Just in case you missed it: The Shadow Brokers has published a rant and the password for their tool dump.

https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

Password for c&p is:

CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN

Files, for those needing them, at:

https://pastebin.com/hur8kVYM

(thanks to @kript3ia for reminding me)

For someone definitely active in the 90s this Equation Group dump is exactly as described by @osxreverser: a trip down memory lane.

There are exploits for Apache running on Linux for DEC Alpha, Netscape Enterprise Server, RedHat 5.x and stuff that you probably haven't heard of except in "greybeard's storytime".

If you wander over to the birdsite @osxreverser is posting headers of all the interesting exploits he finds.

There is also an OpenSSH one (KWIKEMART): https://twitter.com/osxreverser/status/850678952138067969

# KWIKEMART
###################################3
# SSH-1.5-1.2.27
# SSH-1.5-OpenSSH-1.2.3
# SSH-1.99-OpenSSH_2.1.1
# SSH-1.99-OpenSSH_2.2.0

So, KWIKEMART, in /bin/km (not found source yet) has pearls such as the following in its strings:

echo CHRIS CHRIS
No Crash, might have worked
Reply from remote: %s
CHRIS
No Chris not found and since we can't live without her .. searching on
error on read, continuing

It looks suspiciously like we might have to RE them all to find out if the holes are all patched...

Oh, this is interesting (but expected):

#######################################
### ELITEHAMMER
#######################################
### Runs against RedFlag Webmail 4 (software install)
### Gives you user nobody, not root;
### Need a local to get root (EVENTSTART or ELASTICBANJO?)
### Webmail port is usually 80 or 443

For ref: Red Flag Linux is a, now defunct, Chinese distribution (see https://en.wikipedia.org/wiki/Red_Flag_Linux)

Another adorable "from the past" entry, interesting choice of name (CICADA, see https://en.wikipedia.org/wiki/Cicada_3301 and engage your conspiracy theories):

#########################################################
# ELVISCICADA
#########################################################
### only up to ealry Sol2.9; Sol2.10 not vulnerable

### snmpXdmid (/usr/lib/dmi/dmispd) daemon program (RPC program 300598 version 1)

A little bit of "obvious" is that they have a remote backdoor called NOPEN... I have not seen it mentioned yet but basically almost every tool's aim is to drop NOPEN.

Unsurprisingly "NOCLIENT" seems to be the C2 side of "NOPEN"

@cynicalsecurity https://mastodon.social/media/Ey30sAT5BM0u8uP7YaU

@kwanre yes, "booooriiing" as we would have said in the Senior Common Room in those days :)

On a somewhat related note: NSA seems to absolutely love hugeass main()'s.

@cynicalsecurity

@kwanre @cynicalsecurity the NSA seems to be rather heavier on the "good at breaking shit" side than the "good at building shit" one; I wonder if this has implications for the design of some of their larger tools like Xkeyscore
@puellavulnerata @kwanre as someone who built a commercial XKeyscore I shall refrain from commenting.
@cynicalsecurity @kwanre I presume yours is better

@kwanre @cynicalsecurity

OTOH, I recall making the inference reading the Snowden dump that Xkeyscore had a significant design constraint of limited bandwidth to return results from some sites; given what we're seeing here with SICKLESTER and references to parsing IMSIs, I kinda wonder if the reason for that is that not all XKS sites know they are XKS sites

Some of these strings. Can't say NSA folks lack a sense of humour.

"It looks like we are in a bad state, Elvis has left the building"

@cynicalsecurity https://mastodon.social/media/wQbYgZv8mNsuWa9pqQw

Anyone have any clue about what INCISION mode might be?
@cynicalsecurity
@kwanre @cynicalsecurity From the references in the dump it looks like that is another implant, doing things like file hiding "HP-INCISION provides process and file hiding". That one seems targeted at HPUX (more dinosaurs...).
@orionwl @kwanre @cynicalsecurity there are a lot of other references to INCISION - e.g. in Linux/doc/old/etc/user.mission.sicklestar.COMMON, references to INCISION 'trigger' and 'callback' ports on both Windows and Linux
@puellavulnerata @orionwl @kwanre yes, that is true but this looks like a very specific telco-oriented staging server, at least to my eyes. Lots of references to CDRs and Oracle on HP-UX was a telco classic.
@cynicalsecurity @orionwl @kwanre yeah, agreed on that interpretation - the references to finding IMEIs with multiple IMSIs seem like a pretty clear pointer to what they were up to with this
@kwanre @orionwl @cynicalsecurity and that's the only mission-specific doc I've found so far
@puellavulnerata @orionwl @kwanre I am focusing on trying to locate GRX-specific or GSM/UMTS-specific (we are pre-LTE...) information.
@cynicalsecurity it was released in one of the earlier dumps. Everything they hack uses nopen and nopen binary was dropped. Basically you could take over the internet for about 6hrs.

@thegrugq yes, I was only documenting for those who had not followed the drama from day zero.

I have to say this dump is almost certainly telco-related and also gives several locations (as also mentioned by @esizkur on the birdsite).

The reference to a Pakistani telco is interesting given the approximate time window for this kit; it also looks almost certainly like an advanced staging system.

The SCADA stuff I want to check a little more...

This one is pure "History Channel" material:

############################################
# EXPOSITTRAG
############################################

# exploit pcnfsd version 2.x (fails on v.1 or 3+)

I cannot imagine many people in 2017 even remember pcnfsd: I used to run it so it brings back those pangs of infinite pain associated with something which should never have been born in IT.

...and what would life be without a little Samba?

###################### ECHOWRECKER #####################
# samba server vulnerability

# Samba 3.0.2a-9AX and Samba 3.0.5 are currently vulnerable
# Samba 2.x on Redhat 7.3, 8.0, and 9.0 are vulnerable

Ah, this one I have in my private stash from a friend, but without the codename :D

###################### ELECTRICSLIDE #####################
# Heap Overflow in squid 2.5.STABLE1-2 redhat 9.0
-scan 3128 TARGET_IP

Definitely remember this one being used.

Now for a little something for those oft-forgotten admins using Exim (hey, I have been a Sendmail user since the heady days of "real" BSD so I am allowed to be cynical):

###################### ERRGENTLE ##########################
# exploits vulnerability Exim 3.22 thru Exim 3.35 Mail Transfer Agent
# brute force

"History Channel" again, this one combines an ancient daemon with operating systems of a different era:

############################################
# TOOLTALK -DEC, IRIX, or Sol2.6 or earlier
############################################

-scan rpc TARGET_IP

# look for 100083 1 tcp 30889 ttdbserverd

We are talking CDE here (http://www.kb.cert.org/vuls/id/387387). You know KDE? No, CDE...

This one is very local :)

################################################
### VS - VIOLET
### You need to do this exploit from a box very close (ideally on the same net)
### as the target because of the traffic it generates.
### Reference the README file in /current/bin for help on the new version
################################################
#Start Xserver on local ops machine prior to logging in

I haven't looked at it... but XDMCP ;)

We've *all* used this one...

# PTRACE/FORKPTY

### new exploit is ptrace-kmod; it's a kernel exploit, no suid needed.
### works on linux 2.2 -> 2.4, ex) RH8.0 and MDK 9.0
### might have to run it twice before it works.
### other ptraces are older and need to run against a setuid program that won't log
# find / -fstype nfs -prune -o -type f \( -perm -4000 \) -user root -ls > o
# get o

This is very intriguing:

########################################
# SAMPLEMAN / ROUTER TOUCH
########################################

Clearly hits Cisco via some sort of redirection via a tool on port 2323...

A favourite on the History Channel:

########################################
# ENGAGENAUGHTY
########################################
# Apache and SSL exploit on Linux on Dec ALpha
# ssl must be OpenSSL 0.9.6d or earlier

This is almost endearing.

Perhaps my History Channel programme should premiere with this:

# EGGBASKET

# Remote exploit against the Netscape Web Server which leverages
# a buffer overflow to obtain remote access

# Netscape Enterprise/3.6 and Netscape Enterprise/3.6 SP1
# works against AIMC Netscape servers also with right versions

Adorable foray into AIX history:

###################### EXCEEDSALON-AIX #####################
## local elevation for AIX
## does not log but check anyway
# elevation as user
mkdir /tmp/.pci
cd /tmp/.pci
# use ftshell, uudecode copy/paste, telnet/nc, or wget to put
# /current/up/xp_lquerypv-aix5.1 up as s
./s

How many of you remember Cobalt boxes (https://en.wikipedia.org/wiki/Cobalt_Qube)?

###################### ESTOPFORBADE #####################
# local root elevation against gds_inet_server under
# Cobalt Linux release 6.0
# for complexpuzzle

# on target from nopen

We've done Sendmail, we've done Exim so here's Postfix!

########################################
# Exploits a vulnerability in the Postfix mail server.
# Postfix runs on FreeBSD, Linux, Solaris, and most Unix servers.
# This exploit works for the default binary packages in SuSE 9.0-9.2, ASP Linux 9, and Debian 3.1

This one is smart and elegant: fix RPMs so you cannot tell they have been modded.

DIZZYTACHOMETER
# Most Linux distributions contain a RPM database which stores information on installed files. Thus, if a system file is
# modified, the rpm "Verify" command easily alert the sysadmin of the changed file. DIZZYTACHOMETER alters a computer's
# RPM (4.1 or higher) database in order to hide a modified file.
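
A defender-side illustration of the point above, added here and not part of the original thread or the dump: since verification against the local RPM database trusts that database, on-disk digests have to be compared with a manifest taken from trusted media as well. The `--dump` rows, file names and the use of SHA-256 are constructed assumptions, and paths are assumed to contain no whitespace.

```python
import hashlib
import os
import tempfile

def parse_dump(text):
    """Map path -> digest from `rpm -q --dump` rows (path size mtime digest ...)."""
    rows = (line.split() for line in text.strip().splitlines())
    return {f[0]: f[3].lower() for f in rows if len(f) >= 4}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(disk, local_db, trusted):
    if disk == trusted:
        return "ok" if local_db == trusted else "db-altered"
    # File differs from the vendor package. If the local DB agrees with the
    # altered file, verification against that DB reports nothing.
    return "hidden-modification" if disk == local_db else "modified"

def audit(root, local_dump, trusted_dump):
    local, trusted = parse_dump(local_dump), parse_dump(trusted_dump)
    report = {}
    for path, want in trusted.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            report[path] = "missing"
        else:
            report[path] = classify(sha256_file(full), local.get(path), want)
    return report

def demo():
    # Constructed sample: three files under a temp root, two of them replaced.
    good, bad = b"vendor build\n", b"replaced build\n"
    digest = lambda data: hashlib.sha256(data).hexdigest()
    row = "/bin/{} 13 1491000000 {} 0100755 root root 0 0 0 X"
    trusted = "\n".join(row.format(n, digest(good)) for n in ("ls", "ps", "cat"))
    # Local DB: the /bin/ls entry was rewritten to match the replaced file.
    local = "\n".join(row.format(n, digest(bad if n == "ls" else good))
                      for n in ("ls", "ps", "cat"))
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("ls", bad), ("ps", bad), ("cat", good)):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(data)
        return audit(root, local, trusted)
```

In `demo()`, `/bin/ps` is the case a local verify would flag, while `/bin/ls` only shows up because the trusted manifest disagrees with both the disk and the local database.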

This one is almost not worth mentioning... I mean, phpBB? We've all used an exploit on that!

############################ ESMARKCONANT ##################################
# Exploits a vulnerability in the phpBB forum software.
# No authentication is required.

# target to be running phpBB less than version 2.0.11

Finally something sexy: kernel level implant.

# SUCTIONCHAR
# 32 or 64 bit OS - solaris sparc 8,9
# Kernel level implant - transparent, sustained, or realtime
# interception of procoess input/output vnode traffic.
# retrieve later

# filter: ssh, telnet, rlogin, rsh, password, login, csh , su

HP-UX:

# TRIGGERING HPUX INCISION via JACKLADDER and JACKLADDERHELPER
### HP-INCISION provides process and file hiding.
### HP-JACKLADDER differs from other JACKLADDERs because it requires the use
### of special source ports for triggering.
### JACKLADDERHELPER is an "instant-grat" version listening on an extra port.
### JACKLADDER will take over once the target reboots.

Just a quickie, Adam Caudill put up a GitHub for everything out of The Shadow Brokers dump:

https://github.com/adamcaudill/EquationGroupLeak

@cynicalsecurity wow, *that* feels ancient - I think I used CDE *once*
@cynicalsecurity a quick look through the dump makes me think that you would compile a much more versatile toolkit just from bugtraq and some other mailing lists.
@cynicalsecurity oh *wow*; I've *heard* of it, but never seen it
@puellavulnerata you are but a young fair maiden whose innocence has not been soiled by such atrocities. ;)

@cynicalsecurity

Hey, I had to implement an almost-undocumented Microsoft RPC protocol using an unholy combination of FreeDCE and Samba for a job once - I've seen some atrocities in my time.

@puellavulnerata OK, close. But pcnfsd is still in a different atrocity plane.
@cynicalsecurity I once had to explain what exponential time was to a web monkey who had gone and written a depth-first search of a graph, and then rewrite it behind his back because he was married to the corporate counsel and couldn't be fired
@cynicalsecurity Wow, that's so old, I had to google it :D