Flag: Tornado! Hurricane!

OpenRCE Article Comments: Plausible Deniability

Article Abstract Backdoors in software are a venerable trick used for decades now. Even backdoors sometimes have backdoors (the infamous SubSeven "master password", for example). But if you're going to put a backdoor into your remote access trojan (RAT), you risk your reputation when that backdoor is exposed. After all, some of the people you are supplying with your code are likely to be quite paranoid, and insist on checking things out with a debugger before trusting your code to be what it says it is. This article is about my analysis of a Chinese RAT called WinEggDropShell v1.41

Full Article ...    Printer Friendly ...

Article Comments
MohammadHosein Posted: Thursday, November 17 2005 18:40.56 CST
months ago i found a Master Password in a stupid RAT developed by ChaseNet guys , i was a Forum member and i started a thread with this question , WTF fellas , what is this ? you told this is a Clean RAT and those clean guys told me go fuck yourself and i think it was a very good example for Clean people Plausible Deniability :) ( kidding ) . thanks , Nice Article , informative .

rfreeman Posted: Friday, November 18 2005 00:59.11 CST
Well, I found a couple versions of this RAT. Initially my hope was to locate some version of the source code as that would give the best impression of the type of coder(s) and whatnot. Obviously this was wishful thinking as I know Joe is a thorough researcher. I did obtain a few binaries, so I thought it would be interesting to see if the same flaw existed earlier or if it was introduced more recently. In the process of investigating this earlier version, I noticed some interesting things that led me to decompile the subfunction. Below is a semi-optimized decompilation (hopefully not too rife with errors). It is my opinion that the overflow is not a mistake and additionally, it appears that the version I downloaded allows two passwords. :)

BOOLEAN getlogin( socket mysocket )
unsigned long misc1; //maybe should be div_t (optimized)
char hexstring[32];
unsigned long flag, ctr;
char greeting[256];
char socketbuff_in[128];

flag = false; //whatever so im qualifying it as a pseudo-boolean
sprintf(greeting,"%s\r\n%s","WinEggDrop TEXT","Enter Password:");
memset(greeting,'\0', sizeof(greeting));

ctr = GetTickCount();


memset(socketbuff_in, '\0', sizeof(socketbuff_in));
recv(mysocket, socketbuff_in, sizeof(greeting), 0); //really suspect error

if ( flag )
  if ((strlen( greeting ) + strlen( socketbuff_in )) < 64)
    strcat( greeting , socketbuff_in );
    goto finishprocessing;
if (0 != strlen( socketbuff_in ))
  strcpy( greeting, socketbuff_in ); // AHA! very suspect!
return false;

misc1 = (1000 / ( GetTickCount() - ctr ));

if (misc1 < 12)
if ( *(socketbuff_in + strlen( socketbuff_in ) - 1) == 0x0D )
goto finishprocessing;
if ( *(socketbuff_in + strlen( socketbuff_in ) - 1) != 0x0A )
   goto socketinput;
   goto finishprocessing;
return false;


cleanup( greeting );
convert_hex_to_hexstring( hexstring, greeting );

if ( !my_strcmp( hexstring , PasswordAsHexString ) )
  if ( !my_strcmp( hexstring, 32byteHexString ) ) // oh-oh! two allowed passwords!!!
return false; // not logged in

return true; // logged in

joestewart Posted: Friday, November 18 2005 06:19.40 CST
Excellent work Robert! I'm hoping to see some articles from you posted to OpenRCE in the future.

Veritas Posted: Friday, November 18 2005 08:55.10 CST
"months ago i found a Master Password in a stupid RAT developed by ChaseNet guys , i was a Forum member and i started a thread with this question , WTF fellas , what is this ? you told this is a Clean RAT and those clean guys told me go fuck yourself and i think it was a very good example for Clean people Plausible Deniability :) ( kidding ) . thanks , Nice Article , informative ."

