[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCvwp4nb7he9A4qyy6dnjWgA89KOde1hQPQi8c3ev1cuFERvQ@mail.gmail.com>
Date: Wed, 26 Oct 2011 13:14:14 +1100
From: xD 0x41 <secn3t@...il.com>
To: Flavio do Carmo Junior <carmo.flavio@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: I know its old,
but what the heck does this do... (exposing a tool...)
Hrm, exactly what im wondering about, is that packet just 'junk' in effect
,.... or just hiding more :s
I will investiagte it.
It is strange tho, as nothing of the *normal* has detected anything malign
yet to me, but, i just started the OS i use for this stuff 20seconds ago,
and it has only read a few setors of the code sofar... yes, it is a home
lab, it is just IBM x3 3U racks, put together in a DIYs kinda rack,but works
for me :)
It is also a 'darknet' , so many of this kinda network shit seems to dribble
in from many places, atm it seems, this is the .c file theyre trying to
hide, apparently it can send a negotiation wich just trashes the SMB client,
according to this, wich i am going to see what does exactly in about
5minutes :P
i will keepyou informed as yes, usually most ddos wich uses *trash* code to
send as broadcasting packet, would encapsulate exactly this, BS, wich, this
is not.
It is some code in there, but, it is also not str8 forward yet for me, until
i have results but, it does spawn some strange sockets :s
I will see where it leads.
thx for that info about the SMB bugs, i do know of them but, just have seen
this done once properly on linux, wich is a really hardass attacking tool,
and clobbers smb server, but, this one seemingly does it diferently.
there is a winssmb-nuke tool already, i know that DOES work 100% now i did
alittle google b4 ending this post, and, this is the apprent descendant,
wich was sold.
I will look now and wait for my os to read thru it abit... and darknet to
see where it connects.
interesting one tho.
i have also found similar code, for something else called ipv6killer.c ,no
not ipv6fuck.c wich is also, actually real, but, ipv6killer.c, wich is
almost exactly this same code, but, actually seems setup for ipv6, so makes
me think about this one harder :s
i am stumped until i have a malware analysis from my box, as i dont run
things at first glance, specially ddos crap, that will certainly lead to mem
corruption :P
ok, cheers sofar, ill keep looking!
xd
On 26 October 2011 13:03, Flavio do Carmo Junior <carmo.flavio@...il.com>wrote:
> 'system(h3llcode)' ??
>
> Should be fun...
>
> On 10/26/11, xD 0x41 <secn3t@...il.com> wrote:
> > Hello List,
> > Id like people to also, like this thread asks, to pls give some opinion,
> > other than mine.. wich, i am yet to make;
> >
> > http://www.hackerthreads.org/Topic-5973
> >
> > Please look at this .c code on here, if you wish, and tell me, why
> > A. It is still in circulation, seeminlgly, on MANY MANY boxes....
> > B. people still seem to try keep it private :s
> >
> > This morning, a friend from webhostingtalk.com ,asked me to take a look.
> > I have and, i can only sofar say, once i decrypt the shellcode, ill know
> > abit more..
> > altho , i rmember this thing, and, somany people were after it, people
> were
> > paying for it, this is first time i have seen it actually disclosed tho,
> > admittedly only looked today.
> > If skiddies are using it to ddos things, I want to makesure i can expose
> it,
> > and kill the threats.
> > thankyou.
> > xd .// exposing bullshit as i ride!
> >
>
> --
> Sent from my mobile device
>
> --
> Best regards,
>
> Flávio do Carmo Júnior
> Sydney/NSW
> http://au.linkedin.com/in/carmoflavio/en
> http://0xcd80.wordpress.com
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists