Earthstation 5 Claimed to be Malware

MrMilney

Senior member
Aug 12, 2000
678
0
0
According to this article on Slashdot Earthstation 5 (previously discussed in this post) is actually malware that allows an attacker to delete any file on your computer. Just thought you all might like to know.
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
Originally posted by: LordJezo
ha.

just like in the movie The Net.

Except in this case I don't feel like slashing my wrists...just slashing my cat5 cable...


bad bad movie....
 

flxnimprtmscl

Diamond Member
Jan 30, 2003
7,962
2
0
Originally posted by: fivespeed5
wow. what a surprise.

Of course it's a surprise. Who could have seen this coming? I've been using it for weeks with no proble.... hey... where'd my terabyte of pr0n go?

In all honesty though imo if you used this software you earned it.
 

ChefJoe

Platinum Member
Jan 5, 2002
2,506
0
0
Lol... talk about a wild theory

Conclusion
----------
The people behind ES5 have intentionally added malicious code to ES5. If
you have followed the ES5 discussions on message boards and read what the
ES5 people have said and done (eg. DoS attacking BitTorrent sites), this
comes as no surprise. The question then is "why did they do it?" I'm sure
they won't tell us, but here's a theory: They could be working for the
RIAA, MPAA, or a similar organization. Once they have enough users on their
ES5 network, they would start deleting all copyrighted files they own which
their users are sharing. The users wouldn't know what hit them.
 

cavemanmoron

Lifer
Mar 13, 2001
13,664
28
91
[Full-Disclosure] EarthStation 5 P2P application contains malicious code
random nut randnut@yahoo.com
Thu, 2 Oct 2003 17:18:16 -0700 (PDT)

EarthStation 5 P2P application contains malicious code
------------------------------------------------------

ES5 info
--------
EarthStation 5 (aka ES5, aka ESV) (http://www.earthstation5.com and
http://forums2.es5.com/) is a P2P application first released about 6-12
months ago. The people behind ES5 claim that ES5 is the most secure P2P
software in the world. They also claim that they are security experts, and
that they have more than 15 million simultaneous users on-line 24/7. In
comparison Kazaa, the most popular P2P application, only has about 4
million simultaneous users on-line at any given time of day.

Malicious code
--------------
There exists malicious code in ES5.exe's "Search Service" packet handler.
By sending packet 0Ch, sub-function 07h to the "Search Service"'s IP:port,
a remote attacker could delete any file the user is sharing. If the remote
attacker uses "filenames" with a relative path in them (eg.
"..\..\..\WINDOWS\NOTEPAD.EXE"), the remote attacker could also delete
files in eg. the windows and windows\system32 folders, or any other folder
on the same partition as any of the shared folders. Since most users using
Windows are in the Administrators group, a remote attacker could also
delete the C:\BOOT.INI file which is a required boot file used by ntldr.

IMPORTANT: This is not a bug! They intentionally added this code to ES5.

Vulnerabilities
---------------
There also exist a lot of other vulnerabilities in ES5 (eg. DoS attacks,
buffer overflow bugs, and so on), but these all seem to be unintentional.
Another advisory may have more info on these vulnerabilities, but I'm not
their beta tester so don't hold your breath.

Conclusion
----------
The people behind ES5 have intentionally added malicious code to ES5. If
you have followed the ES5 discussions on message boards and read what the
ES5 people have said and done (eg. DoS attacking BitTorrent sites), this
comes as no surprise. The question then is "why did they do it?" I'm sure
they won't tell us, but here's a theory: They could be working for the
RIAA, MPAA, or a similar organization. Once they have enough users on their
ES5 network, they would start deleting all copyrighted files they own which
their users are sharing. The users wouldn't know what hit them.

Tested ES5 builds
-----------------
ES5 build 1266
ES5 build 2180 (latest version)

MD5 sums of files
-----------------
MD5 sums (using RFC 1321 source code) of the tested files (in case the ES5
people remove the malicious code w/o changing the build number)

e35838ef6668abe883344e3a7e734794 *es5beta1266.exe
ce44a1f0542b9132f2debd9866febc65 *es5beta2180.exe
373c30ba0e8b1dce05dcab2acce94a77 *es5_build1266.exe
915de0f8e72be40bf071a86bc9dc2626 *es5_build2180.exe

2,244,663 es5_build1266.exe (ES5.exe - build 1266)
2,347,063 es5_build2180.exe (ES5.exe - build 2180 - latest version)
4,436,309 es5beta1266.exe (ES5 installer - build 1266)
4,553,325 es5beta2180.exe (ES5 installer - build 2180 - latest version)

The official ES5 installer download URL is
http://download.es5.com/es5beta.exe , but check its MD5 sum before
installing it in case they changed it.

Credits
-------
me :) for discovering it (randnut@yahoo.com)

Exploit code
------------
Go to http://www.geocities.com/esvuln to download the exploit binary and
source code (it looks weird in this email).

Source code to esv ("ExploitStation 5" or "EarthStation Vulnerabilities",
you decide) but first a little FAQ...

1Q: esv doesn't work after a couple of times.
1A: Make sure that there are no other es5.exe processes running
in the background. ES5.exe usually doesn't exit completely,
so use taskmgr.exe (or press CTRL+SHIFT+ESC) to kill all
es5.exe processes. Then start es5.exe and try esv again.

It can also happen if es5.exe hasn't initialized all its
server code. Wait a couple of seconds before running esv so
es5.exe has time to initialize its network code.

Another possibility is that the UDP packets sent from esv to
es5.exe are lost. Try a couple more times and at least one
should reach its destination intact.

2Q: I can't delete files on the other computer
2A: You can't delete files until the other computer's es5.exe's
Search Service has updated the number of files it's sharing. Go
to Activity to check Search Service on the other computer
(make sure you have enabled option "Enable ALL activity" in
Settings or you won't see it). Then wait, usually 30-60
secs after startup, for the "Search Service" line to change
from "Clients:0 Files:0" to something like "Clients:1 Files:3".
Now delete your files. If you're not a Sun/Star, you should
instead wait until the "Sun: NAME SuperNova: NAME" line changes
from "Sharing Files:0 Megs:0" to something like
"Sharing Files:2 Megs:0".

Make sure that the path to the shared folder is correct. You
can find the correct path if you check the other computer's
ES5 settings. Copy and paste it because it must be the exact
same string. Example, if the path is
"C:\Program Files\EarthStation5\New Media Files", it's possible
that ES5 instead uses "C:\Progra~1\EarthStation5\New Media Files",
or "C:\PROGRAM FILES\EARTHSTATION5\New Media Files" or any other
combination.

Also note that you cannot delete files with relative paths
containing a double backslash followed by two dots ("\\..")
under Win98 (and probably also Win95 and WinME). There's a bug
in es5.exe where it will use double backslashes. Example, if the
shared dir is "C:\Program Files\EarthStation5\New Media Files",
then es5.exe will save that as
"C:\Program Files\EarthStation5\New Media Files\" (note the last
backslash). If you want to delete the file "C:\WINDOWS\NOTEPAD.EXE",
you could specify this relative path as the "filename"
"..\..\..\WINDOWS\NOTEPAD.EXE". es5.exe will put these two strings
together like so:
"C:\Program Files\EarthStation5\New Media
Files\\..\..\..\WINDOWS\NOTEPAD.EXE"
(note the double backslash). Windows XP (and probably WinNT,
Win2000, Win2003) can delete these files, though. Note that all
Windows OSes can delete all user's shared files without a problem.

********** BEGIN esv.cpp **********
/*
* esv - "ExploitStation V" or "EarthStation Vulnerabilities"
* (C)2003 random nut (randnut@yahoo.com)
* All rights reserved.
*
* This code is released to the public because the people behind ES5
* would claim I lie. Thus, I have no choice but to let everyone
* download and run this application to prove that I'm right. Only try
* this on computers you're allowed to delete files on, and don't try
* this at home kids.
*/

#include <WinSock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char uint8;
typedef unsigned short uint16;
typedef unsigned long uint32;
typedef signed char int8;
typedef short int16;
typedef long int32;

/* Checksum helper used by the exploit's packet code (the rest of the
 * listing is cut off below). XOR-folds each byte of buf into a 32-bit
 * accumulator, shifting the byte by 0, 8, 16 or 24 bits depending on its
 * position, then maps the result into [lowlim, uplim]. Kept exactly as
 * posted: chksum is a signed int and *buf is a (signed) char on x86, so
 * bytes >= 0x80 sign-extend before the shift, and with the default limits
 * uplim - lowlim + 1 overflows a 32-bit int (to INT_MIN under MSVC, which
 * makes the modulo effectively a no-op). */
uint32 __GetChecksum(const char* buf, int buflen = 0,
                     int uplim = 0x7FFFFFFF, int lowlim = 0)
{
    if (buflen == 0)                  /* buflen == 0 means "use strlen(buf)" */
        buflen = (int)strlen(buf);

    int chksum = 0;
    for (int i = 0; i < buflen; i++, buf++)
        chksum ^= *buf << (8*(i&3));

    return (uint32)(lowlim + (chksum % (uplim - lowlim + 1)));
}

uint32 GetChecksum(const char* lpszString)

 

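The file-deletion behaviour the advisory above describes (packet 0Ch, sub-function 07h, a client-supplied "filename" appended to the shared folder, and the double-backslash quirk from Q2 of the FAQ) is, stripped of the ES5 protocol, a path traversal in a delete handler. The following is an added example, not code from the advisory, from random nut, or from ES5 itself: a model of such a handler in the vulnerable form the advisory describes, beside a hardened form that canonicalises the joined path and refuses anything that escapes the share root. The request struct, the function names, the sample share path and the "shareDir must match the configured share as an exact string" rule (taken from the FAQ's Progra~1 remark) are assumptions for illustration; nothing here touches the file system, the functions only return the path that would be deleted.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Assumed model of one "delete this shared file" request: the client names
// the shared folder (compared as an exact string, as the FAQ describes) and
// a "filename" that is appended to it.
struct DeleteRequest {
    std::string shareDir;
    std::string fileName;
};

// Constructed sample share root, stored with the trailing backslash that
// the FAQ says es5.exe keeps.
const std::string kShare = "C:\\Program Files\\EarthStation5\\New Media Files\\";

// Lexically canonical form of a Windows-style path: optional drive prefix
// plus the components with "." removed, ".." resolved and empty components
// dropped. Empty components are exactly what the trailing backslash
// produces ("...\New Media Files\" + "\..\.." gives "\\.."), so dropping
// them is what makes the containment check below reliable.
struct CanonPath {
    std::string drive;               // "C:" or empty
    std::vector<std::string> segs;   // components, original case kept
};

static std::string toUpper(std::string s) {
    for (char &c : s) c = (char)std::toupper((unsigned char)c);
    return s;
}

static CanonPath canonicalise(const std::string &raw) {
    CanonPath out;
    size_t pos = 0;
    if (raw.size() >= 2 && std::isalpha((unsigned char)raw[0]) && raw[1] == ':') {
        out.drive = toUpper(raw.substr(0, 2));
        pos = 2;
    }
    std::string seg;
    auto flush = [&]() {
        if (seg == "..") {
            if (!out.segs.empty()) out.segs.pop_back();  // ".." at the root stays at the root, as on Windows
        } else if (!seg.empty() && seg != ".") {
            out.segs.push_back(seg);
        }
        seg.clear();
    };
    for (; pos < raw.size(); ++pos) {
        if (raw[pos] == '\\' || raw[pos] == '/') flush();  // Win32 accepts both separators
        else seg += raw[pos];
    }
    flush();
    return out;
}

// Vulnerable form, as the advisory describes ES5: the only check is that the
// client's shareDir equals the configured share, then the "filename" is
// appended verbatim. Returns the path that would be deleted, "" if refused.
std::string vulnerableTarget(const std::string &configuredShare, const DeleteRequest &req) {
    if (req.shareDir != configuredShare) return "";
    return req.shareDir + "\\" + req.fileName;
}

// Hardened form: canonicalise both the share root and the joined path, and
// require the root's components to be a strict prefix of the target's
// (case-insensitively, because NTFS is). A name that ".."-climbs out of the
// share, names the share itself, or smuggles a drive letter or NTFS stream
// syntax through ':' is refused. Note the limit of a purely lexical check:
// 8.3 short names (Progra~1), junctions and symlinks are aliases it cannot
// see, so a real handler should resolve the candidate through the OS (for
// example by comparing GetFinalPathNameByHandle results) before unlinking.
std::string hardenedTarget(const std::string &configuredShare, const DeleteRequest &req) {
    if (req.shareDir != configuredShare) return "";
    CanonPath root = canonicalise(configuredShare);
    CanonPath target = canonicalise(req.shareDir + "\\" + req.fileName);
    if (target.segs.size() <= root.segs.size()) return "";
    for (size_t i = 0; i < root.segs.size(); ++i)
        if (toUpper(target.segs[i]) != toUpper(root.segs[i])) return "";
    for (const std::string &s : target.segs)
        if (s.find(':') != std::string::npos) return "";
    std::string clean = root.drive;
    for (const std::string &s : target.segs) clean += "\\" + s;
    return clean;
}
```

With the advisory's own payload, "..\..\..\WINDOWS\NOTEPAD.EXE", vulnerableTarget returns the double-backslash string shown in Q2 of the FAQ while hardenedTarget refuses it; a plain "song.mp3" is accepted by both, and the hardened form also returns it with the stray double backslash collapsed.
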
Muck

Senior member
Feb 16, 2003
733
0
71
And I would have gotten away with it too, if it weren't for you meddling kids. :p
 

Turkish

Lifer
May 26, 2003
15,547
1
81
bleh....