Obviously I missed something. From which RAT are you talking?

Nice article, a good reading.

rfreeman Posted: Saturday, November 19 2005 00:49.59 CST
Thanks Joe, I'll put some thought into potential articles.

Sowhat Posted: Saturday, November 19 2005 04:00.45 CST
Good job!

This is something what i want to talk on 22C3 next month ;)

my presentation is about <<Exploiting Rootkit>>, trying to talk something about the Backdoor of the backdoor, and overflowing the rootkit to gain control.

Expecting for more works on this topic ;)

Sowhat Posted: Saturday, November 19 2005 09:35.59 CST
I have roughly checked the WinEggDropShell Eternity Version

It seems that there are several other buffer overflows.

//FTP USER command bof?

.text:100027BD                 push    offset aUser    ; "USER"
.text:100027C2                 call    _strlen
.text:100027C7                 add     esp, 4
.text:100027CA                 lea     edi, [ebp+eax-103h]
.text:100027D1                 push    edi
.text:100027D2                 push    offset aS       ; "%s"
.text:100027D7                 lea     edi, [ebp+var_208]
.text:100027DD                 push    edi             ; char *
.text:100027DE                 call    _sprintf

_ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is a 0x104h buffer. However, I havent verify it, plz feel free to correct me

MohammadHosein Posted: Saturday, November 19 2005 14:12.57 CST
@Veritas : an old version of Bifrost , there was a guy named Aphex there who developed lots of useful things , like a user mode Delphi Rootkit + Source you may find it in rootkit.com , this guy developed some fw/fwb/fw+/etc codes with very smart tricks , one day FBI arrested this guy and after all he told us that they just found one of his RATs in a very important governmental PC , ChaseNet guys maintained his RATs alongside other RATs just like LOMs! funny days , good memories .

JasonGeffner Posted: Tuesday, November 22 2005 12:35.43 CST
Malvin: "I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?"
Jim Sting: [yelling] "Mister Potato Head! Mister Potato Head! Back doors are not secrets!"


Sorry, but I couldn't resist quoting WarGames here :)

Good article, Joe!

MohammadHosein Posted: Friday, December 2 2005 16:47.21 CST
have a look at this : http://www.milw0rm.com/id.php?id=1353

strasharo Posted: Saturday, December 3 2005 06:05.40 CST

joestewart Posted: Monday, December 5 2005 09:11.57 CST
Yes, these links are to Sowhat's exploit, which he hinted at in his comments above. If you check his full advisory released to Full-Disclosure he references this article. So now the references are fully circular :)

Th3ChaS3r Posted: Sunday, December 18 2005 11:14.43 CST
Amazing, i must have completely missed the fact that Aphex joined our team then left. LOL, hehe obviously the Founder doesnt quite know what is going on. Um when has ChaseNET ever supported any RAT developed by Aphex, i think you will find he had his own site at iamaphex which is nothing to do with ChaseNET so please don't slander us. It really isn't neccessary And there was no mention anywhere of Bifrost have a master password, the only RAT that did have a master pass which was from EES was Optix Pro <1.2

MohammadHosein Posted: Monday, December 19 2005 04:35.26 CST

Zeroknock Posted: Thursday, June 1 2006 01:23.20 CDT
Good Knowledge .Great

daniellewis Posted: Wednesday, March 5 2008 17:45.39 CST

I'm glad that most of you are already familiar with this.  I'm curious if any of you have thought to recognize exploits in software that were most probably intentionally placed?

Deep in the specification for EFI it even goes on to explain all the wonderful things it can do like run remote code before the disk is even spun up (or the bootloader loaded)

All the way up to most IM's - in fact if you're lucky the creepy guys that do this sort of thing will even throw you a bone to ease your conscience.

