Message-ID: <Pine.SGI.4.44.0208262056300.174421-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: tradecraft and subversion
Personally, I've enjoyed the (few) posts with some actual code in
them. Anyone who reads my posts knows that I'm usually (depending on the
situation) against releasing vulnerabilities and exploit code to the
public or to vendors. I consider myself a non-criminal blackhat since I
code "toolz" but don't use them illegally. Of course my efforts are for
research purposes only, and if someone else decides to use my tools
illegally, then they are a bad bad person and I just couldn't condone that
at all, no sir, not at all, honest. I'm not a huge exploit coder, but I
have written a couple for fun, not profit. I'm more interested in tools
with a dark flavor since they aren't going to be used by jerkish vendors
to fix their products (at least, they aren't as likely to be). To my
credit I've created some private stock tools to break NFR, Dragon, and
RealSecure NIDS sensors, and also crafted some network tools to DoS FW-1
and Cisco routers. Most of those are ancient history, recently I've had a
dramatic skill increase with cryptographic algorithms and a greatly
enhanced ability with C due to coding about 20,000 lines in the last 6
months or so.
Okay, that said, I'm working on a few projects and if anyone has
feedback, code, or advice concerning them, I'd appreciate it. I'd usually
take this kind of thing to somewhere like vuln-dev, but due to the recent
corporate ownership and the loss of Blue Boar, well, screw that. Anyhow,
here goes nothing:
Project "SPAT": Server Protocol Automated Tester. Basically it's a
"blackhat honeypot". Take an instance where you've "acquired" a new SMTP
+ POP3 server. Most client applications get much less attention in code
audits than server daemons. Hence, I've found that they usually contain a
lot more vulnerabilities but few people go looking there because they
usually "trust" the server to give them valid responses (or at worst, no
response). Many times, format string exploits are possible, too (think of
"server responded with BLAH BLAH BLAH" messages). Eudora comes to mind.
Anyhow, the basic concept is that "spat" sits on a given port and acts
like an SMTP, POP3, IMAP, FTP, or whatever server. When clients connect to
this server, the server attempts to exploit and own them. I've been doing
some skeleton work on some post-overflow trojans/malware, but Windows
programming disgusts me so I'm not too thrilled with this part. There are a
few design problems, too. For one, I think the clients may rapidly
discover that they are having problems with the server. Therefore, it
might be prudent to only attempt to exploit the clients one out of ten
times or so. This way they blame their own application, and not the
server, and when they complain to the sysadmin they end up looking like an
idiot when it "works fine" for the sysadmin. I think that perhaps a lot of
coding can be avoided by calling the original daemon for the times when we
want things to seem "legit". I could go on a bit more, but I think anyone
with savvy will get the picture.
Project "xxtleet" (pronounced "zeetleet"):
This is an addition bolted onto xxt or my aescrypt tools which will
use a lexigraphical pattern generator to create a more or less
steganographic message which looks like a leet-speak rant. I haven't done
much in the way of code on this one as I'm trying to plan out the best
approach. I love the reaction by whitehats when they see leetspeak. They
usually start having fits and screaming "children!" and I find it amusing
that someone could use a tool like this to post exploit code to a list
such as this to arm their brethren and piss off those with an anal
whitehat attitude in the same stroke. Anyway back on track, I was thinking
that I'd use a base128 or base512 numbering system somewhat like base64
encoding does with MIME and such. The difference would be that instead of
using a single character I'd use an entire word. Yes, this would create
much larger files than that being encrypted but such is steganography.
Anyhow, I was thinking I'd build tables of nouns, verbs, adjectives and
adverbs. Each table would have a corresponding number of entries (128 or
512, I haven't decided yet). Then the lexigraphic engine could use a file
full of lexical rules to generate valid sentences with the various
wordlists. Of course the word lists would be populated with leetspeak but
could really be anything. So assuming an average word length of about 7
bytes, I'm guessing that your average 13k exploit could be compressed
down to 3k or 4k, encrypted with TEA or AES, then leetencoded() to be a
leetspeak rant of about 24k - 40k. Any ideas on the lexigraphic engine or
the encoding scheme would be appreciated.
Oh, one last thing. I think this sort of thing would probably annoy the
type of people on the list that I'm not really that fond of. So, if you
have feedback, and you don't mind, just post it straight to the list. You
can feel free to email me privately, too. Thanks.
aliver
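The SPAT idea rests on clients trusting whatever the server sends back, and
the "server responded with ..." format-string bug the post mentions is the
clearest instance of that. The following is an added example in C, not code
from the post or from any of aliver's tools: a mail client's banner logging
path written the vulnerable way and then hardened. The wrapper name
client_log, the LOG_MAX buffer size and the sample banner are assumptions
constructed for the example; the 512-byte limit comes from RFC 1939.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the post): a mail client's "server responded
 * with ..." logging path, first as the vulnerable pattern and then hardened.
 * All names and sizes here are assumptions, not any real client's. */

#define LOG_MAX 256     /* assumed size of the client's log message buffer */

/* Typical client logging wrapper: formats into a caller-supplied buffer.
 * Returns what vsnprintf returns (characters that would have been written). */
static int client_log(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE (kept on purpose): the banner is pasted into a message that is
 * then used AS the format string, so a server can make the client interpret
 * %x, %s or %n inside the banner. "%%" collapsing to "%" is the harmless,
 * deterministic symptom of the very same bug. */
int log_banner_vulnerable(const char *banner, char *out, size_t outsz)
{
    char msg[LOG_MAX];
    snprintf(msg, sizeof msg, "server responded with %s", banner);
    return client_log(out, outsz, msg);      /* server text is the format */
}

/* HARDENED: the banner is only ever an argument to a fixed format, and its
 * length is capped so an oversized banner cannot dominate the message. */
int log_banner_safe(const char *banner, char *out, size_t outsz)
{
    return client_log(out, outsz, "server responded with %.*s",
                      LOG_MAX, banner);
}

/* Belt and braces: refuse banners a conforming server would never send.
 * RFC 1939 section 3 limits a POP3 response line to 512 characters, and a
 * response line (CRLF already stripped here) carries no control characters. */
int banner_is_sane(const char *banner)
{
    size_t len = strlen(banner);
    if (len == 0 || len > 512) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)banner[i];
        if (c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

/* Self-check helper: run one of the two loggers and compare its output. */
int log_matches(int use_safe, const char *banner, const char *expect)
{
    char out[LOG_MAX];
    if (use_safe) log_banner_safe(banner, out, sizeof out);
    else          log_banner_vulnerable(banner, out, sizeof out);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed banner: "%%" stands in for what would be %n in an attack. */
    const char *banner = "+OK p0p3 s3rv3r 100%% r3ady";
    char out[LOG_MAX];
    log_banner_vulnerable(banner, out, sizeof out);
    printf("vulnerable: %s\n", out);   /* the %% was consumed as a directive */
    log_banner_safe(banner, out, sizeof out);
    printf("safe:       %s\n", out);   /* the banner is reproduced verbatim */
    return 0;
}
```

The "%%" trick is the cheap way to prove the bug from the server side without
risking a crash: if the client logs one percent sign where the server sent
two, the banner went through as a format string and %n would have worked too.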
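To make the xxtleet encoding scheme concrete, here is one working instance
of it in C, added here as an example and not taken from xxt, aescrypt or any
other of aliver's code. It uses base128 (7 bits per word), one 128-entry
table per part of speech, and a fixed "adjective noun verb adverb" sentence
template in place of the rule file. The word tables, the template, the "!!!"
sentence terminator and the 2-byte length header are all assumptions made
for this example; the post fixes none of them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a base-128 word encoding along the lines the post sketches.
 * Each word carries 7 bits, its part of speech is fixed by its position in
 * a repeating adjective/noun/verb/adverb template, and four words make a
 * sentence. Word tables, template and framing are assumptions made here. */

#define WBITS 7
#define NWORDS (1 << WBITS)   /* 128 words per part-of-speech table */
#define NPOS 4                /* adjective, noun, verb, adverb */

/* Each table is 8 prefixes x 16 suffixes. Prefixes are all exactly four
 * characters and suffixes are distinct within a table, so every word has
 * one (prefix, suffix) split and decoding is an exact string match. */
static const char *pre[8] = {"h4x0","l33t","n00b","w4r3","r00t","sh3l","k0d3","pwn3"};
static const char *suf[NPOS][16] = {
  {"","z","0r","3d","y","ish","ful","l3ss","zy","i3","0us","ly","d","ik","zz","x0"},
  {"b0x","b0x3z","sk1llz","dud3","k1d","z0n3","spl0it","w0rm","n3t","d0x",
   "w4r3z","c0d3","b0t","h0st","sys","d43m0n"},
  {"s","d","z","z3d","s0","t","ing","3d","z3s","iz3s","4t3s","fi3s","0rs","z0rs","ins","0uts"},
  {"ly","zly","fully","ishly","0usly","w4rd","wiz3","ly1","lyz","i0usly",
   "3dly","ingly","4bly","ily","lyx","lyz0r"},
};

static void word_of(int pos, int idx, char *out, size_t n)
{
    snprintf(out, n, "%s%s", pre[idx >> 4], suf[pos][idx & 15]);
}

static int index_of(int pos, const char *w)   /* -1 if not in that table */
{
    char buf[32];
    for (int i = 0; i < NWORDS; i++) {
        word_of(pos, i, buf, sizeof buf);
        if (strcmp(buf, w) == 0) return i;
    }
    return -1;
}

/* Append one word; "!!! " separates each group of NPOS words. */
static int emit(int idx, int *wi, char *out, size_t outsz, size_t *pos)
{
    char w[32];
    word_of(*wi % NPOS, idx, w, sizeof w);
    const char *sep = *wi == 0 ? "" : (*wi % NPOS == 0 ? "!!! " : " ");
    int k = snprintf(out + *pos, outsz - *pos, "%s%s", sep, w);
    if (k < 0 || (size_t)k >= outsz - *pos) return -1;
    *pos += (size_t)k;
    (*wi)++;
    return 0;
}

/* Encode: 2-byte big-endian length header, then payload, packed MSB-first
 * into 7-bit groups, one word per group. Returns text length or -1. */
int leet_encode(const uint8_t *in, size_t n, char *out, size_t outsz)
{
    uint32_t acc = 0;
    int nb = 0, wi = 0, k;
    size_t pos = 0;
    if (n > 0xFFFF || outsz == 0) return -1;
    for (size_t i = 0; i < n + 2; i++) {
        uint8_t b = i == 0 ? (uint8_t)(n >> 8) : i == 1 ? (uint8_t)n : in[i - 2];
        acc = (acc << 8) | b;
        nb += 8;
        while (nb >= WBITS) {
            nb -= WBITS;
            if (emit((acc >> nb) & (NWORDS - 1), &wi, out, outsz, &pos)) return -1;
        }
    }
    if (nb > 0 && emit((acc << (WBITS - nb)) & (NWORDS - 1), &wi, out, outsz, &pos))
        return -1;                                   /* pad the last group */
    k = snprintf(out + pos, outsz - pos, "!!!");
    if (k < 0 || (size_t)k >= outsz - pos) return -1;
    return (int)(pos + (size_t)k);
}

/* Decode: split on whitespace, strip trailing '!', look each word up in the
 * table its position demands, reassemble bytes, stop at the header's length.
 * Returns payload length, or -1 on an unknown word or truncated text. */
int leet_decode(const char *text, uint8_t *out, size_t outsz)
{
    uint32_t acc = 0;
    int nb = 0, wi = 0;
    size_t got = 0;
    long want = -1;
    char w[32];
    for (const char *p = text; *p; ) {
        while (*p == ' ' || *p == '\n') p++;
        size_t len = 0, wl;
        while (p[len] && p[len] != ' ' && p[len] != '\n') len++;
        if (len == 0) break;
        wl = len;
        while (wl > 0 && p[wl - 1] == '!') wl--;
        if (wl == 0 || wl >= sizeof w) return -1;
        memcpy(w, p, wl);
        w[wl] = 0;
        int idx = index_of(wi++ % NPOS, w);
        if (idx < 0) return -1;
        p += len;
        acc = (acc << WBITS) | (uint32_t)idx;
        nb += WBITS;
        while (nb >= 8) {
            nb -= 8;
            uint8_t b = (uint8_t)(acc >> nb);
            if (got == 0)             want = (long)b << 8;
            else if (got == 1)        want |= b;
            else if (got - 2 < outsz) out[got - 2] = b;
            else return -1;
            got++;
            if (got >= 2 && (long)(got - 2) == want) return (int)want;
        }
    }
    return -1;
}

/* Round-trip self-test: 1 if encode then decode reproduces the input. */
int leet_roundtrip_ok(const uint8_t *in, size_t n)
{
    char txt[4096];
    uint8_t back[512];
    if (n > sizeof back || leet_encode(in, n, txt, sizeof txt) < 0) return 0;
    if (leet_decode(txt, back, sizeof back) != (int)n) return 0;
    return n == 0 || memcmp(back, in, n) == 0;
}

int main(void)
{
    /* Constructed stand-in for the compressed, encrypted exploit bytes. */
    const uint8_t payload[] = {0x1f, 0x8b, 0x08, 0x00, 0xde, 0xad, 0xbe, 0xef};
    char rant[512];
    if (leet_encode(payload, sizeof payload, rant, sizeof rant) > 0) puts(rant);
    return 0;
}
```

With words averaging around ten characters plus a space, each 7 payload bits
cost roughly 11 output bytes, so the expansion is about twelvefold; the post's
24k to 40k figure for a 3k or 4k payload is in the same ballpark. Note that
encrypting before encoding matters here: the word tables are the whole secret
of the encoding, and anyone with them can strip the rant back to bytes.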