AgentServer exploit - no logs no footprints

Posted by Initiate Mage (joined Oct 1, 2013; messages: 1; reaction score: 0)
Don't know if this is an old or new sorcery, but it is really a pain in the butt seeing my agent go down. I recorded the activity of all server exes just to trace what happened and hoped to find a clue, logs, or any footprint, but the agent goes down without any of them -- it just closed.

I'm not a pro, so I did some basic stuff just to know what is happening. I tried to view the traffic using Wireshark and I found this:

## FROM CLIENT ## pcap2
2023    0c:00:00:50 :57:a6:b2:29:51:23:63:50:4d:7a:d8:67:b3:31
2045    00:00:00:90 :0b:c6
2046    0c:80 :25:28:14:3a:97:0d:b0:de:14:90:44:22:3d:9c:2d:ad
2049    08:80 :12:95:a9:79:e2:68:ff:ca:c7:c4:95:65:5b:bf:69:e8
2051    08:80 :44:9f:df:42:f2:2c:5f:e6:c7:c4:95:65:5b:bf:69:e8
2052    08:80 :63:f5:93:6a:3e:77:fd:f2:c7:c4:95:65:5b:bf:69:e8
2054    08:80 :7b:59:51:a5:fa:4d:8a:4b:c7:c4:95:65:5b:bf:69:e8
2060    08:80 :58:29:ec:53:97:77:34:2b:c7:c4:95:65:5b:bf:69:e8
2073    0f:80 :b7:aa:8d:f0:29:d1:ff:92:29:10:a1:03:36:40:4e:08:42:12:08:cd:8d:01:ed:c6
2081    08:80 :96:e6:f4:67:4f:96:32:bd:c7:c4:95:65:5b:bf:69:e8

## FROM CLIENT ## pcap7
49873    0c:00:00:50 :5f:8a:5d:8a:58:08:35:8c:18:5d:b6:65:0e:28
49992    00:00:00:90 :0c:ad
49993    0c:80 :bb:e3:7e:f5:e5:6a:d7:1a:bb:d2:12:74:af:0a:96:3a
49996    08:80 :49:99:07:8a:8a:93:2f:48:d1:78:2d:ac:77:5e:02:4d
50005    08:80 :b7:6a:68:b6:29:9b:25:d2:d1:78:2d:ac:77:5e:02:4d
50009    08:80 :17:2c:34:fa:64:38:9c:45:d1:78:2d:ac:77:5e:02:4d
50013    08:80 :09:f4:0a:2c:32:34:f0:a1:d1:78:2d:ac:77:5e:02:4d
50050    08:80 :37:33:db:c7:65:5d:7d:c5:d1:78:2d:ac:77:5e:02:4d
50142    0f:80 :b8:07:c6:c0:3a:dd:3b:4c:64:29:f0:e6:ab:cc:8c:dc:09:7d:1c:2b:e6:cc:cb:f3
50172    08:80 :49:99:07:8a:8a:93:2f:48:d1:78:2d:ac:77:5e:02:4d

I don't know ASM, but I know how to code in C++ (a little), so I created a simple tool to capture these packets and then block their src IP. But since it was connected already, the Windows firewall fails (but yeah, the IP was blocked). I included wkillcx.exe (a tool that can kill an established connection), but my agent still goes down. I am pretty sure that the packets above (from Wireshark) are correct; I have many samples. I captured many packets during the attack and it ended with those packets.

Here is my epic fail tool:



I am willing to pay those who can recreate this exploit and fix it.
Please leave a msg. Thanks!
 

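One way to turn a capture like the one above into a server-side detection signature, as an added example that is not the poster's tool or anything from the AgentServer project: the script parses the dump format shown in the post (frame number, then colon-separated hex bytes), groups frames by their first byte (reading that byte as a header/opcode is an assumption), and reports the trailing byte sequence shared by every frame in a group that repeats. The pcap2 lines are embedded as constructed sample input; the function names are mine.

```python
"""Extract a recurring byte signature from a forum-style packet dump.

Added example, not the poster's tool. The input format is the one shown in
the post: "<frame>    <hex bytes>" lines under "## FROM CLIENT ## <name>"
headers. Treating the first byte of each frame as a header/opcode and the
shared tail as a signature are assumptions about an undocumented protocol.
"""
from collections import defaultdict

# Constructed sample: the pcap2 lines from the post, so the script runs offline.
SAMPLE_DUMP = """\
## FROM CLIENT ## pcap2
2023    0c:00:00:50 :57:a6:b2:29:51:23:63:50:4d:7a:d8:67:b3:31
2045    00:00:00:90 :0b:c6
2046    0c:80 :25:28:14:3a:97:0d:b0:de:14:90:44:22:3d:9c:2d:ad
2049    08:80 :12:95:a9:79:e2:68:ff:ca:c7:c4:95:65:5b:bf:69:e8
2051    08:80 :44:9f:df:42:f2:2c:5f:e6:c7:c4:95:65:5b:bf:69:e8
2052    08:80 :63:f5:93:6a:3e:77:fd:f2:c7:c4:95:65:5b:bf:69:e8
2054    08:80 :7b:59:51:a5:fa:4d:8a:4b:c7:c4:95:65:5b:bf:69:e8
2060    08:80 :58:29:ec:53:97:77:34:2b:c7:c4:95:65:5b:bf:69:e8
2073    0f:80 :b7:aa:8d:f0:29:d1:ff:92:29:10:a1:03:36:40:4e:08:42:12:08:cd:8d:01:ed:c6
2081    08:80 :96:e6:f4:67:4f:96:32:bd:c7:c4:95:65:5b:bf:69:e8
"""


def parse_dump(text):
    """Return {capture_name: [(frame_number, payload_bytes), ...]}."""
    captures = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("##"):
            current = line.split("##")[-1].strip()  # e.g. "pcap2"
            continue
        frame, _, rest = line.partition(" ")
        # The dump puts a space before the payload colon; drop spaces, split on ':'.
        hex_pairs = [h for h in rest.replace(" ", "").split(":") if h]
        captures[current].append((int(frame), bytes(int(h, 16) for h in hex_pairs)))
    return dict(captures)


def group_by_lead_byte(packets):
    """Bucket payloads by their first byte (assumed header/opcode)."""
    groups = defaultdict(list)
    for _, data in packets:
        if data:
            groups[data[0]].append(data)
    return groups


def common_suffix(blobs):
    """Longest byte suffix shared by every blob; b'' if they share none."""
    if not blobs:
        return b""
    shortest = min(len(b) for b in blobs)
    k = 0
    while k < shortest and all(b[len(b) - 1 - k] == blobs[0][len(blobs[0]) - 1 - k]
                               for b in blobs):
        k += 1
    return blobs[0][len(blobs[0]) - k:] if k else b""


def signatures(text, min_repeats=3):
    """Per capture, {lead_byte: (count, suffix_hex)} for groups that repeat at
    least min_repeats times and share a non-empty trailing byte sequence."""
    result = {}
    for name, packets in parse_dump(text).items():
        sigs = {}
        for lead, blobs in group_by_lead_byte(packets).items():
            if len(blobs) < min_repeats:
                continue
            tail = common_suffix(blobs)
            if tail:
                sigs[lead] = (len(blobs), tail.hex(":"))
        result[name] = sigs
    return result


def matches_signature(payload, suffix_hex):
    """True if a received payload ends with the learned tail (a filter check
    a server's receive path could run before handing data to the agent)."""
    return payload.endswith(bytes.fromhex(suffix_hex.replace(":", "")))


if __name__ == "__main__":
    for capture, sigs in signatures(SAMPLE_DUMP).items():
        for lead, (count, tail) in sigs.items():
            print(f"{capture}: lead byte 0x{lead:02x} x{count}, shared tail {tail}")
```

Run on the pcap2 sample it reports the six 08:80 frames sharing the 8-byte tail c7:c4:95:65:5b:bf:69:e8; the same script accepts the pcap7 lines and would report that capture's own tail. The point of checking a signature in the server's receive path rather than at the firewall is that it applies to data arriving on a connection that is already established, which is exactly the case where an IP block added after the connection is up does not help.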