Thread: New Linux kernel exploit from ac1db1tch3z?

  1. #1 problemchild (Senior Member, joined Jul 2002)

    New Linux kernel exploit from ac1db1tch3z?

    I found this interesting little tidbit over at linuxsecurity.com:

    From: daniel.roberts@hushmail.com
    To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com, incidents@securityfocus.com, cert@cert.org, submissions@packetstormsecurity.org, contribute@linuxsecurity.com
    Subject: Linux Kernel Exploits / ABFrag

    Greetings. Today I had a rather strange experience. At about 4:30 pm GMT my IDS began reporting strange TCP behaviour on my network segment. As I was unable to verify the cause of this behaviour I was forced to remove the Linux box that I use as a border gateway and traffic monitor - at no small cost to my organization - and the network is yet to be reconnected. After a reboot and preliminary analysis I found the binary ABfrag sitting in /tmp. It had only been created minutes before. Setting up a small sandbox, I ran the program and was presented with the following output:


    ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit

    Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.

    Unlicensed usage and/or distribution of this program carries heavy fines
    and penalties under American, British, European and International copyright
    Should you find this program on any compromised system we urge you to delete
    this binary rather than attempt distribution or analysis. Such actions would
    be both unlawful and unwise.

    invalid key

    I remembered, vaguely - I sift through a lot of security mail each day - some talk of a rumoured Linux kernel exploit circulating among members of the hacker underground. On the advice of some friends in law enforcement I joined the EFnet channels #phrack and #darknet and tried to solicit some information regarding this alleged exploit. Most people publicly attacked me for my naivety, but two individuals contacted me via private message and informed me that the "ac1db1tch3z" were bad news, apparently a group of older (mid-20s) security gurus, and that I should delete the exploit and forget I ever knew it existed. However, something twigged my sense of adventure and prompted me to try and get this out to the community.
    Any help or information regarding this will be of great help.

    I have attached the binary, although it appears to be encrypted and passworded. I wish any skilled programmers the best of luck in deciphering it.


    Daniel Roberts
    Head Network Manager
    Here's a link to the binary: http://linuxsecurity.com/resource_fi...tection/ABfrag

    Original article is here.
    Do what you want with the girl, but leave me alone!

  2. #2 x acidreign x (Deceased, joined Jul 2002)
    It appears to employ TEEE (the TESO ELF Encryption Engine), which can be cracked if it is level 1 or 2, I think. I'll give it a shot and let you know here.
    :q :q! :wq :w :w! :wq! :quit :quit! :help help helpquit quit quithelp :quitplease :quitnow :leave :**** ^X^C ^C ^D ^Z ^Q QUITDAMMIT ^[:wq GCS,M);d@;p;c++;l++;u ++ ;e+ ;m++(---) ;s+/+ ;n- ;h* ;f+(--) ;!g ;w+(-) ;t- ;r+(-) ;y+(**)

  4. #4 x acidreign x (Deceased, joined Jul 2002)
    Really? WOW, that is so flattering... but no, look at my registered date: I have been here since before he was banned, and look at my profile; I seriously doubt a previously banned member would be so open. Hehe, by the way, the encryption protocol is called burneye. I found multiple exploits encrypted in a similar way on packetstorm.decepticons.org, so I'm guessing the sender may have gotten it second-hand from someone who got it there. They have MD5s for all their exploits; unfortunately, they also have a buttload of them, so I have to search through them... see you in a few months....

    <edit>This encryption method is more prolific than I thought. The file wasn't on packetstorm to my knowledge, but is all over the place in a Google search. With this kind of popularity, you'd think there'd be an easier method of cracking it. All I found was a little program called burncrack that is supposed to crack levels 1 and 2, but I don't think I know enough about it to run it adequately... I ran the supplied code through it and got the output attached. I hope you can make sense of it. Maybe this will help; it is all the TESO releases pertaining to burneye encryption.

  5. #5 linuxcomando (Senior Member, joined Sep 2001)
    Hehe, almost there:
    burneye signature found @ 0000100C
    burneye stub hash : 66 CC 2F 96 65 3D 4E 36 4D 37 19 20 85 8C AC 91 39 DA FD 88
    encrypted length : 16924
    encrypted start : 0x00005CAF
    encrypted dword : 0xC94A13B9
    checksum : 0x3486818D
    magic XOR block : 41 89 AA F1 1B BA 38 CD 7A 32 8D B0 ED E8 05 9C F4 98 3D 7E
    I toor'd YOU!
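    Added example, not code from this thread, from burncrack or from TESO: burncrack reads "encrypted start" and "encrypted length" out of the burneye stub's own header, which this script does not know or parse. What a responder can do before identifying the packer at all is what the script below does: parse the ELF program headers, measure the Shannon entropy of each PT_LOAD segment, and run a windowed entropy scan over the whole file to localize the high-entropy (encrypted or compressed) payload. The sample binary is constructed inline (a low-entropy fake stub segment followed by a pseudo-random "ciphertext" segment); the 7.0 bits/byte threshold, the 512-byte window and all function names are assumptions, not anything from burneye or burncrack.

```python
import math
import random
import struct

PT_LOAD = 1


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def elf_load_segments(blob: bytes) -> list:
    """Parse the ELF32/ELF64 program header table; return the PT_LOAD entries as dicts."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                            # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(end + "I", blob, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 42)
        fmt = end + "IIIIIIII"
        names = ("p_type", "p_offset", "p_vaddr", "p_paddr",
                 "p_filesz", "p_memsz", "p_flags", "p_align")
    elif ei_class == 2:                          # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(end + "Q", blob, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 54)
        fmt = end + "IIQQQQQQ"
        names = ("p_type", "p_flags", "p_offset", "p_vaddr",
                 "p_paddr", "p_filesz", "p_memsz", "p_align")
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    segments = []
    for i in range(e_phnum):
        fields = dict(zip(names, struct.unpack_from(fmt, blob, e_phoff + i * e_phentsize)))
        if fields["p_type"] == PT_LOAD:
            segments.append(fields)
    return segments


def triage_segments(blob: bytes, threshold: float = 7.0) -> list:
    """Entropy per PT_LOAD segment. threshold is an assumed packer heuristic:
    plain x86 code, tables and strings normally sit well below 7.0 bits/byte."""
    report = []
    for seg in elf_load_segments(blob):
        data = blob[seg["p_offset"]:seg["p_offset"] + seg["p_filesz"]]
        ent = shannon_entropy(data)
        report.append({"offset": seg["p_offset"], "filesz": seg["p_filesz"],
                       "entropy": round(ent, 2), "suspicious": ent >= threshold})
    return report


def find_high_entropy_region(blob: bytes, window: int = 512, threshold: float = 7.0):
    """Windowed scan over the raw file: (start, length) of the longest run of consecutive
    high-entropy windows, or None. Resolution is one window, so the boundaries are only
    approximate unless the payload happens to be window-aligned (as in the sample)."""
    best = None
    run_start = None
    limit = len(blob) - len(blob) % window
    for off in range(0, limit + window, window):   # one extra step closes a trailing run
        hot = off < limit and shannon_entropy(blob[off:off + window]) >= threshold
        if hot and run_start is None:
            run_start = off
        elif not hot and run_start is not None:
            if best is None or off - run_start > best[1]:
                best = (run_start, off - run_start)
            run_start = None
    return best


def build_sample_elf32() -> bytes:
    """Constructed sample, not a real binary: a 32-bit x86 ELF whose first PT_LOAD is a
    low-entropy 'stub' and whose second PT_LOAD is pseudo-random 'ciphertext'."""
    EHDR, PHDR, HDR_AREA, PAGE = 52, 32, 0x100, 0x1000
    stub = bytes(range(0x40, 0x50)) * ((PAGE - HDR_AREA) // 16)   # 16-symbol cycle: 4.0 bits/byte
    rng = random.Random(1)                                          # deterministic 'encrypted' bytes
    payload = bytes(rng.getrandbits(8) for _ in range(PAGE))
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8        # ELFCLASS32, LSB, EV_CURRENT
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, 3, 1,                # ET_EXEC, EM_386, EV_CURRENT
                                 0x08048000 + HDR_AREA,  # e_entry
                                 EHDR, 0, 0,             # e_phoff, e_shoff, e_flags
                                 EHDR, PHDR, 2,          # e_ehsize, e_phentsize, e_phnum
                                 0, 0, 0)                # no section headers
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x08048000, 0x08048000, PAGE, PAGE, 5, PAGE)
    phdr += struct.pack("<IIIIIIII", PT_LOAD, PAGE, 0x08049000, 0x08049000,
                        len(payload), len(payload), 6, PAGE)
    head = (ehdr + phdr).ljust(HDR_AREA, b"\x00")
    return head + stub + payload + b"\x00" * 512        # trailing slack outside any segment


if __name__ == "__main__":
    sample = build_sample_elf32()
    for row in triage_segments(sample):
        flag = "<- likely encrypted/packed" if row["suspicious"] else ""
        print("PT_LOAD @ 0x%08X len %6d entropy %.2f %s" % (row["offset"], row["filesz"], row["entropy"], flag))
    print("high-entropy region (start, length):", find_high_entropy_region(sample))
```

    On a real sample, replace build_sample_elf32() with open(path, "rb").read() and run it on a copy of the file, never on the live box. A tiny plain-code segment followed by one large high-entropy segment is the shape of a wrapped executable; it says "packed or encrypted", not which packer, so identifying burneye specifically still needs a stub signature of the kind burncrack carries.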

  6. #6 Senior Member (joined Jul 2002)
    What exactly is that TEEE (TESO ELF Encryption Engine)? I did a search on Google for it but the results didn't help me. Is it like the old polymorphic engines that Trident and Dark Avenger created years ago?

  7. #7 Junior Member (joined Nov 2002)
    This would give you more info about Binary Encryption, written by scut and grugq

    I got word that this version of the binary was fake, but the exploit is real.
    And also that ac1db1tch3z is semi active.
