The Shadow Brokers - don't read if you hold clearance 

Just in case you missed it: The Shadow Brokers has published a rant and the password for their tool dump.

medium.com/@shadowbrokerss/don

Password for c&p is:

CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN

Files, for those needing them, at:

pastebin.com/hur8kVYM

(thanks to @kript3ia for reminding me)

For someone definitely active in the 90s, this Equation Group dump is exactly as described by @osxreverser: a trip down memory lane.

There are exploits for Apache running on Linux for DEC Alpha, Netscape Enterprise Server, RedHat 5.x and stuff that you probably haven't heard of except in "greybeard's storytime".

If you wander over to the birdsite @osxreverser is posting headers of all the interesting exploits he finds.

There is also an OpenSSH one (KWIKEMART): twitter.com/osxreverser/status

# KWIKEMART
###################################3
# SSH-1.5-1.2.27
# SSH-1.5-OpenSSH-1.2.3
# SSH-1.99-OpenSSH_2.1.1
# SSH-1.99-OpenSSH_2.2.0

So, KWIKEMART, in /bin/km (source not found yet), has pearls such as the following in its strings:

echo CHRIS CHRIS
No Crash, might have worked
Reply from remote: %s
CHRIS
No Chris not found and since we can't live without her .. searching on
error on read, continuing

It looks suspiciously like we might have to RE them all to find out if the holes are all patched...

Oh, this is interesting (but expected):

#######################################
### ELITEHAMMER
#######################################
### Runs against RedFlag Webmail 4 (software install)
### Gives you user nobody, not root;
### Need a local to get root (EVENTSTART or ELASTICBANJO?)
### Webmail port is usually 80 or 443

For ref: Red Flag Linux is a, now defunct, Chinese distribution (see en.wikipedia.org/wiki/Red_Flag)

Another adorable "from the past" entry, interesting choice of name (CICADA, see en.wikipedia.org/wiki/Cicada_3 and engage your conspiracy theories):

#########################################################
# ELVISCICADA
#########################################################
### only up to ealry Sol2.9; Sol2.10 not vulnerable

### snmpXdmid (/usr/lib/dmi/dmispd) daemon program (RPC program 300598 version 1)

This one is pure "History Channel" material:

############################################
# EXPOSITTRAG
############################################

# exploit pcnfsd version 2.x (fails on v.1 or 3+)

I cannot imagine many people in 2017 even remember pcnfsd: I used to run it so it brings back those pangs of infinite pain associated with something which should never have been born in IT.

...and what would life be without a little Samba?

###################### ECHOWRECKER #####################
# samba server vulnerability

# Samba 3.0.2a-9AX and Samba 3.0.5 are currently vulnerable
# Samba 2.x on Redhat 7.3, 8.0, and 9.0 are vulnerable

Ah, this one I have in my private stash from a friend, but without the codename :D

###################### ELECTRICSLIDE #####################
# Heap Overflow in squid 2.5.STABLE1-2 redhat 9.0
-scan 3128 TARGET_IP

Definitely remember this one being used.

Now for a little something for those oft-forgotten admins using Exim (hey, I have been a Sendmail user since the heady days of "real" BSD so I am allowed to be cynical):

###################### ERRGENTLE ##########################
# exploits vulnerability Exim 3.22 thru Exim 3.35 Mail Transfer Agent
# brute force

"History Channel" again, this one combines an ancient daemon with operating systems of a different era:

############################################
# TOOLTALK -DEC, IRIX, or Sol2.6 or earlier
############################################

-scan rpc TARGET_IP

# look for 100083 1 tcp 30889 ttdbserverd

We are talking CDE here (kb.cert.org/vuls/id/387387). You know KDE? No, CDE...

This one is very local :)

################################################
### VS - VIOLET
### You need to do this exploit from a box very close (ideally on the same net)
### as the target because of the traffic it generates.
### Reference the README file in /current/bin for help on the new version
################################################
Xserver on local ops machine prior to logging in

I haven't looked at it... but XDMCP ;)

We've *all* used this one...

