those devices to deal with DHCP then you should be fine to reset the router. And if it does, what did you lose? He'll just reconfigure it and you'll be out nothing.
  21. Concerned with just your own personal browsing? Just use the Windows one. Windows XP SP3 is pretty well locked down anyway.
  22. What do you need to execute 'cmd' for? If you have physical access to the box, you likely don't need to take the approach that you're attempting to take. Look into LiveCDs like Backtrack.
  23. Just write one in C real fast. SetWindowsHookEx ftw.