2004/02/16 19:16:26     6832     0   
   ¾ó¸¶Àü¿¡ Á¦°¡ ¹ö±×¸®Æ÷ÆÃÀ» Çؼ­... [1]
¾ÆÆÄÄ¡°¡ 1.3.27¿¡¼­ 1.3.29·Î ¾÷±×·¹ÀÌµå µÇ¾ú´Âµ¥
±× ¶§ remote root exploitÀÌ ÀÖ´Ù°í Àû¾ú½À´Ï´Ù-_-
¾Ë°íº¸´Ï ±× exploitÀÌ fake¶ó´Â±º¿ä(¼Ò½º»ý·«;).
¾î¶² °÷¿¡¼­ ÀÌ·± ±ÛÀ» ºÃ°Åµç¿ä-.-
-------------------------------
Haha! That's really quite funny. We'll see in just a moment, why that
disclaimer is necessary.

>- --BEGIN KOEC-APACHE.C--
>
>/* :: PRIVATE - DO NOT DISTRIBUTE ::
> * Apache/1.3.27 - Remote Root Exploit
> * Knights of the Eastern Calculus (info_at_koec.org)
> */

Is anybody else laughing about the "DO NOT DISTRIBUTE" banner in the
publicly released code? Deja vu of the "ElectronicSouls" hoax.

>static char shellcode[] = {
>"\x31\xdb\x31\xc0\x31\xd2\xb2\x18\x68\x20\x3f\x21"
>"\x0a\x68\x54\x52\x31\x58\x68\x65\x20\x4d\x34\x68"
>"\x73\x20\x54\x68\x68\x61\x74\x20\x69\x68\x2d\x2d"
>"\x57\x68\x89\xe1\xb0\x04\xcd\x80\xb8\x02\x00\x00"
>"\x00\xcd\x80\xeb\xf7\x00\xcb\xad\x80\x00\x00\x02"
>"\x73\x21\x54\x68\x68\x61\x74\x21\x69\x68\x2d\x2d"
>"\x0a\x67\x54\x52\x31\x57\x67\x65\x20\x4d\x34\x67"
>"\x67\x68\x89\xe1\xb2\x04\xcd\x80\xb8\x02\x80\x00"
>"\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc"
>"\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50"
>"\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1"
>"\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24"
>"\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44"
>"\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89"
>"\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0"
>};

Let's analyze this payload:

31 DB xorl %ebx, %ebx
C0 xorl %eax, %eax
31 D2 xorl %edx, %edx
B2 18 movb %dl,$0x18
68 20 3F 21 0A pushl $0x0A213F20
68 54 52 31 58 pushl $0x58315254
68 65 20 4D 34 pushl $0x344D2065
68 73 20 54 68 pushl $0x68542073
68 61 74 20 69 pushl $0x69207461
68 2D 2D 57 68 pushl $0x68572D2D
89 E1 movl %ecx, %esp
B0 04 movb %al, $0x04
CD 80 int $0x80

sys_write(stdin, "--What is The M4TR1X ?!\n", 24);

B8 02 00 00 00 movl %eax, $0x00000002
CD 80 int $0x80

sys_write(stderr, "--What is The M4TR1X ?!\n", 24);

EB F7 jmp +2

As you can see, the only relevant bytes of the code are the first 52. The
code below it fails to work, so simply replacing the "\xeb\xf7" with
"\x90\x90" will cause the exploit to crash the target with a SIGSEGV.

Let's look at this memory allocation routine -- how funny.

[snip]
    buffer = (char *) malloc(512 + 1024 + 100);
    if (buffer == NULL) {
        printf("Not enough memory\n");
        exit(1);
    }
    memcpy(&buffer[512 - strlen(shellcode)], shellcode,
           strlen(shellcode));
    buffer[512 + 1024] = ';';
    buffer[512 + 1024 + 1] = '\0';
    void(*b)()=(void*)shellcode;b();
[huge snip]

It malloc's things oddly -- 512+1024+100 -- appearantly, our exploit
authors couldn't do basic addition. 512+1024+100 = 1636. What's funnier,
is that the shellcode is placed into the middle of the buffer, so if the
shellcode ever gets sent, memory data is leaked to the target. Secondly is
of course the fact that the shellcode is launched by the last line here.
It is an infinitively looped payload that prints out "--What is The M4TR1X
?!" until the program is killed by a CTRL+C or a 'kill' command from
another console.