Donner2011 Posted: Wednesday, December 21 2011 04:05.54 CST
This is such a great resource that you are providing and you give it away for free. maternity wedding dresses
Pregnancy wedding dresses
maternity dresses for weddings
chiffon maternity wedding dresses
short maternity wedding dresses
plus size maternity wedding dresses
christmas costumes I love seeing websites that understand the value of providing a quality resource for free. Its the old what goes around comes around routine.

Agnesaa Posted: Monday, October 15 2012 19:35.13 CDT
Guild Wars 2 Gold PC at GameSpy - Check out the latest cheap GW2 Gold cheats, cheat codes, walkthroughs, guides, videos and more!
IGN is the gw2 gold (PC) resource with reviews,  wikis, videos, trailers, screenshots, cheats, walkthroughs, previews, news and release dates.

Agnesaa Posted: Monday, October 15 2012 19:35.25 CDT
Minecraft gift code is a game about placing blocks to build anything you can imagine. At night monsters come out, make sure to build a shelter before that happens.Mass Effect3 generator download for free,  code generator Rapidshare com files, free Battlefield 3 CD Key
month card  generator Hotfile, Mediafire search files results.

Agnesaa Posted: Monday, October 15 2012 19:35.37 CDT
Players will take adventures in a world full of danger
C9 Gold and challenges.There're totally 4 classes(include Warrior,Buy C9 Gold Hunter etc, 2 mysterious classes will be unveilled then) in game. You can try them in first closed beta test. It will be a nice experience to against its high level of Monster AI Continent Of The Ninth Gold and try awesome combo skills by controlling characters.

Agnesaa Posted: Monday, October 15 2012 19:35.54 CDT
Everyday is an interesting new life adventure. Impressive indeed. thanks guild wars2 powerlevel
gw2 powerleveling
gw2 powerlevel

Agnesaa Posted: Monday, October 15 2012 19:36.28 CDT
Very interesting discussion glad that I came across such informative post. Keep up the good work friend. Glad to be part of your net community. wow gold us/cheap gold for wow/cheap safe wow gold

JohnGrace Posted: Monday, March 4 2013 10:23.23 CST
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog, I will keep visiting this blog very often. <a href="http://www.writingpearl.co.uk/criminology-assignment/">help in criminology</a>|<a href="http://www.writingpearl.co.uk/accounting-assignment/">help in accounting</a>|<a href="http://www.writingpearl.co.uk/economics-assignment/">help in economics</a>|<a href="http://www.writingpearl.co.uk/statistics-assignment/">help in statistics</a>|<a href="http://www.writingpearl.co.uk/finance-assignment/">help in finance</a>|<a href="http://www.writingpearl.co.uk/law-assignment/">help in law</a>

JohnGrace Posted: Monday, March 4 2013 10:24.22 CST
Great blog. All posts have something to learn. Your work is very good and i appreciate you and hopping for some more informative posts. help in criminology|help in accounting|help in economics|help in statistics|help in finance|help in law

Add New Comment

There are 31,272 total registered users.

Recently Created Topics
Reverse Engineering ...
let 'IDAPython' impo...
set 'IDAPython' as t...
GuessType return une...
About retrieving the...
How to find specific...
How to get data depe...
Identify RVA data in...
Question about memor...

Recent Forum Posts
Finding the procedur...
Question about debbu...
Identify RVA data in...
let 'IDAPython' impo...
How to find specific...
Problem with ollydbg
How can I write olly...
New LoadMAP plugin v...
Intel pin in loaded ...
OOP_RE tool available?

Recent Blog Entries
Breaking IonCUBE VM

Anatomy of a code tracer

IAT Patcher - new tool for ...

CryptoShark: code tracer ba...

Build a debugger in 5 minutes

More ...

Recent Blog Comments
nieo on:
IAT Patcher - new tool for ...

djnemo on:
Kernel debugger vs user mod...

acel on:
Kernel debugger vs user mod...

pedram on:
frida.github.io: scriptable...

capadleman on:
Using NtCreateThreadEx for ...

More ...

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit