Equation Group Cyber Weapons (Shadow Brokers)
#1
Equation Group Cyber Weapons (Shadow Brokers)

Just sharing an old but still interesting leak of NSA tools/malware/exploits used by the (in)famous equationgroup. See github repo below.

About "The Shadow Brokers"
Wikipedia Wrote:The Shadow Brokers is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.

First leak: "Equation Group Cyber Weapons Auction - Invitation"
Wikipedia Wrote:GitHub repository containing references and instructions for obtaining and decrypting the content of a file supposedly containing tools and exploits used by the Equation Group.

EQGRP: https://github.com/x0rz/EQGRP

Contents:
Code [No Highlight]:

Content
Unknown

    JACKLADDER
    DAMPCROWD
    ELDESTMYDLE
    SUAVEEYEFUL
    WATCHER
    YELLOWSPIRIT

Misc

    DITTLELIGHT (HIDELIGHT) unhide NOPEN window to run unix oracle db scripts
    DUL shellcode packer
    egg_timer execution delayer (equivalent to at)
    ewok snmpwalk-like?
    gr Web crontab manager? wtf. NSA are webscale dude
    jackladderhelper simple port binder
    magicjack DES implementation in Perl
    PORKSERVER inetd-based server for the PORK implant
    ri equivalent to rpcinfo
    uX_local Micro X server, likely for remote management
    ITIME Change Date/Time of a last change on a file of an unix filesystem

Remote Code Execution
Solaris

    CATFLAP Solaris 7/8/9 (SPARC and Intel) RCE (for a LOT of versions)
    EASYSTREET/CMSEX and cmsd Solaris rpc.cmsd remote root
    EBBISLAND/ELVISCICADA/snmpXdmid and frown: CVE-2001-0236, Solaris 2.6-2.9 - snmpXdmid Buffer Overflow
    sneer: mibissa (Sun snmpd) RCE, with DWARF symbols :D
    dtspcdx_sparc dtspcd RCE for SunOS 5. -5.8. what a useless exploit
    TOOLTALK DEC, IRIX, or Sol2.6 or earlier Tooltalk buffer overflow RCE
    VIOLENTSPIRIT RCE for ttsession daemon in CDE on Solaris 2.6-2.9 on SPARC and x86
    EBBISLAND RCE Solaris 2.6 -> 2.10 Inject shellcode in vulnerable rpc service

Netscape Server

    xp_ns-httpd NetScape Server RCE
    nsent RCE for NetScape Enterprise server 4.1 for Solaris
    eggbasket another NetScape Enterprise RCE, this time version 3.5, likely SPARC only

FTP servers

    EE proftpd 1.2.8 RCE, for RHL 7.3+/Linux, CVE-2011-4130? another reason not to use proftpd
    wuftpd likely CVE-2001-0550

Web

    ESMARKCONANT exploits phpBB remote command execution (<2.0.11) CVE-2004-1315
    ELIDESKEW Public known vulnerablity in SquirrelMail versions 1.4.0 - 1.4.7
    ELITEHAMMER Runs against RedFlag Webmail 4, yields user nobody
    ENVISIONCOLLISION RCE for phpBB (derivative)
    EPICHERO RCE for Avaya Media Server
    COTTONAXE RCE to retrieve log and information on LiteSpeed Web Server

Misc

    calserver spooler RPC based RCE
    EARLYSHOVEL RCE RHL7 using sendmail CVE-2003-0681 CVE-2003-0694
    ECHOWRECKER/sambal: samba 2.2 and 3.0.2a - 3.0.12-5 RCE (with DWARF symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 (with a non-executable stack, zomg), and Linux. Likely CVE-2003-0201. There is also a Solaris version
    ELECTRICSLIDE RCE (heap-overflow) in Squid, with a chinese-looking vector
    EMBERSNOUT a remote exploit against Red Hat 9.0's httpd-2.0.40-21
    ENGAGENAUGHTY/apache-ssl-linux Apache2 mod-ssl RCE (2008), SSLv2
    ENTERSEED Postfix RCE, for 2.0.8 - 2.1.5
    ERRGENTLE/xp-exim-3-remote-linux Exim remote root, likely CVE-2001-0690, Exim 3.22 - 3.35
    EXPOSITTRAG exploit pcnfsd version 2.x
    extinctspinash: Chili!Soft ASP stuff RCE? and Cobalt RaQ too?
    KWIKEMART (km binary) RCE for SSH1 padding crc32 thingy (https://packetstormsecurity.com/files/24...2.txt.html)
    prout (ab)use of pcnfs RPC program (version 2 only) (1999)
    slugger: various printers RCE, looks like CVE-1999-0078
    statdx Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)
    telex Telnetd RCE for RHL? CVE-1999-0192?
    toffeehammer RCE for cgiecho part of cgimail, exploits fprintf
    VS-VIOLET Solaris 2.6 - 2.9, something related to XDMCP
    SKIMCOUNTRY Steal mobile phone log data
    SLYHERETIC_CHECKS Check if a target is ready for SLYHERETIC (not included)
    EMPTYBOWL RCE for MailCenter Gateway (mcgate) - an application that comes with Asia Info Message Center mailserver; buffer overflow allows a string passed to popen() call to be controlled by an attacker; arbitraty cmd execute known to work only for AIMC Version 2.9.5.1
    CURSEHAPPY Parser of CDR (Call Detail Records) (siemens, alcatel, other containing isb hki lhr files) probably upgrade of ORLEANSTRIDE
    ORLEANSTRIDE Parser of CDR (Call Detail Records)

