cynicalsecurity ->@bsd.networkApr 8, 2017

Just in case you missed it: The Shadow Brokers has published a rant and the password for their tool dump.

https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

Password for c&p is:

CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN

Files, for those needing them, at:

https://pastebin.com/hur8kVYM

(thanks to @kript3ia for reminding me)

Show threadcynicalsecurity ->@bsd.networkApr 8, 2017

For someone definitely active in the 90s this Equation Group dump is exactly as described by @osxreverser: a trip down memory lane.

There's exploits for Apache running on Linux for DEC Alpha, Netscape Enterprise Server, RedHat 5.x and stuff that you probably haven't heard except in "greybeard's storytime".

Show threadcynicalsecurity ->@bsd.networkApr 8, 2017

If you wander over to the birdsite @osxreverser is posting headers of all the interesting exploits he finds.

There is also an OpenSSH one (KWIKEMART): https://twitter.com/osxreverser/status/850678952138067969

# KWIKEMART
###################################3
# SSH-1.5-1.2.27
# SSH-1.5-OpenSSH-1.2.3
# SSH-1.99-OpenSSH_2.1.1
# SSH-1.99-OpenSSH_2.2.0

Show threadcynicalsecurity ->@bsd.networkApr 8, 2017

So, KWIKEMART, in /bin/km (not found source yet) has pearls such as the following in its strings:

echo CHRIS CHRIS
No Crash, might have worked
Reply from remote: %s
CHRIS
No Chris not found and since we can't live without her .. searching on
error on read, continuing

It looks suspiciously like we might have to RE them all to find out if the holes are all patched...

Show threadcynicalsecurity ->@bsd.networkApr 8, 2017

Oh, this is interesting (but expected):

#######################################
### ELITEHAMMER
#######################################
### Runs against RedFlag Webmail 4 (software install)
### Gives you user nobody, not root;
### Need a local to get root (EVENTSTART or ELASTICBANJO?)
### Webmail port is usually 80 or 443

For ref: Red Flag Linux is a, now defunct, Chinese distribution (see https://en.wikipedia.org/wiki/Red_Flag_Linux)

Show threadcynicalsecurity ->@bsd.networkApr 8, 2017

Another adorable "from the past" entry, interesting choice of name (CICADA, see https://en.wikipedia.org/wiki/Cicada_3301 and engage your conspiracy theories):

#########################################################
# ELVISCICADA
#########################################################
### only up to ealry Sol2.9; Sol2.10 not vulnerable

### snmpXdmid (/usr/lib/dmi/dmispd) daemon program (RPC program 300598 version 1)

Show threadcynicalsecurity ->@bsd.networkApr 8, 2017
A little bit of "obvious" is that they have a remote backdoor called NOPEN... I have not seen it mentioned yet but basically almost every tool's aim is to drop NOPEN.
Show threadAstarteApr 8, 2017

Unsurprisingly "NOCLIENT" seems to be the C2 side of "NOPEN"

@cynicalsecurity https://mastodon.social/media/Ey30sAT5BM0u8uP7YaU

Show threadAstarteApr 8, 2017

On a somewhat related note: NSA seems to absolutely love hugeass main()'s.

@cynicalsecurity icalsecurity

Show threadAndreⓐApr 8, 2017
@kwanre @cynicalsecurity the NSA seems to be rather heavier on the "good at breaking shit" side than the "good at building shit" one; I wonder if this has implications for the design of some of their larger tools like Xkeyscore
Show threadcynicalsecurity ->@bsd.networkApr 8, 2017
@puellavulnerata @kwanre as someone who built a commercial XKeyscore I shall refrain from commenting.
Show threadAndreⓐApr 8, 2017
@cynicalsecurity @kwanre I presume yours is better
Show threadAndreⓐApr 8, 2017

@kwanre @cynicalsecurity

OTOH, I recall making the inference reading the Snowden dump that Xkeyscore had a significant design constraint of limited bandwidth to return results from some sites; given what we're seeing here with SICKLESTER and references to parsing IMSIs, I kinda wonder if the reason for that is that not all XKS sites know they are XKS sites

Show threadcynicalsecurity ->@bsd.network
@puellavulnerata @kwanre "No comment"?
Apr 8, 2017 at 3:11pmWeb