Now, as you can see, by sending a specially crafted packet, we can cause Memcached to segfault, and essentially die. Memcached is used by a lot of high profile sites to speed up page load times, and killing it would impact a bit on site performance, so I was rather curious as to why this bug had not yet been killed.
As you can see from the report, the vulnerability is trivial to exploit. Just send the magic packet of death and it kills the memcached service. I tried to get remote code execution from it, but had no luck at all. Perhaps one of you might have more luck!
// Decided to publish this after some misgivings about disclosure. After telling Asher about it earlier, it was decided to disclose it to make people aware of the issue.
A week or two ago, I stumbled across an article about how these “Brainwallet” things were making your bitcoins “Deniable”, as no “wallet” exists except in your head.
How they work is quite simple: you take a passphrase, and that is to be the super secret key for your “wallet”. So long as you remember that passphrase, you can access the wallet.
This passphrase is hashed with SHA256 to form the private key for your wallet, so you can generate your privkey at will. The privkey is turned into a bitcoin address using the standard algorithm.
Now, so long as you know the private key, you own that wallet. So if you know the passphrase, you know the private key. This is essentially basing the private key on insecure (user supplied as opposed to random) data, normally a word or string of words (everyone sucks at passphrases).
Now, how do we go about attacking this. Well, think of it as the same as cracking peoples passwords.
You take a dictionary of likely looking passphrases, and hash ‘em with SHA-256 to make a bunch of private keys. You then convert them to wallet-import format using the Base58 encoding that Bitcoin uses, and pass the WIF string to bitcoind to import the wallet. If anyone was using that private key/passphrase, all their bitcoin now belongs to you.
Being a lovely person, I wrote up a proof of concept based on brainwallet.py (a brainwallet generator) that automatically does all this. My code is terrible, but it proves the point I was trying to make. A better written piece of code could import thousands of keys incredibly quickly, exhausting entire blocks of passphrase-keyspace.
So, you might remember my short writeup on exploiting command injection vulnerabilities - http://insecurety.net/?p=403 - and note that the tool used, GWEE, was a bit outdated and often would not compile correctly on modern versions of Linux using GCC.
Had you ever messed with the tool, you might also notice one of the authors was Sabu, so as a matter of principle, I was going to avoid using it whenever possible.
So, many attempts were made at re-implementing the tool in Python, most of them absolute failures, totally rubbish, or otherwise “clunky” and inelegant.
Anyways, much messing about later, I stumbled across a piece of code by @LaNMaSteR53 named “rce.py”. You can download it here: rce.py (the original one).
My main problem when writing my implementations (prior to seeing LaNMaSteR53′s implementation) was handling the POST data. How the hell would I get it from the commandline to the tool itself without having the user editing some config file of some kind. To me, this was a major stumbling block.
So, when I saw Tim’s implementation, passing it “just like a GET, but telling the parser it was POST”, I had to borrow it. A quick bit of replacing the urllib stuff with requests.get and requests.post, and I had a decent base to build from.
While the retooled version of rce.py itself was pretty cool as it was, I felt it could be taken a lot further. The original beta had built in reverse shells (12 or so varieties), however it tended to crash and such a lot. No error handling whatsoever, and some of the payloads simply failed to function at all.
Eventually, I wrote the “payloads” module. A slimmed down version of it is included in the wee.tar.bz2 archive, as I have not finished the thing yet. Currently the public release contains only a python reverse shell, however it is extremely easy to expand upon.
Anyway, on with the show.
we.py has only one mandatory arguement, the –url arg. You simply (for a GET request, the default), put in –url=’http://victim.com/vuln?vuln=<rce>&otherparams=otherparams’
For a POST request, you put them in just like a GET request, and specify –method=post as an argument to tell the tool to parse them as POST parameters.
By default, it gives you the “rce.py” style inline shell prompt. However, using the –shell argument, you can specify it to use a reverse shell instead like so: –shell=reverse.
By default, the reverse shell will use 127.0.0.1 and 4444 as its lhost and lport, so you can change this with –lhost=LHOST and –lport=LPORT.
So, here is a screenshot of it in action:
This tool is still being developed, so report any bugs you find in it and make suggestions
So, finally my DNS issues and suchlike got sorted out, and the server has been migrated to a new host. Email is back as of a few hours ago (few issues with MX records and mailboxes or something and emails being delivered 10 times to me, but I think that will fix itself after a few days. I hope so anyway, because being bombed with 100 messages 10 times each is getting plenty bloody annoying).