I'd like to add that "koec_at_hushmail.com" is in violation of the list
charter, namely the section that states the following:

"Attachments may be included if relevant or necessary (e.g. PGP or S/MIME
signatures, proof-of-concept code, etc) but must not be active (in the case
of a worm, for example) or malicious to the recipient."

While the code being distributed was not technically an "attachment", it
was malicious to the recipient, as it was designed to waste CPU cycles on
an infinite loop, and served no other purpose. I'd also like to add that
list readers really should pay attention to the section of the charter that
states:

"Members are reminded that due to the open nature of the list, they should
use discretion in executing any tools or code distributed via this list."

Had KOEC intended to cause serious damage, that shellcode could have been
written to execute:

rm -rf /

it is advised that users at least drop the privileges of suspect code with
'su' -- never run suspect files as highly-privileged users.
-------------------------------
°á°úÀûÀ¸·Î ½ÇÇà½ÃÅ°´Â »ç¶÷Àº ¸ÁÇÑ´Ù´Â ³»¿ëÀ̱º¿ä;;
¾î·µç ¼ö°íÇϽŠMozila´Ô²² ¹Ú¼ö¸¦ ¦¦.. ¾ðÁ¨°¡´Â ¾÷ ÇؾßÇÒÅ״ϱî(?!)
ÈÄ´Ù´Ú =3=33

µ·ÀÌ ±ÃÇÕ´Ï´Ù OTL...
±âºÎ´Â ¾ðÁ¦µçÁö ȯ¿µÇÏ¿É´Ï´ÙT_T Àú¿¡°Ô´Â Å« ÈûÀÌ µÈ´ä´Ï´ÙT_T
°èÁ¹øÈ£ : ¿ì¸®ÀºÇà 960-713909-18-899
   
ÄÚ¸àÆ®¸¦ ÀÛ¼ºÇϽøé 2 Æ÷ÀÎÆ®°¡ Áö±ÞµË´Ï´Ù.



2004/02/16 19:36:10
±×ÃÝ? 1.3.27 exploit ³ª¿Ô´Ù°í Çؼ­ ±ô¦ ³î¶ú¾î¿©...¤Ñ¤Ñ;;


       

4473 ±Ã³à ¼¾½º 3¿ùÈ£.. [3] »çźÀÇÀÎÇü 02/19 7623 02/22(16:38)
4472 űرâ..; [2] 02/19 8248 02/21(19:36)
4471 µÈ´ç.. ²¿ÀÎ ÀÏÁ¤... [1] »çźÀÇÀÎÇü 02/19 8517 02/19(10:30)
4470 µÈÀå =_=;;; [3] 02/18 6452 02/22(16:38)
4469 ³¯¾¾°¡ ½Ò½ÒÇϳ׿ä... 02/18 8225
4468 ½æÁþ... [2] »çźÀÇÀÎÇü 02/18 7240 02/19(00:03)
4467 À½ÇÏÇÏÇÏ;;; [5] 02/17 6949 02/18(16:17)
>> ¾ó¸¶Àü¿¡ Á¦°¡ ¹ö±×¸®Æ÷ÆÃÀ» Çؼ­... [1] 02/16 6832 02/16(19:36)
4465 ¸¸µÎ.. ÀÌÁ¦ ±×¸¸.... [1] »çźÀÇÀÎÇü 02/16 7737 02/16(19:38)
4464 º½¹æÇÐ ÇÏ°í³ª¼­.. [2] ¹Ì¾ß¿ì 02/16 7349 02/18(09:29)
4463 Çä ÀÌ·²¼ö~ °Ô½ÃÆÇ °ü¸®ÀÚ·Î ¼±ÅÃ됬³×¿° [3] Ǹ 02/16 9523 02/16(10:45)
4462 [¾Ö´Ï¸ÞÀ̼Ç] Çϳª´Ù ¼Ò³â»ç Ǹ 02/16 9152
4461 [VICTIM »ì¸®±â] ^-^;; ¿À´Ã MBC 1ÀνÃÀ§ ÇϽźÐ... [2] 02/15 7384 02/16(20:57)
4460 űرâ ÈÖ³¯¸®¸ç¸¦ ºÁ¾ßÇϴµ¥... [4] 02/15 8554 02/16(10:44)
4459 ³¯¾¾°¡ ´À¹«´À¹« ÁÁ¾Æ¿ä. [3] 02/15 7926 02/16(10:28)
FIRST90979899100101102103110LAST