Shadow
EASYSTREET (rpc.cmsd): remote Ruth for Solaris, one of the published exploits
In August 2016 The group of hackers The Shadow Brokers laid out the first batch of exploits that belong to the Equation Group, a well-known hacker group that was most likely to have made a hand in creating known cyber weapons, including Stuxnet, Flame, Duqu, Regin, EquationLaser, etc. By all accounts, This highly qualified group is associated with the NSA (their activities are studied in detail by hackers from the )
The second part of the set of exploits stolen from the Equation Group was hacked by the hackers for auction. But over the past time they have not been able to collect a significant amount of money for their bitcoin-wallet. Therefore, they have now decided to publish all the other ex-petitions in open access (links under the cut).
In a published statement, members of the band The Shadow Brokers expressed extreme dissatisfaction with the policy of Donald Trump, for whom they voted and supported. According to hackers, he does not justify the expectations of his electorate. The Shadow Brokers group answered those who connect their activities with Russia. They said it was not so. But they believe that Americans have more in common with Russians than with Chinese, globalists and socialists. Therefore, the principle is here that the enemy of your enemy is your friend.
In their statement, hackers also published a password for the encrypted file eqgrp-auction-file.tar.xz.gpg which was Put up for auction in August 2016. This code CrDj ". (; Va.*NdlnzB9M?@K2) #> deB7mN
Safety Specialist x0rz believes that some interest can be exploit to break into a purpose in the domain .gov.ru (stoicsurgeon_ctrl__v__1.5.13.5_x86-freebsd-5.3-sassyninja-mail.aprf.gov.ru, although we could not find it among the files, and the link to it in the repository does not work either), and the list Passwords by default from /Linux/etc/.oprc.
Of course, this is not all that is interesting in the archive, which is now open to everyone.There are tools for remote code execution for Solaris, NetScape Se Rver, FTP servers (RHEL 7.3 + / Linux, CVE-2011-4130 and probably CVE-2001-0550) .Other exploits can be cited as:
- ESMARKCONANT For phpBB (<2.0.11),
- ELIDESKEW for SquirrelMail 1.4.0-1.4.7,
- ELITEHAMMER for RedFlag Webmail 4,
- ENVISIONCOLLISION for phpBB,
- EPICHERO for Avaya Media Server,
- EARLYSHOVEL for RHL7 using sendmail,
- ECHOWRECKER / sambal for samba 2.2 and 3.0.2a-3.0.12-5 (with DWARF symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 and Linux. Probably using the vulnerability CVE-2003-0201. There is a version for Solaris.
- ELECTRICSLIDE (heap overflow) in Squid, probably for Chinese purposes,
- EMBERSNOUT for httpd-2.0.40-21 in Red Hat 9.0,
- ENGAGENAUGHTY / apache-ssl-linux for Apache2 mod-ssl (2008), SSLv2,
- ENTERSEED for Postfix 2.0.8-2.1.5,
- ERRGENTLE / xp-exim-3-remote-linux root for Exim, probably using CVE-2001-0690, Exim 3.22-3.35,
- EXPOSITTRAG for pcnfsd 2.x,
- KWIKEMART (km binary) for SSH1 padding crc32, (https://packetstormsecurity.com/files/24347/ssh1.crc32.txt.html ),
- slugger : remote execution of code in various printers, probably using the vulnerability CVE-1999-0078,
- statdx for Redhat Linux 6.0 / 6.1 / 6.2 rpc.statd,
- telex : The exploit for Telnetd, probably in RHEL, possibly through the vulnerability CVE-1999-0192,
- toffeehammer for the cgiecho module in cgimail, the exploit for fprintf,
- VS-VIOLET for Solaris 2.6 – 2.9, something related to XDMCP,
- SKIMCOUNTRY for copying of logs of a mobile phone,
- EMPTYBOWL RCE for MailCenter Gateway (mcgate) – the application that comes with the Asia Info Message Center mail server.
Plus backdoors and shells for HP-UX, Linux, SunOS, FreeBSD, JunOS, an implant for AIX 5.1-5.2, privilege tools, including evolvingstrategy, probably for Kaspersky Anti-Virus (/sbin/keepup2date).
The specialists are still studying the exhibits, but it seems that many of them are intended for outdated systems. Edward Snowden expressed the opinion that the amount of published data is sufficient for the NSA to determine the source of the leak.
References to the archive with encrypted files (published on August 13, 2016):
magnet:? xt = urn: btih: 40a5f1514514fb67943f137f7fde0a7b5e991f76 & tr = http: //diftracker.i2p/announce.php
https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU
https://app.box .com / s / amgkpu1d9ttijyeyw2m4lso3egb4sola
https://www.dropbox.com/s/g8kvfl4xtj2vr24/EQGRP-Auction-Files.zip
https://ln.sync.com/dl/5bd1916d0#eet5ufvg-tjijei4j -vtadjk6b-imyg2qkd
https://yadi.sk/d/QY6smCgTtoNz6
to decrypt password eqgrp-free-file.tar.xz.gpg (published August 13, 2016):
theequationgroup
The password to decrypt eqgrp-auction-file.tar.xz.gpg (Published on April 8, 2017):
CrDj "(; Va.*NdlnzB9M?@K2) #> deB7mN
To decrypt the archive on Windows, The tool gpg2 from the package Gpg4win is required.
Mirror (with decrypted files)
dfiles.ru/files/8ojjgfdze
Contents of the archive eqgrp -auction-file.tar.xz.gpg on Github (published April 8, 2017):
github.com/x0rz/EQGRP
(The owner of the repository x0rz says that some Binaries may be absent, because they were deleted by the antivirus)