Anti-forensic

    toast: wtmps editor/manipulator/querier
    pcleans: pacctl manipulator/cleaner
    DIZZYTACHOMETER: Alters RPM database when system file is changed so that RPM (>4.1) verify doesn't complain
    DUBMOAT Manipulate utmp
    scrubhands post-op cleanup tool?
    Auditcleaner cleans up audit.log

Control
Iting HP-UX, Linux, SunOS

    FUNNELOUT: database-based web-backdoor for vbulletin
    hi UNIX bind shell
    jackpop bind shell for SPARC
    NOPEN Backdoor? A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6 source** SunOS5.8
    SAMPLEMAN / ROUTER TOUCH Clearly hits Cisco via some sort of redirection via a tool on port 2323... (thanks to @cynicalsecurity)
    SECONDDATE Implant for Linux/FreeBSD/Solaris/JunOS
    SHENTYSDELIGHT Linux keylogger
    SIDETRACK implant used for PITCHIMPAIR
    SIFT Implant for Solaris/Linux/FreeBSD
    SLYHERETIC SLYHERETIC is a light-weight implant for AIX 5.1:-5.2 Uses Hide-in-Plain-Sight techniques to provide stealth.
    STRIFEWORLD: Network-monitoring for UNIX, needs to be launched as root. Strifeworld is a program that captures data transmitted as part of TCP connections and stores the data in a memory for analysis. Strifeworld reconstructs the actual data streams and stores each session in a file for later analysis.
    SUCTIONCHAR: 32 or 64 bit OS, solaris sparc 8,9, Kernel level implant - transparent, sustained, or realtime interception of processes input/output vnode traffic, able to intercept ssh, telnet, rlogin, rsh, password, login, csh, su, …
    STOICSURGEON Rootkit/Backdoor Linux MultiArchi
    INCISION Rootkit/Backdoor Linux Can be upgrade to StoicSurgeon(more recent version)

CnC

    Seconddate_CnC: CnC for SECONDDATE
    ELECTRICSIDE likely a big-fat-ass CnC
    NOCLIENT Seems to be the CnC for NOPEN*
    DEWDROP

Privesc
Linux

    h: linux kernel privesc, old-day compiled hatorihanzo.c, do-brk() in 2.4.22 CVE-2003-0961
    gsh: setreuid(0,0);execl("bash","/bin/bash")
    PTRACE/FORKPTY/km3: linux kernel lpe, kmod+ptrace, CVE-2003-0127, (https://mjt.nysv.org/scratch/ptrace_exploit/km3.c)
    EXACTCHANGE: NULL-deref based local-root, based on various sockets protocols, compiled in 2004, made public in 2005
    ghost:statmon/tooltalk privesc?
    elgingamble:
    ESTOPFORBADE local root gds_inet_server for, Cobalt Linux release 6.0, to be used with complexpuzzle
    ENVOYTOMATO LPE through bluetooth stack(?)
    ESTOPMOONLIT Linux LPE
    EPOXYRESIN Linux LPE

AIX

    EXCEEDSALON-AIX privesc

Others

    procsuid: setuid perl (yes, it's a real thing) privesc through unsanitized environnement variables. wtf dude
    elatedmonkey: cpanel privesc (0day) using /usr/local/cpanel/3rdparty/mailman/. Creates mailman mailing list: mailman config_list
    estesfox: logwatch privesc, old-day
    evolvingstrategy: privesc, likely for Kaspersky Anti-virus (/sbin/keepup2date is kaspersky's stuff) (what is ey_vrupdate?)
    eh OpenWebMail privesc
    escrowupgrade cachefsd for solaris 2.6 2.7 sparc
    ENGLANDBOGY local exploit against Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9, Includes the following distributions: MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0, RedHat Fedora Core5, MandrakeSoft Linux 2006.0. requires a setuid Xorg
    endlessdonut: Apache fastcgi privesc

Interesting stuff

    default passwords list (courtesy of x0rz)

    .gov.ru (stoicsurgeon_ctrl__v__1.5.13.5_x86-freebsd-5.3-sassyninja-mail.aprf.gov.ru) (wow!)
Reply
#2
Thanks for the share... Didn't they close down recently?
Reply
#3
(07-21-2020, 08:30 AM)rektard Wrote: Thanks for the share... Didn't they close down recently?

The equation group? Yeah probably... that leak didn't exactly do them any good.
But I'm sure NSAs TAO unit is still at their toes with other business.
Reply