Everything is upgraded to the new wordpress, no more nasty hacking the config files to get WP to work on a server not designed to run it.
So, while the site was “inactive”, I was working on a whole bunch of new content (and finishing old articles) to publish. Seeing as I have exams, I shall just leave a few gifts here for you to look at until they are over. dietrich may have something for you also
So, in order to keep everyone entertained for the next few days, check out the following piece of exploit engineering.
D-LINK DIR-300 and DIR-600 routers have a hilarious preauth remote root flaw in their web interface. A webpage called “command.php” that accepts a “cmd=$cmd” and executes it as root. EPIC FAIL. Why was that there? Ask D-LINK.
It delivers my customary user friendly shell interface, exploiting command injection. It can also autoenable TELNET and grant Telnet access, though this is seemingly less reliable, it hung when I tried it after rebooting the router.
Will be writing some more exploits, and maybe publishing them soon, so stay tuned
This is a reasonably old remote code execution trick that I was actually unaware of until recently, when I stumbled across it by accident. I have been heavily researching various ways to go from a file inclusion bug to a remote code execution bug, and this one really got me interested.
As we previously mentioned in the I expect:// a shell post, you can use certain PHP streams to execute code via a file inclusion vulnerability. This one does not require any PHP extensions to be installed, unlike the expect:// trick, and relies solely on allow_url_include to be enabled, which sadly is becoming a rarity these days.
How this works is simple. PHP has a data:// stream, which can decode and accept data. If you insert some PHP code into this stream and include() it, the code will be executed. Rather simple, and rather effective too. I will cover php://input in a follow up post, and then post my findings on abusing FindFirstFile.
Essentially, instead of including /etc/passwd or a remote file, you simply include the following. data://text/plain;base64,PAYLOAD_GOES_HERE
Where the payload is base64 encoded PHP code to be executed. I choose to base64 encode the payload to avoid some problems I ran into with whitespace and longer payloads.
Now, obviously this would be no fun without a simple proof of concept tool to demonstrate the vulnerability. The following tool is under serious redevelopment at the moment, so it only spawns a bind shell at the moment. Next version will offer several payloads (I am working on a generic payload library for this kind of thing).
This blog post covers a fascinating method of leveraging Local File Inclusion to gain Remote Code Execution on a vulnerable host. It has several downfalls, but overall is one of the more interesting methods I have found, and I have not found any references to it anywhere that I looked online.
PHP has many “wrappers” to parse certain types of things. For example, the php://input or php://filter wrappers, which have been used in the past for both code execution and information disclosure – notably the PHP-CGI Arguement Injection exploit, which uses the php://input wrapper to inject code after making modifications to PHP.ini directives.
One of the more entertaining ones I stumbled across is how PHP handles the expect:// “wrapper”. For those who do not know, “expect” is a program/scripting language of sorts that one can use to interact with other interactive programs. Some of you may be familiar with pexpect from Python, which is used to interact with SSH sessions for automation. It is a rather powerful utility, and is often used by sysadmins to automate procedures which would normally require human interaction.
As it happens, amongst PHP’s many wrappers, there is an “expect://” wrapper. I stumbled across it by accident while looking up the correct way to use php://filter to read files via LFI (I will document that method later, it deserves a post of its own). I knew expect looked familiar, so when I looked more into it, I found examples of people using it in PHP scripts to automate things like ssh-ing to remote boxes, etc.
After a while it dawned on me that something interesting might just happen if I passed expect://ls to an include() call in a PHP script, so I decided to see what would happen.
I used the following vulnerable (to LFI) PHP script, and called test.php?hax=expect://ls
$code = $_GET['hax'];
It provided me with a directory listing of my webroot.
remote code execution
After a few minutes of thinking “oh, this is interesting”, I decided to see if I could knock up an interactive shell in Python to automate the whole procedure.
First off, I decided to see could I get it all to work out using Pythons “requests” module…
Seeing as it worked, now it was time to write a “shell”.
