Bugtraq mailing list archives
Re: +ALERT+ BACKDOOR IN MSN666 SNIFFER FOR SNIFFING MSN +ALERT+
From: "Seunghyun Seo" <s1980914 () inhavision inha ac kr>
Date: Sat, 15 Jun 2002 00:03:46 +0900
I'm writer of msn666 msn messege sniffer, there are no problems, and no backdoors in it, if you read the code and procdulre of it detail then you could notice it rightly. Check msn666-1.0.0.tar.gz and msn666-1.0.1.tar.gz at http://underground.or.kr/project/msn666/ again. previous my attaching file needs revision. Latest Update : 14 Jun, 2002 ( msn666-1.0.1.tar.gz ) MD5 : f1c0a4013dcd8afa1e9b55e68241461e i've added some of my code for 'IRO operation of MSN Messege' First Release : 13 Jun, 2002 (msn666-1.0.0.tar.gz ) MD5 : a2033be23c2c7ff47bf0c716d0613abd and above md5sum is right. thanks -- Seunghyun Seo , Inha university Group of Research for Unix Security [e-mail] seo () igrus inha ac kr, seo () underground or kr ----- Original Message ----- 보낸 사람: <gobbles () hushmail com> 받는 사람: <camis () mweb co za> 참조: <bugtraq () securityfocus com>; <vuln-dev () securityfocus com>; <bugs () securitytracker com>; <vulnwatch () vulnwatch org>; <submissions () packetstormsecurity org>; <GOBBLES () hushmail com> 보낸 날짜: 2002년 6월 14일 금요일 오전 8:42 제목: +ALERT+ BACKDOOR IN MSN666 SNIFFER FOR SNIFFING MSN +ALERT+
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++ +++++++BACKDOOR IN MSN666 MSN SNIFFER FOR SNIFFING MSN++++++++ ++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++ +EMERGENCY+++ This emergency GOBBLES SECURITY LABS (GSL) release for immediate release. Security of team bugtraq penetrator at risk@@!@! HURRY! Moderatorz, please approve this post immediately as the dozens of readers of your lists are probably marvelling at the function- ality of this program right now, since it was just released, and are at a high risk of having this dastardly backdoor exploited! +PROBLEM+++ msn666 sniffer for sniffing msn is in reality malicious blackhat root backdoor. msn666 sniffer for sniffing msn has just been rel- eased on team bugtraq penetrator list: http://archives.neohapsis.com/archives/bugtraq/2002-06/0125.html ALSO http://underground.or.kr/project/msn666/ +DETAILS+++ GOBBLES-scan-incoming detect following in incoming backoor packag- e e-mail of msn666 sniffer for sniffing msn: msn666.c: ... void pattern2 ( char *msg, int size ) { char opmsg[16]; ... sscanf ( msg, "%s", &opmsg ); ... Is called like this from runpkt(): ... if ( (int)htons(tcp->dest) == 1863 || ok_flg ) { ... if ( tcp->psh ) { memcpy ( buf, data, sizeof(buf) ); pattern2( buf, htons(ip->tot_len)-40 ); ... GOBBLES think it quite obvious this is malicicous root backdoor in msn666 sniffer for sniffing msn. +DISCLAIMER+++ GOBBLES not going to release he exploit code. Code for this is sloppy and contain lot of overflows. It too embarrassing to publish to team bugtraq penetrator. But GOBBLES SECURITY LAB (GSL) members are working on new version with -m capablities. It utilizes libnet. ____________________ < GOBBLES LOVE ROUTE > -------------------- \ ,+*^^*+___+++_ \ ,*^^^^ ) \ _+* ^**+_ \ +^ _ _++*+_+++_, ) _+^^*+_ ( ,+*^ ^ \+_ ) { ) ( ,( ,_+--+--, ^) ^\ { (@) } f ,( ,+-^ __*_*_ ^^\_ ^\ ) {:;-/ (_+*-+^^^^^+*+*<_ _++_)_ ) ) / ( / ( ( ,___ ^*+_+* ) < < \ U _/ ) *--< ) ^\-----++__) ) ) ) ( ) _(^)^^)) ) )\^^^^^))^*+/ / / ( / (_))_^)) ) ) ))^^^^^))^^^)__/ +^^ ( ,/ (^))^)) ) ) ))^^^^^^^))^^) _) *+__+* (_))^) ) ) ))^^^^^^))^^^^^)____*^ \ \_)^)_)) ))^^^^^^^^^^))^^^^) (_ ^\__^^^^^^^^^^^^))^^^^^^^) ^\___ ^\__^^^^^^))^^^^^^^^)\\ ^^^^^\uuu/^^\uuu/^^^^\^\^\^\^\^\^\^\ ___) >____) >___ ^\_\_\_\_\_\_\) ^^^//\\_^^//\\_^ ^(\_\_\_\) ^^^ ^^ ^^^ ^ +PROOF OF CONCEPT+++ First GOBBLES run msn666 sniffer for sniffin msn on secure test machine: # ./msn666 Then GOBBLES run he GOBBLES-own-msn666.c on he Local Area Network (LAN): # ./GOBBLES-own-msn666 xxxxxxxxxxxxxxxxxxxxxxxx 192.168.0.1 192.168.0.2 !@# GOBBLES-own-msn666 packet sent !@# # Then GOBBLES go to run to other terminal in much anticipation and notice following: # ./msn666 Segmentation fault (core dumped) # Then GOBBLES get out he autographed hardcopy of Smashing the stack for the fun and the profit. And explore msn666 coredump and he notice following: (gdb) info reg eip eip 0x78787878 0x78787878 (gdb) That mean GOBBLES now have saved team bugtraq penetrator from malicious remote root backdoor hole in msn666 sniffer for sniffing msn. GOBBLES expect he thank you e-mails at GOBBLES () hushmail com hehehe ;PPpPPPP +GREETZ+++ doug sniff, when are you going to quit being such a filthy blackhat and provide the rest of the fame-seeking community with information concerning this devestating remote bug in Epic? Unless you were just fabricating that as the means of penetration to your system, when in fact you really don't know... Tony Monroe, cowsay is the _best_ program ever written. For those of you who don't understand how to decypher the mystique of freshmeat.net, go to http://www.nog.net/~tony/warez/cowsay.shtml -- this is the best thing you'll ever get a chance to use. -----BEGIN PGP SIGNATURE----- Version: Hush 2.1 Note: This signature can be verified at https://www.hushtools.com wlwEARECABwFAj0JLosVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPocAA nRf0wJq1cChOzr2A30sWOIIOhthIAKClLtpXvEr6+H9fT+x9nOjm/iAzLw== =I6Rx -----END PGP SIGNATURE-----
Current thread:
- +ALERT+ BACKDOOR IN MSN666 SNIFFER FOR SNIFFING MSN +ALERT+ gobbles (Jun 14)
- Re: +ALERT+ BACKDOOR IN MSN666 SNIFFER FOR SNIFFING MSN +ALERT+ Seunghyun Seo (Jun 14)