x0rz / EQGRP

Decrypted content of eqgrp-auction-file.tar.xz
4.09k stars 2.07k forks

Update README.md #38

Open chuckixia opened 7 years ago

chuckixia commented 7 years ago

I believe that the CVE attribution is incorrect, after spending way too much time trying to attribute this.

Atavic commented 7 years ago

I'm curious about this attribution.

chuckixia commented 7 years ago

So, here is your trail of breadcrumbs: earlyshovel is listed as a 'publicly known exploit': https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/etc/opscript.txt#L9305

I went and set up a Red Hat 7.3 machine and set up sendmail to receive remote connections. Looked at the pcap, compared it to the PoCs available for CVE-2003-0694: not the same. There is no public PoC I can seem to find related to CVE-2003-0681.

The source for earlyshovel mentions something called crackaddrbuflocation: https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/bin/earlyshovel/asprh73.py

crackaddr is not mentioned in either of the PoCs or solutions for those two CVEs, but it is mentioned in Mark Dowd's vuln, as seen here: http://www.securityfocus.com/archive/1/313757 which leads here: http://www.securityfocus.com/bid/6991/info

and finally to these PoCs:

http://www.securityfocus.com/bid/6991/exploit

which, if run, bear a striking resemblance to the sploit in EarlyShovel.

So there you go.
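The attribution method in the comment above is traffic comparison: run the suspect exploit against a listening sendmail, capture the session, and compare it with the public PoCs for the crackaddr() header-parsing overflow (BID 6991). The script below is an added example, not part of this thread or of the EQGRP files: a dependency-free pcap reader that reassembles the client side of an SMTP session and flags address headers carrying the long run of `<>` pairs that characterizes the public crackaddr() PoCs. The capture it analyses is constructed inline (it is not EarlyShovel traffic), the 64-pair threshold is an assumed heuristic, and the parser deliberately skips checksums, IP fragmentation, header folding and pcapng, which a real triage tool would have to handle.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian libpcap magic
LINKTYPE_ETHERNET = 1
SMTP_PORT = 25
# Headers that sendmail runs through crackaddr(); the classic trigger is a long "<>" run in one of them.
ADDRESS_HEADERS = {b"from", b"to", b"cc", b"bcc", b"sender", b"reply-to"}
ANGLE_PAIR_THRESHOLD = 64        # assumed heuristic: real addresses never carry this many "<>" pairs


def parse_pcap(data):
    """Yield raw Ethernet frames from a little-endian libpcap capture (assumed link type 1)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap: expected little-endian magic and Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payloads_to_port(frames, port):
    """Return {flow: [(seq, payload), ...]} for IPv4/TCP segments addressed to the given port."""
    flows = defaultdict(list)
    for frame in frames:
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue                                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                   # not TCP
        src, dst = ip[12:16], ip[16:20]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dport == port and payload:
            flows[(src, sport, dst, dport)].append((seq, payload))
    return flows


def reassemble(segments):
    """Concatenate segments in sequence order (no retransmit/overlap handling; fine for a clean capture)."""
    return b"".join(p for _, p in sorted(segments, key=lambda s: s[0]))


def find_crackaddr_headers(stream, threshold=ANGLE_PAIR_THRESHOLD):
    """Return [(header, pair_count)] for address headers in the DATA section with a suspicious "<>" run."""
    hits, in_headers = [], False
    for line in stream.split(b"\r\n"):
        if not in_headers:
            in_headers = line.strip().upper() == b"DATA"   # message starts after the DATA command
            continue
        if line == b"":
            break                                          # blank line ends the header block
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() in ADDRESS_HEADERS:
            pairs = value.count(b"<>")
            if pairs >= threshold:
                hits.append((name.strip().decode(), pairs))
    return hits


def analyse_capture(pcap_bytes):
    flows = tcp_payloads_to_port(parse_pcap(pcap_bytes), SMTP_PORT)
    return [hit for segs in flows.values() for hit in find_crackaddr_headers(reassemble(segs))]


# ---- constructed sample capture (not real traffic) ---------------------------------------------
def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP around payload; checksums left zero because the parser does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip) + tcp
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def sample_capture(angle_pairs):
    """Constructed SMTP session whose From: header carries angle_pairs '<>' sequences (hypothetical hosts)."""
    client, server = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 25])
    commands = [
        b"HELO attacker.example\r\n",
        b"MAIL FROM:<x@attacker.example>\r\n",
        b"RCPT TO:<root@victim.example>\r\n",
        b"DATA\r\n",
        b"From: " + b"<>" * angle_pairs + b"x@attacker.example\r\n",
        b"Subject: test\r\n\r\nbody\r\n.\r\n",
    ]
    frames, seq = [], 1000
    for cmd in commands:
        frames.append(build_frame(client, server, 40000, SMTP_PORT, seq, cmd))
        seq += len(cmd)
    frames.reverse()          # stored out of order on purpose to exercise seq-based reassembly
    return build_pcap(frames)


if __name__ == "__main__":
    for n in (1, 300):
        print(f"{n} angle pairs -> {analyse_capture(sample_capture(n))}")
```

Point the same `analyse_capture()` at a real capture taken while running a suspect exploit and at one taken while running the public PoC; if both trip on the same header with a comparable pair count, the traffic-level resemblance the comment describes is what you are seeing. A hit is a heuristic, not proof: a different bug in the same header parser would look similar, so the count and the surrounding payload still need a manual diff against the PoC.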

loneicewolf commented 6 months ago

> So, here is your trail of breadcrumbs: earlyshovel is listed as a 'publicly known exploit'
>
> https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/etc/opscript.txt#L9305
>
> I went and set up a Red Hat 7.3 machine and set up sendmail to receive remote connections. Looked at the pcap, compared it to the PoCs available for CVE-2003-0694: not the same. There is no public PoC I can seem to find related to CVE-2003-0681.
>
> The source for earlyshovel mentions something called crackaddrbuflocation: https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/bin/earlyshovel/asprh73.py
>
> crackaddr is not mentioned in either of the PoCs or solutions for those two CVEs, but it is mentioned in Mark Dowd's vuln, as seen here: http://www.securityfocus.com/archive/1/313757 which leads here: http://www.securityfocus.com/bid/6991/info
>
> and finally to these PoCs:
>
> http://www.securityfocus.com/bid/6991/exploit
>
> which, if run, bear a striking resemblance to the sploit in EarlyShovel.
>
> So there you go.

Thanks for posting this! I didn't see this at all.