Back to Home

The Shadow Brokers released new NSA exploits

Kaspersky Anti-Virus · CIA · exploits · vulnerabilities · leak · GReAT · Equation Group · The Shadow Brokers

The Shadow Brokers released new NSA exploits


    EASYSTREET (rpc.cmsd): remote root for Solaris, one of the published exploits

    In August 2016, the group of hackers The Shadow Brokers posted the first portion of the exploits that belong to the Equation Group, a well-known hacker group that most likely had a hand in creating famous types of cyber weapons including Stuxnet, Flame, Duqu, Regin, EquationLaser and others. By all indications , this highly qualified group is associated with the NSA (their activities are studied in detail by hackers from the GReAT unit at Kaspersky Lab).

    The second part of the set of exploits stolen from Equation Group was put up for auction by hackers. But over the past time, they were so unable to collect a significant amount of money on their Bitcoin wallet. Therefore nowmade a decision to publish all other ex-posts in the public domain (links under the cut).

    In a published statement, members of The Shadow Brokers expressed extreme dissatisfaction with the policies of Donald Trump, for whom they voted and supported. According to hackers, he does not live up to the expectations of his electorate. The Shadow Brokers group gave an answer to those who connect their activities with Russia. They said that this is not so. But at the same time, they believe that the Americans have more in common with the Russians than with the Chinese, globalists and socialists. Therefore, the principle here is that the enemy of your enemy is your friend.

    In their statement, hackers also published a password for the encrypted file eqgrp-auction-file.tar.xz.gpg, which was auctioned in August 2016. This is the password CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN.

    Security specialist x0rz believes that an exploit for hacking a certain target in the .gov.ru domain (stoicsurgeon_ctrl__v__1.5.13.5_x86-freebsd-5.3-sassyninja-mail.aprf.gov.ru may be of some interest , although we could not find it among files, and the link to it in the repository also does not work ) and the list of default passwords from /Linux/etc/.oprc.

    Of course, this is not all the interesting things that can be found in the archive, which is now open to everyone. It provides tools for remote code execution for Solaris, NetScape Server, FTP servers (RHEL 7.3 + / Linux, CVE-2011-4130 and, probably, CVE-2001-0550). Other exploits include:

    • ESMARKCONANT for phpBB (<2.0.11),
    • EL gainEW for SquirrelMail 1.4.0-1.4.7,
    • ELITEHAMMER for RedFlag Webmail 4,
    • ENVISIONCOLLISION for phpBB,
    • EPICHERO for Avaya Media Server,
    • EARLYSHOVEL for RHL7 using sendmail,
    • ECHOWRECKER / sambal for samba 2.2 and 3.0.2a-3.0.12-5 (with DWARF characters), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 and Linux. Probably using vulnerability CVE-2003-0201. There is a version for Solaris.
    • ELECTRICSLIDE (heap overflow) in Squid, probably for Chinese purposes,
    • EMBERSNOUT for httpd-2.0.40-21 on Red Hat 9.0,
    • ENGAGENAUGHTY / apache-ssl-linux for Apache2 mod-ssl (2008), SSLv2,
    • ENTERSEED for Postfix 2.0.8-2.1.5,
    • ERRGENTLE / xp-exim-3-remote-linux , root for Exim, probably using CVE-2001-0690, Exim 3.22-3.35,
    • EXPOSITTRAG for pcnfsd 2.x,
    • KWIKEMART (km binary) for SSH1 padding crc32, (https://packetstormsecurity.com/files/24347/ssh1.crc32.txt.html),
    • slugger : remote code execution in various printers, probably using vulnerability CVE-1999-0078,
    • statdx for Redhat Linux 6.0 / 6.1 / 6.2 rpc.statd,
    • telex : exploit for Telnetd, probably in RHEL, possibly through vulnerability CVE-1999-0192,
    • toffeehammer for cgiecho module in cgimail, exploit for fprintf,
    • VS-VIOLET for Solaris 2.6 - 2.9, something related to XDMCP,
    • SKIMCOUNTRY for copying mobile phone logs,
    • EMPTYBOWL RCE for MailCenter Gateway (mcgate) - an application that comes bundled with the Asia Info Message Center mail server.

    Plus backdoors and shells for HP-UX, Linux, SunOS, FreeBSD, JunOS, implants for AIX 5.1-5.2, privilege escalation tools, including evolvingstrategy, probably for Kaspersky Anti-Virus (/ sbin / keepup2date).



    Experts still continue to study exploits, but it seems that many of them are designed for legacy systems. Edward Snowden suggested that the volume of published data is already sufficient for the NSA to determine the source of the leak.

    Links to the archive with encrypted files (published on August 13, 2016):
    magnet:? Xt = urn: btih: 40a5f1514514fb67943f137f7fde0a7b5e991f76 & tr = http: //diftracker.i2p/announce.php
    https://mega.nz/#!zEAU11QL D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU
    https://app.box.com/s/amgkpu1d9ttijyeyw2m4lso3egb4sola
    https://www.dropbox.com/s/g8kvfl4xtj2vr24/EQGRP-Auction-Files.zip
    https://ln.sync.com/dl/5bd1916d0#eet5ufvg-tjijei4j-vtadjk6b-imyg2qkd
    https://yadi.sk/ d / QY6smCgTtoNz6

    Password for decryption eqgrp-free-file.tar.xz.gpg (published August 13, 2016):
    theequationgroup

    Password for decryption eqgrp-auction-file.tar.xz.gpg (published April 8, 2017):
    CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN

    To decrypt the archive on Windows, you will need the gpg2 tool from the Gpg4win package .

    Mirror (with decrypted files)
    dfiles.ru/files/8ojjgfdze

    Contents of the eqgrp-auction-file.tar.xz.gpg archive on Github (published April 8, 2017):
    github.com/x0rz/EQGRP
    (The owner of the x0rz repository says that some binaries may be missing because the antivirus removed them)

    Read Next