A-a-a, aliens!!

Posted: 2017-04-22 in IT, Security

The aliens from the NSA's Equation Group didn't keep a close enough eye on their toolkit, the Shadow Brokers got hold of it and dumped it, and the weaponized worm-ware has spread a bit across the internets.

Convenient to grab from GitHub: one and two. The database account dumps and the Cisco firewall configs from the SWIFT service-bureau infrastructure are especially entertaining.

Hackers of every stripe have kicked off a merry cross-network bacchanalia over this. Fans of old systems are in particular danger: Windows Server 2003, Solaris, old FreeBSD, old mail servers. If you run any of these in the following versions:

Exploits

EARLYSHOVEL RedHat 7.0 — 7.1 Sendmail 8.11.x exploit
EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86.
ECHOWRECKER remote Samba 3.0.x Linux exploit.
EASYBEE appears to be an MDaemon email server vulnerability
EASYFUN EasyFun 2.2.0 Exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6
EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet
EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2
EXPLODINGCAN is an IIS 6.0 WebDAV exploit (CVE-2017-7269) that creates a remote backdoor
ETERNALROMANCE is a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)
EDUCATEDSCHOLAR is a SMB exploit (MS09-050)
EMERALDTHREAD is a Print Spooler exploit delivered over SMB, for Windows XP and Server 2003 (MS10-061)
EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2
ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client’s side to send an email to other users
EPICHERO 0-day exploit (RCE) for Avaya Call Server
ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003
ETERNALSYNERGY is a remote code execution exploit for Windows 8 and Server 2012 SP0 (MS17-010; the bug is in the SMBv1 code path, although the leak notes call it SMBv3)
ETERNALBLUE is an SMBv1 exploit (srv.sys transaction buffer overflow) for Windows 7 SP1 and Server 2008 R2 (MS17-010)
ETERNALCHAMPION is an SMBv1 exploit (MS17-010)
ESKIMOROLL is a Kerberos exploit (MS14-068) targeting 2000, 2003, 2008 and 2008 R2 domain controllers
ESTEEMAUDIT is an RDP exploit and backdoor for Windows XP and Server 2003 (smart-card authentication path)
ECLIPSEDWING is an RCE exploit for the Server service in Windows 2000 through Server 2008 (MS08-067, the Conficker bug)
ETRE is an exploit for IMail 8.10 to 8.22
ETCETERABLUE is an exploit for IMail 7.04 to 8.05
FUZZBUNCH is an exploit framework, similar to MetaSploit
ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later; at the time of the leak it was not detected by any AV vendor
EXPIREDPAYCHECK IIS6 exploit
EAGERLEVER NBT/SMB exploit for Windows NT4.0, 2000, XP SP1 & SP2, 2003 SP1 & Base Release
ESSAYKEYNOTE
EVADEFRED

Utilities

PASSFREELY utility which «Bypasses authentication for Oracle servers»
SMBTOUCH checks whether the target is vulnerable to the SMB exploits ETERNALBLUE, ETERNALROMANCE, ETERNALSYNERGY and ETERNALCHAMPION (Windows SMB, not Samba)
ERRATICGOPHERTOUCH checks whether the target is running the RPC service ERRATICGOPHER needs
IISTOUCH checks whether the running IIS version is vulnerable
RPCTOUCH gets info about a Windows host via RPC
DOPU is used to connect to machines exploited by ETERNALCHAMPION

Remote Code Execution
Solaris

CATFLAP Solaris 7/8/9 (SPARC and Intel) RCE (for a LOT of versions)
EASYSTREET/CMSEX and cmsd Solaris rpc.cmsd remote root
EBBISLAND/ELVISCICADA/snmpXdmid and frown: CVE-2001-0236, Solaris 2.6-2.9 — snmpXdmid Buffer Overflow
sneer: mibissa (Sun snmpd) RCE, with DWARF symbols 😀
dtspcdx_sparc dtspcd RCE for SunOS 5.x up to 5.8. what a useless exploit
TOOLTALK DEC, IRIX, or Sol2.6 or earlier Tooltalk buffer overflow RCE
VIOLENTSPIRIT RCE for ttsession daemon in CDE on Solaris 2.6-2.9 on SPARC and x86
EBBISLAND RCE Solaris 2.6 -> 2.10 Inject shellcode in vulnerable rpc service

Netscape Server

xp_ns-httpd NetScape Server RCE
nsent RCE for NetScape Enterprise server 4.1 for Solaris
eggbasket another NetScape Enterprise RCE, this time version 3.5, likely SPARC only

FTP servers

EE proftpd 1.2.8 RCE, for RHL 7.3+/Linux, CVE-2011-4130? another reason not to use proftpd
wuftpd likely CVE-2001-0550

Web

ESMARKCONANT exploits phpBB remote command execution (<2.0.11) CVE-2004-1315
ELIDESKEW publicly known vulnerability in SquirrelMail versions 1.4.0 — 1.4.7
ELITEHAMMER Runs against RedFlag Webmail 4, yields user nobody
ENVISIONCOLLISION RCE for phpBB (derivative)
EPICHERO RCE for Avaya Media Server
COTTONAXE RCE to retrieve log and information on LiteSpeed Web Server

Misc

calserver spooler RPC based RCE
EARLYSHOVEL RCE RHL7 using sendmail CVE-2003-0681 CVE-2003-0694
ECHOWRECKER/sambal: samba 2.2 and 3.0.2a — 3.0.12-5 RCE (with DWARF symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 (with a non-executable stack, zomg), and Linux. Likely CVE-2003-0201. There is also a Solaris version
ELECTRICSLIDE RCE (heap-overflow) in Squid, with a chinese-looking vector
EMBERSNOUT a remote exploit against Red Hat 9.0’s httpd-2.0.40-21
ENGAGENAUGHTY/apache-ssl-linux Apache2 mod-ssl RCE (2008), SSLv2
ENTERSEED Postfix RCE, for 2.0.8 — 2.1.5
ERRGENTLE/xp-exim-3-remote-linux Exim remote root, likely CVE-2001-0690, Exim 3.22 — 3.35
EXPOSITTRAG exploit pcnfsd version 2.x
extinctspinash: Chili!Soft ASP stuff RCE? and Cobalt RaQ too?
KWIKEMART (km binary) RCE for SSH1 padding crc32 thingy (https://packetstormsecurity.com/files/24347/ssh1.crc32.txt.html)
prout (ab)use of pcnfs RPC program (version 2 only) (1999)
slugger: various printers RCE, looks like CVE-1999-0078
statdx Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)
telex Telnetd RCE for RHL? CVE-1999-0192?
toffeehammer RCE for cgiecho part of cgimail, exploits fprintf
VS-VIOLET Solaris 2.6 — 2.9, something related to XDMCP
SKIMCOUNTRY Steal mobile phone log data
SLYHERETIC_CHECKS Check if a target is ready for SLYHERETIC (not included)
EMPTYBOWL RCE for MailCenter Gateway (mcgate), an application that ships with the Asia Info Message Center mail server; a buffer overflow lets an attacker control a string passed to a popen() call; arbitrary command execution known to work only for AIMC version 2.9.5.1
CURSEHAPPY Parser of CDR (Call Detail Records) (siemens, alcatel, other containing isb hki lhr files) probably upgrade of ORLEANSTRIDE
ORLEANSTRIDE Parser of CDR (Call Detail Records)

— then run, don't walk, to patch or migrate to current versions.
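A practical follow-up to the SMBTOUCH entry and the MS17-010 ETERNAL* exploits above: an added example, my own code and not part of the leaked toolkit or of the original post, of a minimal SMBv1 NEGOTIATE probe in Python. It sends one SMB1 negotiate request and reports whether the server still accepts an SMBv1 dialect, which is the precondition every ETERNAL* exploit needs. The wire layout follows MS-CIFS; the reply produced by build_sample_response is constructed test data, not a capture from a real host. A positive result means SMBv1 is reachable, not that MS17-010 is unpatched: for that, use nmap's smb-vuln-ms17-010 script or Metasploit's auxiliary/scanner/smb/smb_ms17_010 module, which perform the Trans2/PeekNamedPipe status check.

```python
"""Minimal SMBv1 NEGOTIATE probe (added example, not from the leak or the post).

Reports whether a host still accepts an SMBv1 dialect over TCP/445.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Dialects offered, in the order a classic NT client announces them.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def _smb1_header(flags):
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2,
    # PIDHigh, 8 bytes SecurityFeatures, reserved, TID, PIDLow, UID, MID
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, flags, 0xC853, 0,
        b"\x00" * 8, 0, 0, 0, 0, 0)


def build_negotiate_request(dialects=DIALECTS):
    """Return a NetBIOS-framed SMB1 NEGOTIATE request offering `dialects`."""
    dialect_block = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    # WordCount 0, then ByteCount and the dialect strings
    body = struct.pack("<BH", 0, len(dialect_block)) + dialect_block
    smb = _smb1_header(0x18) + body
    # NetBIOS session header: type 0x00 + 3-byte big-endian length
    return struct.pack(">I", len(smb)) + smb


def build_sample_response(dialect_index, word_count=17):
    """Constructed SMB1 NEGOTIATE reply (test data, trimmed to what we parse)."""
    params = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    smb = _smb1_header(0x88) + struct.pack("<B", word_count) + params + b"\x00\x00"
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(data, dialects=DIALECTS):
    """Classify the server's reply: does it speak SMBv1, and which dialect?"""
    if len(data) < 4:
        raise ValueError("short NetBIOS header")
    nb_len = struct.unpack(">I", data[:4])[0] & 0x00FFFFFF
    smb = data[4:4 + nb_len]
    if smb[:4] == SMB2_MAGIC:
        # Server answered in SMB2/3: SMBv1 was not selected.
        return {"smb1": False, "dialect": None, "status": None}
    if smb[:4] != SMB1_MAGIC or len(smb) < 33:
        raise ValueError("not an SMB1 negotiate response")
    command, status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("unexpected SMB command 0x%02x" % command)
    if status != 0:
        return {"smb1": False, "dialect": None, "status": status}
    word_count = smb[32]
    if word_count == 0:
        return {"smb1": False, "dialect": None, "status": 0}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    # 0xFFFF means "none of your dialects are acceptable"
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return {"smb1": False, "dialect": None, "status": 0}
    return {"smb1": True, "dialect": dialects[dialect_index].decode(), "status": 0}


def probe(host, port=445, timeout=3.0):
    """Network I/O: send the NEGOTIATE and interpret whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            # Hosts with SMBv1 disabled usually reset or stay silent.
            return {"smb1": False, "dialect": None, "status": None}
    if not data:
        return {"smb1": False, "dialect": None, "status": None}
    return parse_negotiate_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        # Offline demo against the constructed reply
        print(parse_negotiate_response(build_sample_response(2)))
```

Run it as `python smb1_probe.py 10.0.0.5` against a host you are authorized to test; a result with "smb1": True and "dialect": "NT LM 0.12" is exactly the state the ETERNAL* tools expect to find on an unpatched 2003/XP/7 box.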

What's funny: a copy someone uploaded to Yandex Disk got banned. The idiots think that with dumb crap-censorship they can stop a wave of mass hacks using leaked hack tools. Morons, f*ck, lovers of pushing toothpaste back into the tube.

And there is every reason to worry:
http://www.computerra.ru/116269/eg/
https://ru.insider.pro/technologies/2015-02-18/equation-group-khakery-kotorye-vzlomali-vse/

Stick around, it's going to be fun.

Comments
  1. Well, hour X has arrived, courtesy of the ETERNALBLUE exploit: https://geektimes.ru/post/289115/

  2. Amin:

    Cwerj, how right I was about the crap-censorship: not even a month passed, and Wana Decryptor gave a good f*cking to big fish like RZhD, the MVD, Megafuflon, Deutsche Bahn and a shitload of other firms, large and small.

    The bacchanalia is off and running: https://aminux.wordpress.com/2017/05/14/wana-decrypt0r/