# PTRACE/FORKPTY

### new exploit is ptrace-kmod; it's a kernel exploit, no suid needed.
### works on linux 2.2 -> 2.4, ex) RH8.0 and MDK 9.0
### might have to run it twice before it works.
### other ptraces are older and need to run against a setuid program that won't log
# find / -fstype nfs -prune -o -type f \( -perm -4000 \) -user root -ls > o
# get o

This is very intriguing:

########################################
# SAMPLEMAN / ROUTER TOUCH
########################################

Clearly hits Cisco via some sort of redirection via a tool on port 2323...

A favourite on the History Channel:

########################################
# ENGAGENAUGHTY
########################################
# Apache and SSL exploit on Linux on Dec ALpha
# ssl must be OpenSSL 0.9.6d or earlier

This is almost endearing.

Perhaps my History Channel programme should premiere with this:

# EGGBASKET

# Remote exploit against the Netscape Web Server which leverages
# a buffer overflow to obtain remote access

# Netscape Enterprise/3.6 and Netscape Enterprise/3.6 SP1
# works against AIMC Netscape servers also with right versions

Adorable foray into AIX history:

###################### EXCEEDSALON-AIX #####################
## local elevation for AIX
## does not log but check anyway
# elevation as user
mkdir /tmp/.pci
cd /tmp/.pci
# use ftshell, uudecode copy/paste, telnet/nc, or wget to put
# /current/up/xp_lquerypv-aix5.1 up as s
./s

How many of you remember Cobalt boxes (en.wikipedia.org/wiki/Cobalt_Q)?

###################### ESTOPFORBADE #####################
# local root elevation against gds_inet_server under
# Cobalt Linux release 6.0
# for complexpuzzle

# on target from nopen

We've done Sendmail, we've done Exim so here's Postfix!

########################################
# Exploits a vulnerability in the Postfix mail server.
# Postfix runs on FreeBSD, Linux, Solaris, and most Unix servers.
# This exploit works for the default binary packages in SuSE 9.0-9.2, ASP Linux 9, and Debian 3.1

This one is smart and elegant: fix RPMs so you cannot tell they have been modded.

DIZZYTACHOMETER
# Most Linux distributions contain a RPM database which stores information on installed files. Thus, if a system file is
# modified, the rpm "Verify" command easily alert the sysadmin of the changed file. DIZZYTACHOMETER alters a computer's
# RPM (4.1 or higher) database in order to hide a modified file.

This one is almost not worth mentioning... I mean, phpBB? We've all used an exploit on that!

############################ ESMARKCONANT ##################################
# Exploits a vulnerability in the phpBB forum software.
# No authentication is required.

# target to be running phpBB less than version 2.0.11

Finally something sexy: kernel level implant.

# SUCTIONCHAR
# 32 or 64 bit OS - solaris sparc 8,9
# Kernel level implant - transparent, sustained, or realtime
# interception of procoess input/output vnode traffic.
# retrieve later

# filter: ssh, telnet, rlogin, rsh, password, login, csh , su

HP-UX:

# TRIGGERING HPUX INCISION via JACKLADDER and JACKLADDERHELPER
### HP-INCISION provides process and file hiding.
### HP-JACKLADDER differs from other JACKLADDERs because it requires the use
### of special source ports for triggering.
### JACKLADDERHELPER is an "instant-grat" version listening on an extra port.
### JACKLADDER will take over once the target reboots.

Just a quickie, Adam Caudill put up a GitHub for everything out of The Shadow Brokers dump:

github.com/adamcaudill/Equatio

Love this AIX-specific implant:

# SLYHERETIC v1.0.5.0
### SLYHERETIC is a light-weight implant for AIX 5.1 and AIX 5.2 Uses Hide-in-Plain-Sight techniques to provide stealth.
### SlyHeretic_Persistent: This installer injects a backdoor into a system process and persists across system reboots.
### SlyHeretic_OneShot: This installer injects a backdoor into a system process and does not persist across system reboots.

