+ALERT+ BACKDOOR IN MSN666 SNIFFER FOR SNIFFING MSN +ALERT+

From: gobblesat_private
Date: Thu Jun 13 2002 - 16:42:57 PDT

  • Next message: sec: "Another cgiemail bug"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
     ++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++
    +++++++BACKDOOR IN MSN666 MSN SNIFFER FOR SNIFFING MSN++++++++
     ++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++
    
    
    +EMERGENCY+++
    
    This emergency GOBBLES SECURITY LABS (GSL) release for immediate
    release. Security of team bugtraq penetrator at risk@@!@! HURRY!
    
    Moderatorz, please approve this post immediately as the dozens
    of readers of your lists are probably marvelling at the function-
    ality of this program right now, since it was just released, and
    are at a high risk of having this dastardly backdoor exploited!
    
    
    +PROBLEM+++
    
    msn666 sniffer for sniffing msn is in reality malicious blackhat
    root backdoor. msn666 sniffer for sniffing msn has just been rel-
    eased on team bugtraq penetrator list:
    
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0125.html
                            ALSO
    http://underground.or.kr/project/msn666/
    
    +DETAILS+++
    
    GOBBLES-scan-incoming detect following in incoming backoor packag-
    e e-mail of msn666 sniffer for sniffing msn:
    
    msn666.c:
    
    ...
    
    void
    pattern2 ( char *msg, int size )
    {
            char opmsg[16];
    
    ...
    
            sscanf ( msg, "%s", &opmsg );
    
    ...
    
    Is called like this from runpkt():
    
    ...
    
            if ( (int)htons(tcp->dest) == 1863 || ok_flg ) {
    
    ...
    
            if ( tcp->psh ) {
                    memcpy ( buf, data, sizeof(buf) );
                    pattern2( buf, htons(ip->tot_len)-40 );
    ...
    
    GOBBLES think it quite obvious this is malicicous root backdoor
    in msn666 sniffer for sniffing msn.
    
    +DISCLAIMER+++
    
    GOBBLES not going to release he exploit code. Code for this is
    sloppy and contain lot of overflows. It too embarrassing to
    publish to team bugtraq penetrator. But GOBBLES SECURITY LAB
    (GSL) members are working on new version with -m capablities.
    It utilizes libnet.
    
    
    ____________________
    < GOBBLES LOVE ROUTE >
     --------------------
      \                                  ,+*^^*+___+++_
       \                           ,*^^^^              )
        \                       _+*                     ^**+_
         \                    +^       _ _++*+_+++_,         )
                  _+^^*+_    (     ,+*^ ^          \+_        )
                 {       )  (    ,(    ,_+--+--,      ^)      ^\
                { (@)    } f   ,(  ,+-^ __*_*_  ^^\_   ^\       )
               {:;-/    (_+*-+^^^^^+*+*<_ _++_)_    )    )      /
              ( /  (    (        ,___    ^*+_+* )   <    <      \
               U _/     )    *--<  ) ^\-----++__)   )    )       )
                (      )  _(^)^^))  )  )\^^^^^))^*+/    /       /
              (      /  (_))_^)) )  )  ))^^^^^))^^^)__/     +^^
             (     ,/    (^))^))  )  ) ))^^^^^^^))^^)       _)
              *+__+*       (_))^)  ) ) ))^^^^^^))^^^^^)____*^
              \             \_)^)_)) ))^^^^^^^^^^))^^^^)
               (_             ^\__^^^^^^^^^^^^))^^^^^^^)
                 ^\___            ^\__^^^^^^))^^^^^^^^)\\
                      ^^^^^\uuu/^^\uuu/^^^^\^\^\^\^\^\^\^\
                         ___) >____) >___   ^\_\_\_\_\_\_\)
                        ^^^//\\_^^//\\_^       ^(\_\_\_\)
                          ^^^ ^^ ^^^ ^
    
    
    +PROOF OF CONCEPT+++
    
    First GOBBLES run msn666 sniffer for sniffin msn on secure test machine:
    
    # ./msn666
    
    Then GOBBLES run he GOBBLES-own-msn666.c on he Local Area Network (LAN):
    
    # ./GOBBLES-own-msn666  xxxxxxxxxxxxxxxxxxxxxxxx 192.168.0.1 192.168.0.2
    !@# GOBBLES-own-msn666 packet sent !@#
    #
    
    Then GOBBLES go to run to other terminal in much anticipation and notice
    following:
    
    # ./msn666
    Segmentation fault (core dumped)
    #
    
    Then GOBBLES get out he autographed hardcopy of Smashing the stack for the
    fun and the profit. And explore msn666 coredump and he notice following:
    
    (gdb) info reg eip
    eip            0x78787878       0x78787878
    (gdb)
    
    That mean GOBBLES now have saved team bugtraq penetrator from malicious
    remote root backdoor hole in msn666 sniffer for sniffing msn. GOBBLES
    expect he thank you e-mails at GOBBLESat_private hehehe ;PPpPPPP
    
    
    +GREETZ+++
    doug sniff, when are you going to quit being such a filthy blackhat and
    provide the rest of the fame-seeking community with information
    concerning this devestating remote bug in Epic?  Unless you were just
    fabricating that as the means of penetration to your system, when in
    fact you really don't know...
    
    Tony Monroe, cowsay is the _best_ program ever written.  For those of
    you who don't understand how to decypher the mystique of freshmeat.net,
    go to http://www.nog.net/~tony/warez/cowsay.shtml -- this is the best
    thing you'll ever get a chance to use.
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com
    
    wlwEARECABwFAj0JLosVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPocAA
    nRf0wJq1cChOzr2A30sWOIIOhthIAKClLtpXvEr6+H9fT+x9nOjm/iAzLw==
    =I6Rx
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 05:14:12 PDT