Yes, I now had a somewhat interactive “shell” on the vulnerable host (localhost…). I considered releasing the proof of concept right there, however further messing about was warranted first, obviously. I needed to see how far I could “push” this vuln, and how cool I could possibly make the PoC tool before releasing it to the wild, where someone would doubtlessly give me much abuse about my python
So, without further ado, here is the video demo of it. It now checks if the host is vuln (very rudimentary check), and offers the “inline shell” or a reverse shell Download links at bottom
// Err, the video is on its way, I did not have time to clean it up sadly. I will edit this post in a day or so with the finished video, I promise
The CVE-2012-1823 PHP-CGI exploit was, quite possibly, one of the most groundbreaking exploits of 2012. In a year that brought us MS-12-020 (the most hyped bug in my recollection), multiple Java 0day exploits, and several MySQL exploits, the PHP-CGI bug still stands out as one of the most hilariously brilliant bugs to show up for several reasons. Primarily the massive misunderstanding of how it worked.
For this exploit to work, PHP had to be running in CGI mode. A fairly obscure configuration not seen all too often in the wild. Essentially, with this vulnerability, you could inject arguements into the PHP-CGI binary and make changes to php.ini directives, allowing for remote code execution.
Developing an exploit for this bug is trivial. In order to gain remote code execution, you tell PHP.ini that it is to allow URL inclusion ( allow_url_include = 1 ), and to automatically prepend the “file” php://input. This means whatever we send in the POST request is parsed as PHP, and executed.
One way to exploit this (targetting example.com), using the lwp-request’s “POST” utility, is as follows.
echo “<?php system(‘id’);die(); ?>” | POST “http://example.com/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input”
As you will see in the video, we can easily use this to execute commands remotely from a BASH shell.
The HTTP request sent, looks something similar to this:
POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
Connection: TE, close
User-Agent: lwp-request/6.03 libwww-perl/6.04
<?php system(‘id’);die(); ?>
The response to that was the server sending back the result of our command (id), so we know it works.
So now we have a somewhat reliable “commandline” RCE method, however, we like to automate things… Let’s see how hard it is to write a reliable exploit in Python.
The following screenshot shows exploitation using Python.
Exploiting PHP-CGI bug with Python
So, we know now that using Python’s requests library (a mainstay of all my exploits, as I guess you noticed).
Now that we have reliable exploitation using Python, I decided to go a step further and write an actual exploit in Python to automate the whole thing. It simply drops you into a shell of sorts, giving you the ability to run commands as the web-user.
Recently, during my research into exploitation of routers (inspired by some of my friends and associates, including the other writer on this blog, dietrich), I came across some fascinating code, and decided to do a demonstration.
One of my friends happened to have a router (Netgear WGR614, running the WGR614v9 firmware). We decided it would be fun to experiment with.
The web interface on it is something I have yet to explore, as he has forgotten the password and is none too happy about the idea of resetting it, as it would mean spending a day reconfiguring his network (I suspect this has to do with “Fuck setting up port forwarding for xbox live”, as I had to do that for my brother a year ago… Not a fun task!). Instead, I decided to see what access the TELNET interface offered.
When the router was scanned with nmap, it showed up as having port 23 (TELNET) open. However, attempts to connect to it failed. Upon investigation using my favourite search engine, I found that Netgear provide a “Telnetenable” utility. OpenWRT – Telnetenable
How it works is it takes the username and password (Gearguy and Geardog respectively are defaults for the TELNET), and the MAC address of the router.
It does an MD5 of those, some byte swapping, and then encrypts it all with Blowfish into a binary blob with the secret key “AMBIT_TELNET_ENABLE+”. Or so my understanding of it is. Cryptography and I get along only on Tuesdays. It then sends this to the TELNET port, which parses it and invokes telnetd.
Seeing as they only provided a Windows binary, and I wanted something that would run on Linux without using Wine, some further searches lead to the following Python script – Python- Telnetenable. Said Python script has a few bugs, so I decided to clean it up and make it a bit more user friendly. Left original credits intact, might send it as a “patch” to developer sometime.
So, you do “./telnetenable-redux.py <IP of Router> <MAC of Router> Gearguy Geardog” and wham, instant TELNET access. The TELNET console itself seems to have no authentication by default, dropping you straight into a Busybox root shell. From here you have complete access to the router itself. Due to laziness and such, the MAC address must be in all uppercase with no seperating : between the hex characters.
Anyway, without further ado, here is the demo video I recorded. Not bothered editing it as there is not much to see, really.
I am doing more exploring to search for interesting files to read on the router (finding out where it keeps the bloody HTTP authentication stuff is proving more difficult than previously expected), and as my research progresses I will post more about it. Router exploitation is a fascinating, and under-researched field, that is filled with pretty 0days and such to investigate
IBM Systems Director has a Web Service listening on 6988/TCP. This service, the “CIM Server”, in versions prior to 5.20.3 SP2 is vulnerable to a directory traversal vulnerability, permitting loading of local DLL files and their execution. This is assigned CVE-2009-0880.