A classic Solaris RPC exploit (RPC was always a boon for exploits in the 90s):

EBBISLAND
(Exploit for Solaris 2.6, 2.7, 2.8, 2.9 and 2.10)

First ensure that the vulnerable rpc service(bootparam) is running. You must
be able to reach the target system's TCP port that the designated target RPC is listening upon.

Ooh, SquirrelMail, remember that? So many ISPs ran it because it was free webmail... This one is explicitly known to be "public":

# ELIDESKEW v1.0.0.1
### Public known vulnerablity in SquirrelMail versions 1.4.0 - 1.4.7
### Patched for versions => 1.4.8
### Tested on CentOS and FreeBSD successfully
### will be apache on target; use approprate tool( if available) to elevate

Sendmail...

# EARLYSHOVEL
## publicly known vulnerability
## remote exploit available for linux RH7 running sendmail
## targets:
### "ASPRH73": ASP Linux 7.3 or RedHat 7.3 running Sendmail 8.11.6
### "RH70": RedHat 7.0 running Sendmail 8.11.0
### "RH71": RedHat 7.1 running Sendmail 8.11.2
### "RH73": RedHat 7.3 running Sendmail 8.11.6
### requires valid user name ( 7.1 and 7.3)
### may also require valid domain for (7.3)

History Channel: X11 now!

ENGLANDBOGY
## local exploit against Xorg for the following versions:
## Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9
## Includes the following distributions:
## MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0,
## RedHat Fedora Core5, MandrakeSoft Linux 2006.0
## Fails-on - Xorg X11R7 1.0.2 and greater and less than Xorg X11R6 6.9.
### Requirements - Target needs to have the Xorg binary as SETUID root.

Oracle on HP-UX (INCISION is mentioned):

# DITTLELIGHT (HIDELIGHT)
### To run the unix oracle db scripts, you must do them outside of an INCISION process
### therefore, you can use DITTLELIGHT (HIDELITE) to unhide your nopen window
### You must run HIDELIGHT on a process with a parent PID of "1" so
### do a callback to your redirector and run hidelite on the callback window

Public Service Announcement: the chances of you becoming rich & famous with the vulnerabilities in the Shadow Brokers dump are close to zero.

Come for the vulns, stay for the fascinating historical perspective and the chance to have an insight into TAO.

Believe me, I had nowhere near the organisation & planning that are in this dump in 1986-1996, not even close and I got my first root in 1985.

Goodness, the drama on the birdsite over The Shadow Brokers is unbelievable. This is closer to screaming teenagers because Justin Bieber farted than proper analysis.

Of course, there might be something of interest like a long-missed local kernel exploit but most of the stuff isn't even used any more!

I have decided to name it like a History Channel episode to try and clarify the matter: "Mummies of TAO".

Some further recommended reading for *analysis* of the targeting:

bin/tn.spayed
bin/tn.spayed.oldkey
bin/pyside/targets.py

The first two are all INTONATION and it is quite an eclectic mix: gov't, universities, some "hot" stuff in 1990s like ITRC (Iran Telecommunications Research Centre) but overall I'm still calling it a telco attack staging system.

Looking through the code and, in particular, at the targets, I am surprised that there appears to be nothing for either VMS or NSK (Tandem), both of which used to run the vast majority of telcos in the 90s.

I assume the targets, being mainly "non-aligned countries" (to use an old name), might have used cheaper technology but I am pretty confident some of those (e.g. Taiwan) would have used the "Western standard tech".

To give you an idea there were telcos even in poorer European countries which, thanks to monopoly status giving them a license to print money, ran their billing (and therefore call records, CDRs) on VMS or Tandem.

I was personally acquainted with the Sprint Tandem setup, the Telecom Italia one and CyTA's VMS. I am therefore rather puzzled as to why other "non-aligned countries" did not use them or were not targeted via these systems.