Executing Local DLL files? Not really all that interesting. However, then our good friend @kingcope decided to take a look at this bug, and suddenly, it became VERY interesting.
Because of how Windows treats files, you can not only load a LOCAL DLL file, but you can load a REMOTE DLL file, if said DLL file is made available over a WebDAV share. Essentially turning “Execute some file on the remote box” into “Remote code execution with SYSTEM privileges”.
How this exploit works, is it sends a specially crafted HTTP request to the CIM Listener service, telling it that it should totally load \hacker\hacker.dll because it is definately a legit DLL file to execute.
This software, being inherently silly, decides “Sure! Of course I will load this DLL file!” and loads the remote DLL file, executing whatever code is at its initialization routine (your reverse shell mayhaps?).
To make the whole party even more fun, the code is executed as SYSTEM, and no authentication whatsoever is needed to exploit this vulnerability.
The original exploit by Kingcope may be found here: http://isowarez.de/Exploits/IBMDirector.txt however he has disabled access to “wootwoot” DLL file, so I could not use his exploit code in the following demo. I ended up using the Metasploit module which was released shortly after his exploit came out.
What I find most interesting is that no one before Kingcope ever though about using a Webdav share to serve up a remotely loaded DLL. Perhaps now people will have to revise old bugs and write new, super effective exploits?
“If you want to win a race condition, you best cheat”.
The following article demonstrates a fascinating method of exploiting Local File Inclusion vulnerabilities first thought up of by the guy who runs Gynvael.Coldwind.pl . It is further documented at Insomnia Security
To start, when you are exploiting a Local File Inclusion, in order to gain remote code execution you must “write” some PHP code somewhere on disc that you can “include”. Normally this means injecting into logfiles, or the /proc/self/environ interface.
In the event you cannot locate the logfiles, or access them, most people simply give up and claim “Yep, it is unexploitable”.
This is not true.
When you upload files via HTTP POST to a webserver running PHP, during the upload it creates a tempfile for the files data, normally in /tmp. This file is “randomly named” (I do not trust the PRNG PHP uses), and is stored for the duration of the upload.
Now, it just so happens that it will create this file irrespective of whether or not you are legitimately uploading (i.e. the webapp is accepting an upload) or not, and the file is deleted when the “upload” finishes.
Because these files are randomly named, and there are no wildcards that we can use on Linux (more on this later!), you might think “So, how does this help me at all?”.
Normally, you would be right. Unless you find a flaw in the PRNG that allows you to predict the “dummy name” of the file, this is not so useful to you. What we need is an information disclosure bug that displays the PHP variables at that particular time…
… Enter PHPinfo(). The phpinfo() call, often found in /phpinfo.php or other such files (often forgotten and not removed on webservers), displays the PHP variables as they are at that point in time… Including the “Dummy Filename” that is currently in use.
So, if we are to send a file upload, containing our evil PHP code, and then include() it (via the LFI), using the path given to us by the PHPinfo page, we gain code execution on the remote server.
Yes, but not quite.
The file exists there for mere fractions of a second, so we lengthen the duration of the upload (we upload to the phpinfo file) by padding it with trash data. The insomniasec paper (linked at bottom) explains this better than I will, so I advise reading it! This is a race condition, so to further enhance our chances, we use multiple threads and multiple attempts. One of them will succeed, normally within short order (averages at 30 seconds, see the demo video!). If you have LFI and a phpinfo() page, you WILL gain code execution on the server.
The PHP code you “upload” and execute via include() effectively acts as a “Dropper”, dropping some malicious code that is stored in /tmp with a filename you have set. You then simply include() this dropped file via the LFI bug to execute code, as per normal LFI.
The InsomniaSec guys released, along with their paper, a demo script to show how it works. imax, the mantainer of Fimap (which I also develop) released a Fimap plugin that exploits this vulnerability, and that is what I am about to demonstrate. imax’s code drops a file named “eggshell” which is essentially a stripped down version of the Fimap payload.
The Fimap module is extremely reliable, giving me shells in short order. I have never had an issue with it to date, and normally on remote boxes it takes a minute or so to pop a shell.
Next week I will be releasing a demo of doing this against Windows targets without the lovely PHPinfo bug. A much “truer” race condition